icmpsh – Simple ICMP Reverse Shell

icmpsh is a simple ICMP reverse shell with a win32 slave and a POSIX-compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by and this port is in Python.

Features

• Open source software.
• Client/server architecture.
• The master is portable across any platform that can run either C, Perl or Python code.
• The target system has to be Windows because the slave runs on that platform only for now.
• The user running the slave on the target system does not require administrative privileges.

Running the master

The master is straight forward to use. There are no extra libraries required for the C and Python versions. The Perl master however, has the following dependencies:

• IO::Socket
• NetPacket::IP
• NetPacket::ICMP

When running the master, don’t forget to disable ICMP replies by the OS. For example:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

1	sysctl -w net.ipv4.icmp_echo_ignore_all=1

If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands send from the master.

Running the slave

The slave comes with a few command line options as outlined below:

-t host host ip address to send ping requests to. This option is mandatory! -r send a single test icmp request containing the string "Test1234" and then quit. This is for testing the connection. -d milliseconds delay between requests in milliseconds -o milliseconds timeout of responses in milliseconds. If a response has not received in time, the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit. The counter is set back to 0 if a response was received. -b num limit of blanks (unanswered icmp requests before quitting -s bytes maximal data buffer size in bytes

1 2 3 4 5 6 7 8 9 10 11 12 13 14

-t host            host ip address to send ping requests to. This option is mandatory!   -r                 send a single test icmp request containing the string "Test1234" and then quit.                    This is for testing the connection.   -d milliseconds    delay between requests in milliseconds   -o milliseconds    timeout of responses in milliseconds. If a response has not received in time,                    the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.                    The counter is set back to 0 if a response was received.   -b num             limit of blanks (unanswered icmp requests before quitting   -s bytes           maximal data buffer size in bytes

In order to improve the speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.

You can download icmpsh here:

icmpsh-master.zip

Or read more here.

Share89

Tweet6

Share115

Buffer44

WhatsApp

Email

254 Shares