soicmp Shell over ICMP project

Date: 2005-10-06 (last update: 2006-10-26)
Name: Shell over ICMP project
Current version: v0.5
Status: stable release candidate
Programming language: Python
License: GNU
Author: billiejoex (ITA)
Mail:
Web: http://billiejoex.altervista.org

What is Shell over ICMP project (soicmp)?

Soicmp consists of two free and open source applications: a server and a client. It allows a user to connect to a remote shell daemon using the ICMP protocol instead of classic TCP.
Entirely written in Python, soicmp is a working proof of concept demonstrating that data can be transmitted across a network by hiding it in traffic that normally carries no payload.

How does it work?

The soicmp server is a daemon that must be started on the remote host. When the server receives a request from the client, it inspects the packet's payload. The payload must follow certain protocol rules; in detail, the client must specify:

  • command
  • communication mode (echo|echo/reply)
  • authentication (y|n)

This is an example of a correct payload string sent by client to server:

$CMD
ls -a
$MODE
echo/reply
$PWD
root2005
$END

If the payload matches the server's protocol specification, the server pipes the command to "/bin/sh" or "cmd.exe" and executes it. The server then reads the result from the pipe and sends it back to the client, which prints it to stdout.
Moreover, every client sends ICMP packets whose id field equals the client's current process ID (PID) and accepts only ICMP replies carrying the same id value. This prevents output from being printed by other client instances running on the same workstation (this topic is also covered in the FAQ section).

Features

  • Platform independent.
  • Possibility to run the soicmp daemon on multiple Ethernet interfaces simultaneously, handling multiple client connections.
  • Possibility to specify the buffer size of outgoing packets.
  • Client-side source IP address spoofing.
  • Remote client case-sensitive (plain-text) authentication.
  • Possibility to select between two communication types:
    One based on encapsulating command output in "one way" ICMP_ECHOREPLY (type 0) packets sent by the server to the client (see fig. 1).
    Another that guarantees correct packet delivery by using the request/response nature of the ICMP ECHO and ECHOREPLY packet types (see fig. 2).
  • No listening sockets are listed by netstat or similar programs.

Fig. 1: A session using "one way" echo_reply mode:

Client  ICMP type   ICMP id  ICMP seq  ICMP data (buffer size = 14 bytes)   Server
--->    echo_reply  1023     0         $CMDecho abcdefghi0123456789         *
                                       $MODEreply$PWDroot2005$END
*       echo_reply  1023     1         $OUTabcdefghi                        <---
*       echo_reply  1023     2         $OUT0123456789                       <---
*       echo_reply  1023     3         $OUT$END                             <---

Fig. 2: A session using echo_request / echo_reply mode (delivery control granted):

Client  ICMP type   ICMP id  ICMP seq  ICMP data (buffer size = 14 bytes)   Server
--->    echo_reply  896      0         $CMDecho abcdefghi0123456789         *
                                       $MODEecho/reply$PWDroot2005$END
*       echo        896      1         $OUTabcdefghi                        <---
--->    echo_reply  896      1         $OUTabcdefghi                        *
*       echo        896      2         $OUT0123456789                       <---

No response from client. The server retries sending the last undelivered packet:

*       echo        896      2         $OUT0123456789                       <---
--->    echo_reply  896      2         $OUT0123456789                       *
*       echo        896      3         $OUT$END                             <---
--->    echo_reply  896      3         $OUT$END                             *

Firewalling and NAT issue

Soicmp works through firewalls that do not drop ICMP_ECHOREPLY (type 0) packets, and ICMP_ECHO (type 8) packets as well if you want to use delivery notification.
Things become harder if you plan to use soicmp on machines running behind NAT or other kinds of gateway. See the "What about NAT?" FAQ below.

Download

SourceForge download page

Installation

To run soicmp you'll need:

  • Python interpreter (recommended version: 2.4).
  • libpcap 0.8 or newer if you're running a *NIX platform.
  • Winpcap 3.1, if you're running a Windows platform.
  • Pcapy 0.10.4 extension module.

...or only Winpcap 3.1 if you plan to use the Win32 precompiled binaries.
Once you have installed all dependencies, just run the soicmp client or server as stand-alone programs. That's all.

Usage and portability

Soicmp is platform independent. I successfully tested it under Windows XP Professional SP2 and Ubuntu Linux Breezy 5.10, and I recently received a report from a user who successfully used soicmp on a MacOS system; it should also run without problems on other BSD and POSIX platforms such as FreeBSD or Sun Solaris. If you have one of these platforms, I would be very thankful for a report of your experience with soicmp.
To run soicmp, just unpack it into a directory and run "/usr/bin/python server.py" or "/usr/bin/python client.py" from the command line. If you're using the Win32 precompiled binaries, just run "server.exe" or "client.exe" from the command prompt.

Note - soicmp uses raw sockets on both client and server. You need the highest system privileges (root / administrator) to run it.

Another one - if you plan to use the IP spoofing feature on a workstation running Windows XP SP2 or higher, you can only use "127.0.0.1" as the source IP address value. Obviously, if you use this feature, the soicmp client won't receive the command output back.

Server helper

NAME:
  Shell over ICMP v0.5 (server)

DESCRIPTION:
  A system shell daemon that uses ICMP protocol instead of TCP.

USAGE:
  server.py [opts]

OPTIONS:
  -b, --buffer=      Payload size of outgoing packets (default: 512 bytes).
  -h, --help         Print this help.
  -i, --interface=   Specifies a single interface to listen on (default: all). You can use an
                     alias number or the device's hardware name (e.g. eth1).
  -l, --list         Returns a list of all interfaces assigning them an alias number.
  -L, --logfile=     Activates log on file function (default: no logging).
  -p, --passwd=      Set a (cs) password for remote authentication (default: anonymous login)

EXAMPLES:
  Listen on all interfaces by enabling remote authentication
    server.py -p $Ad&yte992

  Return a list of all available interfaces:
    server.py -l

  Listen on a single interface, enable remote authentication, enable logging:
    server.py -i eth0 -p $Ad&yte992 --logfile=/var/log/soicmpd.log

Client helper

NAME:
  Shell over ICMP v0.5 (client)

DESCRIPTION:
  A remote shell client that uses ICMP protocol instead of TCP.

USAGE:
  client.py [opts] <dest IP>

OPTIONS:
  -c, --command=     Send command directly without using prompt.
  -e, --echo         Ensure delivering control by using ICMP_ECHO packets type.
                     By default it uses ICMP_REPLY packets type. See doc for
                     more informations.
  -h, --help         Print this help.
  -p, --passwd=      Specify a password.
  -s, --spoof=       Use a spoofed IP source address. Note: on recent windows platforms
                     only "127.0.0.1" can be used.

INTERACTIVE SHELL COMMANDS:
  $MODE [r, er]      Change mode (reply or echo/reply).
  $PING              Pings remote server waiting for reply.
  $HELP              Prints this help.
  $EXIT              Close interactive shell and exit.

USAGE EXAMPLES:
  Classical usage with interactive command prompt:
    client.py 192.168.0.44
    client.py --passwd=$oopaNet --echo domain.org

  Directly send a command without using interactive command prompt:
    client.py --command="ls -l" domain.org

  Let's try to use some spoofing:
    client.py -s 192.168.0.252 -c "echo 'hi' > owned.txt" 192.168.0.44

Next features I'd like to implement

  • Binary ICMP data transfer with data integrity control.
  • Payload encryption and encrypted authentication.
  • Process injection to hide the server process.

Screenshots

Fig. 1: A session between a Windows client and a Linux box running the soicmp daemon.

Fig. 2: A session between two Linux boxes.

FAQs

Why should I use soicmp instead of tools like telnet, ssh or netcat?

Soicmp lets you establish a more hidden communication channel with a remote host by using ICMP data injection instead of a classic TCP socket-based connection.
The main advantage of the ICMP data injection technique is that no suspicious ports are opened on the workstation running the soicmp daemon.
If you aim to have a secondary, as-unobtrusive-as-possible access to a remote system, soicmp could prove a nice tool; otherwise it is recommended to use more solid and better-featured solutions that use a 'real' connection-oriented protocol such as TCP.

How could an administrator reveal the presence of a soicmpd?

Revealing soicmp is quite simple if an administrator pays attention to the traffic running over the Ethernet wire: it is sufficient to run a common sniffer to reveal the flowing ICMP packets, which contain the strings of the arbitrary commands and their output in clear text.
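An added example (not part of soicmp, and not the project's own code) of how the sniffer-based check described in this answer can be automated: it decodes ICMP echo / echo-reply messages, looks for the $CMD/$MODE/$PWD/$END and $OUT markers documented in the "How does it work?" section, and groups hits by ICMP id, which this page states is the client's PID. The sample messages are constructed here from the fig. 2 exchange (plus one ordinary ping); the function names are my own.

```python
import re
import struct
from collections import defaultdict
# Markers documented on this page: a request carries $CMD/$MODE/$PWD/$END; command output
# comes back in $OUT chunks and ends with "$OUT$END". The ICMP id is the client's PID.
REQUEST_RE = re.compile(rb"\$CMD\s*(.*?)\s*\$MODE\s*([^\s$]+)\s*\$PWD\s*(.*?)\s*\$END", re.S)
ICMP_HDR = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence

def classify(raw):
    """Decode one ICMP message; return (id, seq, record) if it carries soicmp data, else None."""
    if len(raw) < ICMP_HDR.size or raw[0] not in (0, 8):  # soicmp uses echo (8) / echo-reply (0) only
        return None
    _type, _code, _chk, ident, seq = ICMP_HDR.unpack_from(raw)
    data = raw[ICMP_HDR.size:]
    m = REQUEST_RE.search(data)
    if m:
        rec = {"kind": "request", "cmd": m.group(1).decode("latin-1"),
               "mode": m.group(2).decode("latin-1"), "has_password": bool(m.group(3))}
    elif data.startswith(b"$OUT"):
        rec = {"kind": "output", "final": data[4:] == b"$END", "chunk": data[4:]}
    else:
        return None  # ordinary ping payload or unrelated echo traffic
    return ident, seq, rec

def scan(messages):
    """Group hits by ICMP id and reassemble output; a retransmitted chunk (same id and seq, fig. 2) counts once."""
    sessions = defaultdict(lambda: {"commands": [], "chunks": {}, "complete": False})
    for ident, seq, rec in filter(None, map(classify, messages)):
        s = sessions[ident]
        if rec["kind"] == "request":
            s["commands"].append(rec["cmd"])
        elif rec["final"]:
            s["complete"] = True
        else:
            s["chunks"].setdefault(seq, rec["chunk"])
    return {i: {"commands": s["commands"], "complete": s["complete"],
                "output": b"".join(s["chunks"][k] for k in sorted(s["chunks"])).decode("latin-1")}
            for i, s in sessions.items()}

def _msg(icmp_type, ident, seq, data):  # constructed sample; checksum left zero, not a capture
    return ICMP_HDR.pack(icmp_type, 0, 0, ident, seq) + data

SAMPLE_CAPTURE = [  # constructed from the fig. 2 exchange above, plus one ordinary ping
    _msg(8, 4242, 1, bytes(range(0x08, 0x38))),
    _msg(0, 896, 0, b"$CMDecho abcdefghi0123456789\n$MODEecho/reply$PWDroot2005$END"),
    _msg(8, 896, 1, b"$OUTabcdefghi"),
    _msg(8, 896, 2, b"$OUT0123456789"),
    _msg(8, 896, 2, b"$OUT0123456789"),  # server retry of the undelivered chunk
    _msg(8, 896, 3, b"$OUT$END"),
]
```

Running scan(SAMPLE_CAPTURE) over messages read from a pcap gives one record per client PID with the command and the reassembled clear-text output, which is exactly the evidence an administrator would look for.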

On which network types does soicmp work?
Which network adapters are supported by soicmp?

Soicmp only works on Ethernet-based networks. If you're using something other than an Ethernet interface card, like a modem, soicmp won't work.

Can soicmp work on loopback (127.0.0.1) devices?

Except on Windows systems, soicmp can work on loopback devices. This is a limitation of Windows and not of the pcap API.

Why can I use only 127.0.0.1 as the spoofed IP source address on Windows XP SP2 platforms?

This is one of the many security limitations that Microsoft introduced in the latest service pack release and that affect the raw sockets API.
I heard that "instead of sending raw IP packets, we can move one layer down and send our raw IP packets in raw ethernet frames" and avoid this problem, but I'm still trying to understand how to do something like that. :-)

What about NAT? Can I use soicmp behind it?

If you're using soicmp behind NAT or other kinds of gateway, things become quite hard because of the connection-less nature of soicmp.
In this case you may have to forward all incoming ICMP ECHOREPLY packets from the NAT to the internal workstation running the soicmp client or server. Depending on the communication mode chosen by the client, you may also have to forward ICMP_ECHO packets.
This is surely the biggest limitation affecting all tools similar to soicmp that use the data injection technique over connection-less protocols.

What about the new ICMP id value added in v0.5?

A problem in previous versions of soicmp was that multiple client instances couldn't run on the same machine, because the soicmpd output was printed by ALL clients. In newer versions the client builds ICMP packets whose identifier (id) equals its current process ID (PID).
ICMP packets returned by the server carry the same id value, so that only the current client instance accepts (and prints) them.

How do I run soicmp server in background on Windows?

If you're using soicmp from sources, just run (from the command prompt) serverw.pyw instead of server.py. If you're using the soicmp Win32 binaries, use serverw.exe instead of server.exe.

How do I install pcapy extension on Linux?

First you need to resolve the dependencies. On Debian Linux you can easily do it with apt:

root@dst:~# apt-get install python-dev gcc g++ libpcap0.8 libpcap0.8-dev make

...then unpack the pcapy release into a directory and run "python setup.py install". That's all.

Can I contribute to the development of soicmp project?

Of course you can. You can do so:

  • by improving the source code quality.
  • by trying to implement some of the ideas I wrote in the TODO.TXT file contained in the source distribution.
  • by trying to implement ideas of your own.
  • by trying soicmp and mailing me a report about your experience with it, or simply by reporting a bug to me.

The source code is well commented, so it should be easy to follow the flow of the program if you have a basic knowledge of the Python programming language.

billiejoex 2006-10-26