Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lucadibello/weaponizedping
🔫 A weaponized ping implementation that includes concealed data in the packet payload.
https://github.com/lucadibello/weaponizedping
exploit icmp-tunnel ping pinger python3
Last synced: 3 months ago
JSON representation
🔫 A weaponized ping implementation that includes concealed data in the packet payload.
- Host: GitHub
- URL: https://github.com/lucadibello/weaponizedping
- Owner: lucadibello
- Created: 2022-05-25T10:59:05.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-05-26T07:20:54.000Z (over 2 years ago)
- Last Synced: 2024-10-11T10:21:33.738Z (4 months ago)
- Topics: exploit, icmp-tunnel, ping, pinger, python3
- Language: Python
- Homepage:
- Size: 23.4 KB
- Stars: 3
- Watchers: 3
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# WeaponizedPing
A weaponized ping implementation that includes concealed data in the packet payload.
https://user-images.githubusercontent.com/37295664/170271191-03a97a88-b1df-4bbf-9055-1da621bcaa8d.mp4
## Exploit understanding
This vulnerability exploits the fact that ICMP Echo Request packets have a significantly greater MTU than is required.
Because an ICMP packet has a maximum MTU of 1500 bytes, subtracting the bytes required to send the header leaves 1472 bytes of payload space left to
contain any data we wish (it has no format to comply with).
This is an ICMP Echo Request packet generated by the classic "ping" command found in every operating system:
The payload of this packet is only **48 bytes**.
This, on the other hand, is a packet generated by weaponized ping:
Instead, the payload of this packet is **520 bytes**. As mentioned earlier, within the payload of a weaponized ping any information can be included, in this case the following information is sent:
- MAC Address of the main network card
- Information about all network cards in the system (ip address, subnet mask, broadcast address)
- Public IP address
- DNS servers used
## Security
The data sent within the payload is encrypted using an RSA-4096 public key.
For a generation of the key pair needed to send data securely, you can run the `keygen.py` script found in the `utility` folder:
```shell
python3 utility/keygen.py
```
This script will generate the following files within the current working folder:
- `receiver.pem`
- Public key
- `private.pem`
- Private key
## Decrypt payload
Once the attacker manages to intercept the packet generated by the weaponized ping, and succeeds in exporting
the contents of the payload within a file (see video demonstration for more information), it is possible to perform
decrypt the information using the `decrypt-dump.py` scripty found in the `utility` folder, specifying the
location of the dump to be decrypted and the associated private key needed:
```bash
python3 utility/decrypt-dump.py -k -f
```
## Weaponized payload example
This is an example of a payload (decrypted) sent to the attacker:
```text
b"3E:22:FB:BE:86:0F|en0:[{'addr': '10.21.48.210', 'netmask': '255.255.240.0', 'broadcast': '10.21.63.255'}]|en1:[{'addr': '82:5c:4e:23:14:01'}]|en2:[{'addr': '82:5c:4e:23:14:00'}]|awdl0:[{'addr': 'b2:8e:f0:97:d1:15'}]|llw0:[{'addr': 'b2:8e:f0:97:d1:15'}]|en3:[{'addr': 'ac:de:48:00:11:22'}]|en8:[{'addr': '169.254.81.191', 'netmask': '255.255.0.0'}]|en9:[{'addr': '169.254.189.118', 'netmask': '255.255.0.0'}]||DNS:195.176.49.70,195.176.49.72|PUBLIC:195.176.44.50"
```
Each type of information in the payload is separated by a pipe ('|') to facilitate its extraction/reading by the user. This is the order of the information present:
1. Mac Address
2. Information related to the network interfaces
3. DNS Servers
4. Public IP