Every now and then you will be onsite and find a locked down environment and no outbound internet access or DNS from the client systems, but the client systems can ping outbound to the internet.

I haven’t up until now needed to do much with ICMP on jobs, as normally there are other ways out. But on a recent internal job for a bank, client systems were all behind a proxy and no direct outbound connections were allowed, but it was possible to ping.

If you tell the client it is bad to allow clients to ping, they wont really see this as a big issue. So the best way to get them to listen is show them a nice shell out on the internet.

There is a great ICMP Shell script that was forked by Bernardo Damele  2 years ago, I decided to quickly knock up a bash script to automate this tool a bit more for the job I was on. This has now been committed to the official ICMPsh GitHub. ICMPSh is also built into SQLMap as one of the shell options.

Download the full tool from here:

https://github.com/inquisb/icmpsh

git clone https://github.com/inquisb/icmpsh.git

It is easy enough to run manually, but it is probably something you will not use everyday so my script makes things a bit easier.

Once you have cloned the Git repository you will see a run.sh file, this is my script. Simply run this script (ensure you have all the repo files there too) on the listener attacker box i.e your public attacker system on the internet. All you need to copy to the Windows client is the icmpsh.exe file, A.V wont pick this up.

Examples below:

Victims Windows machine, in this example this is just two internal VMs. But when doing this on the client get their public IP address by browsing to this site from the client http://www.whatismyipaddress.com

victim

Attackers public system with ICMPsh tool.

attacker1

Enter the victims public IP address that will send the outbound request.

attacker-listen

The script will check if your attacker system has ICMP replies enabled, if it does it will mess the shell output up. The script will check and temporarily disable this for you.

It will give you the exact command to run on the victims Windows system to connect to your public attacker box. All you need to copy to the victim system  is the icmpsh.exe file.

victimrun

Run the command on the victim system and you will then see an inbound shell appear over the internet on your attacker system.

shell

We now have a shell via ICMP. The only traffic that will be seen is ICMP requests/responses.

When you exit the shell, it will re-enable ICMP replies (if it disabled them for you).

exit