Every now and then you will be onsite and find a locked-down environment with no outbound internet access or DNS from the client systems, yet the client systems can still ping outbound to the internet. Until now I haven't needed to do much with ICMP on jobs, as there are normally other ways out. But on a recent internal job for a bank, the client systems were all behind a proxy and no direct outbound connections were allowed, but it was possible to ping.

If you tell the client it is bad to allow clients to ping, they won't really see this as a big issue. So the best way to get them to listen is to show them a nice shell out on the internet.

There is a great ICMP Shell script that was forked by Bernardo Damele 2 years ago. I decided to quickly knock up a bash script to automate this tool a bit more for the job I was on. This has now been committed to the official icmpsh GitHub. icmpsh is also built into sqlmap as one of the shell options.

Download the full tool from here: https://github.com/inquisb/icmpsh

git clone https://github.com/inquisb/icmpsh.git

It is easy enough to run manually, but it is probably something you will not use every day, so my script makes things a bit easier. Once you have cloned the Git repository you will see a run.sh file; this is my script. Simply run this script (ensure you have all the repo files there too) on the listener attacker box, i.e. your public attacker system on the internet. All you need to copy to the Windows client is the icmpsh.exe file; AV won't pick this up.

Examples below:

Victim's Windows machine: in this example this is just two internal VMs. But when doing this on the client, get their public IP address by browsing to this site from the client: What Is My IP Address?
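A defender-side check for the scenario above, added here as an example and not part of icmpsh or the original post: in an ordinary ping the echo reply returns the request's payload unchanged (RFC 792), so a tunnel that carries different data in each direction shows up as a request/reply payload mismatch. The packet bytes, function names and payload strings are constructed for illustration.

```python
import struct
from collections import namedtuple

Icmp = namedtuple("Icmp", "type code ident seq payload")

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed echo message (type 8 = request, type 0 = reply)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_echo(raw: bytes) -> Icmp:
    """Parse an ICMP echo message, rejecting truncated or corrupt input."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(raw) != 0:  # a valid message sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return Icmp(icmp_type, code, ident, seq, raw[8:])

def find_mismatched_replies(messages):
    """Return (ident, seq) of echo replies whose payload differs from the request."""
    pending, alerts = {}, []
    for raw in messages:
        msg = parse_echo(raw)
        key = (msg.ident, msg.seq)
        if msg.type == 8:
            pending[key] = msg.payload
        elif msg.type == 0 and key in pending and pending.pop(key) != msg.payload:
            alerts.append(key)
    return alerts

# Constructed sample traffic: one ordinary ping, then a tunnel-style exchange.
NORMAL = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte Windows ping pattern
SAMPLE = [
    build_echo(8, 1, 1, NORMAL),
    build_echo(0, 1, 1, NORMAL),                    # reply mirrors the request
    build_echo(8, 1, 2, b"constructed-output"),     # request carries data out
    build_echo(0, 1, 2, b"constructed-command\n"),  # reply carries other data in
]
ALERTS = find_mismatched_replies(SAMPLE)  # [(1, 2)]
```

In practice the same comparison would be fed from a packet capture or sensor at the egress point, alongside a policy that restricts which hosts may send ICMP echo to the internet at all.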