ICMP Shell
By: Peter Kieltyka
http://peter.eluks.com / peter@eluks.com

Current release: v0.2



What is ICMP Shell?
ICMP Shell (ISH) is a telnet-like protocol. It allows users to connect to a remote host and to open a shell using only ICMP to send and receive data. ICMP Shell was written in C for the UNIX environment.

How does it work?

The ISHELL server runs in daemon mode on the remote host. When the server receives a request from the client, it strips the header and looks at the ID field; if the ID matches the server's, it pipes the data to "/bin/sh". It then reads the results from the pipe and sends them back to the client, which prints them to stdout.

By default the client and server send packets with an ICMP type of 0 (ICMP_ECHO_REPLY); however, this can be changed on both the client and server side. ISHELL does not care what type you send out from the client or server end; the types do not have to match.

ISHELL does not only pipe commands to a server and send back the output. It also works with interactive programs (e.g. gdb). However, this causes a minor problem: ISHELL cannot display a shell prompt (#), because there is no way to differentiate between a command and an interaction with a program. If you have any ideas on how to implement that then I'd be more than happy to hear from you ;)

Firewall? No one said anything about a firewall!
By default ISHELL uses ICMP type 0 (ICMP_ECHO_REPLY) to send/recv. With a little bit of research I have found that ICMP type 0 works best with this program. Other types do work; however, some kernels process ICMP_ECHO_REQUEST packets automatically (BSD) while others do not (Linux).
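With the defaults described above (ICMP type 0 in both directions, session id 1515), ISH traffic consists of echo replies that answer no echo request, which is something a monitor can check for. The Python code below is an added example, not part of ISH or written by its author; the function names are hypothetical, and the addresses, sequence numbers and payloads in SAMPLE are constructed.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_icmp(data):
    """Split an ICMP echo message into (type, code, ident, seq, payload)."""
    if len(data) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return icmp_type, code, ident, seq, data[8:]

def find_unsolicited_replies(packets):
    """packets: iterable of (src, dst, icmp_bytes) in capture order.
    Returns one alert per echo reply that answers no earlier echo request."""
    pending = set()  # (requester, responder, ident, seq) still awaiting a reply
    alerts = []
    for src, dst, data in packets:
        try:
            icmp_type, _code, ident, seq, payload = parse_icmp(data)
        except ValueError:
            continue  # truncated message, nothing to match on
        if icmp_type == ECHO_REQUEST:
            pending.add((src, dst, ident, seq))
        elif icmp_type == ECHO_REPLY:
            key = (dst, src, ident, seq)
            if key in pending:
                pending.discard(key)  # ordinary ping answer, consumed once
            else:
                alerts.append({"src": src, "dst": dst, "id": ident,
                               "seq": seq, "payload_len": len(payload)})
    return alerts

def build(icmp_type, ident, seq, payload):
    # Constructed sample message; checksum left at 0 (the detector ignores it).
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed capture: one normal ping exchange, then two type-0 messages
# carrying the page's default session id (1515) with no request before them.
SAMPLE = [
    ("192.0.2.10", "192.0.2.20", build(8, 0x1A2B, 1, b"abcdefgh")),
    ("192.0.2.20", "192.0.2.10", build(0, 0x1A2B, 1, b"abcdefgh")),
    ("192.0.2.10", "192.0.2.20", build(0, 1515, 0, b"ls\n")),
    ("192.0.2.20", "192.0.2.10", build(0, 1515, 0, b"bin\netc\nusr\n")),
]

if __name__ == "__main__":
    for alert in find_unsolicited_replies(SAMPLE):
        print(alert)
```

Because the page notes that the ICMP type is configurable, this check covers the default configuration only.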

Call 'make' and follow the instructions.

MD5 (ish.c) = 07934540ee7ca6ac7919bb1ea49fd7ff
MD5 (ish_main.c) = e2885ef2eb7688caff9b45f8c81daf8f
MD5 (ish_open.c) = 81b11fce190a321a02b5313b1b244aa7
MD5 (ishd.c) = de574728574dc3a8d5389172ca4e3b6a
MD5 (ishell.h) = 380b110ba648164a82a0ffddbb0920f9

The server/client have been tested on:
- Linux Mandrake 8.1 x86
- FreeBSD 4.4 x86
- OpenBSD 3.0 x86
- Solaris 8 sparc

Some IMPORTANT words on the usage
1.) ISHELL uses raw sockets on both the client and server side, therefore root privileges ARE REQUIRED to use this program.

2.) When configuring the options for the server/client make sure the following options are the same on both the client and the server:

-i <id>
-p <packetsize>

Usage: Server
ICMP Shell v0.1 (server) - by: Peter Kieltyka
usage: ./ishd [options]

-h Display this screen
-d Run server in debug mode
-i <id> Set session id; range: 0-65535 (default: 1515)
-t <type> Set ICMP type (default: 0)
-p <packetsize> Set packet size (default: 512)

./ishd -i 65535 -t 0 -p 1024

Usage: Client
ICMP Shell v0.1 (client) - by: Peter Kieltyka
usage: ./ish [options] <host>

-i <id> Set session id; range: 0-65535 (default: 1515)
-t <type> Set ICMP type (default: 0)
-p <packetsize> Set packet size (default: 512)

./ish -i 65535 -t 0 -p 1024 host.com