Total Pageviews

Friday, 8 November 2019

WiFi Covert Channel -GhostTunnel


Golang version of Ghost Tunnel, or called Wifi Covert Channel.
Hide backdoor payload in 802.11 Probe-req and Beacon Frame.
No actual WiFi connection is required.

Usage

Server

# ./server-linux64 -iface your-monitor-mode-adapter
Compile requirements: gopacket, libpcap or winpcap

Client

Client uses system native WiFi api, so we don't need privilege and additional dependency.
Simply run the client.exe. But I strongly recommend to use P4wnP1 to ship it!
Tips:
Maybe the fastest way is running a HID script to download the malware from P4wnP1's HTTP Server :-)
from https://github.com/AmyangXYZ/GhostTunnel-Go
------

GhostTunnel

GhostTunnel is a covert backdoor transmission method that can be used in an isolated environment. It can attack the target through the HID device only to release the payload (agent), then the HID device can be removed after the payload is released.
GhostTunnel use 802.11 Probe Request Frames and Beacon Frames to communicate and doesn't need to establish a wifi connection. Exactly, it communicates by embedding data in beacon and probe requests. We publish the GhostTunnel server and windows agent implemented in c/c++. The agent doesn't need elevated privileges, it uses the system wifi api to send the probe request and receive the beacon. such as on windows, uses the Native WiFi API. So you can implement the corresponding agent on other platforms. The server runs on linux, you need one or two usb wifi card that supports monitor mode and packet injection to run it.

Advantages

  • Covertness.
  • No interference with the target’s existing connection status and communications.
  • Can bypass firewalls.
  • Can be used to attack strictly isolated networks.
  • Communication channel does not depend on the target’s existing network connection.
  • Allow up to 256 clients
  • Effective range up to 50 meters
  • Cross-Platform Support.
  • Can be used to attack any device with wireless communication module, we tested this attack on Window 7 up to Windows 10, and OSX.

Usage

Server

Only need one or two wireless network cards that supports packet injection and monitor mode, like TP-LINK TL-WN722N, Alfa AWUS036ACH.
Usage:
 ./ghosttunnel [interface]
 ./ghosttunnel [interface1] [interface2]

 COMMANDS:
  sessions = list all clients
  use = select a client to operate, use [clientID]
  exit = exit current operation
  wget = download a file from a client, wget [filepath]
  quit = quit ghost tunnel
  help = show this usage help

Client

Release the payload to the target system (only windows client published) and execute it.

Demo

https://www.youtube.com/watch?v=2s7qFLCafSI

Function Implementation

  • Shell command Create a remote shell.
  • Download file The file maximum size limit is 10M and can only download one file at a time.
  • You can add other functions as needed.

Building

Server Requirements

sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev

Compiling

server:
 cd src
 make
windows client:
 Microsoft Visual Studio 2015 
For Nethunter(tested on Nexus5):
  • Add #include on the top in gt_server.cpp
  • apt-get install libpcap0.8-dev
  • cd src && make

Thanks

from https://github.com/PegasusLab/GhostTunnel