GhostTunnel is a covert backdoor transmission method that can be used in an isolated environment. The HID device is used against the target only to launch the payload (agent); it can be removed after the payload is released.
Specifically, it communicates by embedding data in beacon and probe request frames. We publish the GhostTunnel server and Windows agent, implemented in C/C++. The agent doesn't need elevated privileges; it uses the system WiFi API to send probe requests and receive beacons. On Windows, for example, it uses the Native WiFi API. That means you can implement the corresponding agent on other platforms. The server runs on Linux; you need a couple of USB WiFi cards that support monitor mode and packet injection to run it.
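A defender-side sketch of how the channel described above could be spotted in a monitor-mode capture, added here as an example and not part of the GhostTunnel code. The page does not say which frame fields carry the data, so the SSID element as carrier, the two heuristics, the `MAX_SSIDS` threshold and all function names are assumptions; the sample frames are constructed.

```python
from collections import defaultdict

MGMT, PROBE_REQ, BEACON = 0, 4, 8
HDR_LEN, FIXED_LEN = 24, 12  # MAC header; beacon fixed fields (no radiotap/FCS assumed)
MAX_SSIDS = 3                # assumed threshold: distinct SSIDs per transmitter

def ssid_of(frame):  # -> (transmitter MAC, SSID bytes) or None
    if len(frame) < HDR_LEN or (frame[0] >> 2) & 0x3 != MGMT:
        return None
    subtype = frame[0] >> 4
    if subtype not in (PROBE_REQ, BEACON):
        return None
    pos = HDR_LEN + (0 if subtype == PROBE_REQ else FIXED_LEN)
    while pos + 2 <= len(frame):             # walk the ID/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        if pos + 2 + elen > len(frame):      # truncated element: give up
            return None
        if eid == 0:                         # element ID 0 carries the SSID
            return frame[10:16].hex(":"), frame[pos + 2:pos + 2 + elen]
        pos += 2 + elen
    return None

def is_binary(ssid):  # network names are printable text; raw data usually is not
    try:
        return not ssid.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return True

def scan(frames):  # -> sorted (transmitter, reason) findings
    seen, findings = defaultdict(set), set()
    for mac, ssid in filter(None, map(ssid_of, frames)):
        seen[mac].add(ssid)
        if ssid and is_binary(ssid):         # empty (wildcard) SSID is normal
            findings.add((mac, "binary-ssid"))
        if len(seen[mac]) > MAX_SSIDS:
            findings.add((mac, "ssid-churn"))
    return sorted(findings)

def sample_frame(subtype, mac, ssid):        # builds a constructed sample frame
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"" if subtype == PROBE_REQ else bytes(FIXED_LEN)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

STA, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = ([sample_frame(PROBE_REQ, STA, bytes([0x90 + i, 1, 0xFE])) for i in range(4)]
          + [sample_frame(BEACON, AP, b"CorpGuest")] * 3)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Both heuristics produce false positives on their own (hidden networks, devices with long preferred-network lists), so treat a hit as a lead to correlate with endpoint telemetry.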
- No interference with the target's existing connection status and communications.
- Can bypass firewalls.
- Can be used to attack strictly isolated networks.
- Communication channel does not depend on the target's existing network connection.
- Can be used to attack devices with a wireless communication module; we tested this attack on Windows 7 through Windows 10 and on OSX.
- Server: just needs one or two wireless network cards that support packet injection and monitor mode, such as TP-LINK TL-WN722N, Alfa AWUS036ACH.

    Usage:
        ./ghosttunnel [port]
        ./ghosttunnel [interface1] [interface2]

    COMMANDS:
        sessions = list all clients
        use = select a client to operate, use [clientID]
        exit = exit current operation
        wget = download a file from a client, wget [filepath]
        stop = quit ghost tunnel
        help = show this usage help

- Client: release the payload to the target system (only the Windows client is published) and execute it.
- Shell command: create a remote shell.
- Download file: the maximum file size is 10M, and only one file can be downloaded at a time.
- You can add other functions as needed.
Server requirements:

    apt-get install pkg-config libnl-3-dev libnl-genl-3-dev