Embed AES-256-GCM encrypted data inside packets indistinguishable from real OS pings. Multi-packet stealth reassembly, bidirectional C2 shell, APT timing profiles, OS signature mimicry — built for authorized red team operations.
ICMP as a covert channel with military-grade crypto and SOC-grade evasion.
Three AEAD algorithms (AES-256-GCM, ChaCha20-Poly1305, XOR-CFB-HMAC) with PBKDF2-SHA256 key derivation. Fixed per-algorithm salts enable deterministic key generation from a shared password — no key exchange needed.
Replicates byte patterns of real Linux ping (56-byte sequential) or Windows ping (32-byte alphabetic). Encrypted data is XOR-embedded into the authentic pattern. From the network, it looks like a standard ping.
Interactive shell over ICMP. The operator sends `CMD:<id>:<command>` packets; the agent executes and replies `RESP:<id>:<rc>:<stdout>`. The entire exchange is encrypted.
Chunks any file into encrypted ICMP packets with ±25% size jitter per chunk. When stealth mode is active, each chunk is split across multiple 64-byte pings (indistinguishable from `ping -s 56`) with a 4-byte hidden fragment header. The listener reassembles all fragments before decryption.
Lazarus (5 min–1 hr), APT29 (30 min–2 hr), APT28 (10–30 min), Equation Group (1–3 days). Per-chunk adaptive delay blends long-running exfiltration into legitimate background traffic.
Checks system uptime, process count, and available resources on startup. Aborts before sending a single packet if sandbox indicators are detected. Thresholds configurable via `config/ping-007.yml`.
Requires Go 1.25+ and root / CAP_NET_RAW. All commands need raw ICMP socket access.
Build
Send an encrypted message
Without -p — what NOT to do
| Command | Flag | Default | Description |
|---|---|---|---|
| global | -p / --password | — | Shared password — required for interoperable crypto |
| global | --no-banner | false | Suppress JSON logs and startup banner |
| basic | -t / --target | required | Target IP address |
| basic | -d / --data | — | Inline data to transmit |
| basic | --signature | linux | OS ping pattern: linux, windows, none |
| basic | --delay | 0 | Pre-send delay (e.g. 2s, 500ms) |
| basic | --human-timing | false | Random 1–5s intervals between packets |
| basic | --ultra-stealth | false | All evasion techniques combined (timing + size + pattern) |
| basic | --decoy-pings | 0 | Send N clean OS-pattern pings before data to blend into traffic |
| basic | --after-pings | 0 | Send N clean pings after data to close session naturally |
| basic | --ping-interval | 1s | Interval between pings in a sequence (mirrors real ping) |
| basic | --no-encrypt | false | Send plaintext — no encryption, no encoding (raw bytes in ICMP) |
| basic | --encode | false | Base64-encode payload only (lower entropy than AES, no confidentiality) |
| exfil | -f / --file | required | File to exfiltrate |
| exfil | --mode | stealth | stealth (5–30s gap), fast (no delay), covert (30–120s gap) |
| exfil | --chunk-size | 512 | Base chunk size in bytes (±25% jitter applied per chunk) |
| exfil | --no-encrypt | false | Plaintext payload (no crypto) |
| exfil | --signature | linux | OS signature for TTL mimicry: linux (TTL=64), windows (TTL=128), none |
| shell | --mode | interactive | interactive (C2 over ICMP) or batch (local execution only) |
| shell | --jitter | 0 | Max random delay before each command packet (e.g. 3s); breaks metronomic C2 beacon detection |
| listen | -o / --output | ./received | Output directory for received files |
| listen | --method | icmp_tunnel | icmp_tunnel or shell (C2 agent mode) |
| listen | --timeout | 60 | Timeout in seconds |
| listen | -q / --quiet | false | Suppress per-packet output (for real ops — verbose logging is an OPSEC risk) |
| apt | -r / --profile | required | Profile name: lazarus, apt29, apt28, or equation |
| apt | --duration | 60 | Simulation duration in seconds |
Three AEAD algorithms with deterministic PBKDF2 key derivation. The receiver auto-detects the algorithm from a 4-byte wire header.
| Algorithm | Key | Auth | Salt (fixed) | Status |
|---|---|---|---|---|
| AES-256-GCM | 256-bit | AEAD | ping007-aes-salt-v1 | Active |
| ChaCha20-Poly1305 | 256-bit | AEAD | ping007-chacha20-salt-v1 | Active |
| XOR-CFB + HMAC-SHA256 | 256-bit | HMAC | ping007-xor-salt-v1 | Active |
| ECDH P-256 key exchange | — | — | — | TODO |
The salt is fixed and baked into the binary. Security relies entirely on password strength — a weak password is weak regardless of 100k PBKDF2 iterations. Use at least 20 random characters. Rotate between operations.
Implemented techniques only. Nothing here is theoretical.
- OS signature mimicry
  - Linux: 56-byte, 0x08,0x09,…
  - Windows: 32-byte, abcdefgh…
  - Data XOR'd into real pattern
  - Always 64 bytes on the wire
- Multi-packet fragmentation
  - Large payloads → N×64-byte pings
  - 4-byte frag header hidden in XOR zone: `[0xA7][session][frag_id][total]`
  - Receiver reassembles before decrypt
- ICMP header randomization
  - TTL: 64 (Linux) / 128 (Windows)
  - ICMP ID: crypto/rand per session
  - Seq: crypto/rand start
  - Breaks OS fingerprinting
- `--human-timing`
  - Random 1–5s between packets
  - 1s ±10% jitter within frags
  - 5–120s inter-chunk gaps
- `--decoy-pings` / `--after-pings`
  - Clean OS pings wrap the data
  - Makes isolated ICMP events disappear
  - Shell: `--jitter` breaks beacon timing
- Algorithm rotation
  - Algorithm random at session start
  - AES / ChaCha20 / XOR-CFB-HMAC
  - First ciphertext byte varies
  - Breaks cross-session PCAP correlation
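For the defender's side of the OS-signature mimicry described above (both the feature overview and the technique list): an added detection example, not part of this project, that checks ICMP echo bodies against the genuine Linux and Windows ping patterns rather than trusting packet size. The sample bodies and source IPs are constructed for illustration; the full Windows alphabet pattern is assumed from the page's `abcdefgh…` prefix.

```python
import hashlib
from collections import defaultdict

# Genuine OS ping bodies as the page describes them:
#   Linux `ping -s 56`: 8-byte timestamp, then bytes 0x08..0x37 in sequence
#   Windows ping: 32 alphabetic bytes, 'a'..'w' then 'a'..'i' (assumed full pattern)
LINUX_TAIL = bytes(range(0x08, 0x38))                 # offsets 8..55 of a 56-byte body
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes


def pattern_match_ratio(payload: bytes) -> float:
    """Fraction of the expected OS pattern that is intact in an echo body (1.0 = genuine).
    Byte entropy is a poor signal here: a sequential Linux body already has 48 distinct
    bytes, so comparing against the known pattern is the reliable check."""
    if len(payload) == 56:
        observed, expected = payload[8:], LINUX_TAIL  # skip the timestamp, which varies
    elif len(payload) == 32:
        observed, expected = payload, WINDOWS_PATTERN
    else:
        return 0.0
    return sum(a == b for a, b in zip(observed, expected)) / len(expected)


def classify_echo_payload(payload: bytes) -> str:
    """'linux-ping', 'windows-ping' or 'anomalous'. Length alone would accept an
    XOR-embedded 56-byte body, so the verdict requires the pattern bytes to be intact."""
    if pattern_match_ratio(payload) < 1.0:
        return "anomalous"
    return "linux-ping" if len(payload) == 56 else "windows-ping"


def anomalous_sources(packets):
    """packets: iterable of (src_ip, payload). Returns {src: (anomalous, total)} for
    sources that sent at least one anomalous body. Clean decoy pings before and
    after the data raise `total`, but every embedded body still counts."""
    stats = defaultdict(lambda: [0, 0])
    for src, payload in packets:
        stats[src][1] += 1
        if classify_echo_payload(payload) == "anomalous":
            stats[src][0] += 1
    return {src: tuple(v) for src, v in stats.items() if v[0] > 0}


# Constructed samples (not captured traffic); a zero timestamp stands in for a real one.
GENUINE_LINUX = bytes(8) + LINUX_TAIL
_noise = hashlib.sha256(b"constructed-ciphertext-stand-in").digest() * 2
EMBEDDED = bytes(8) + bytes(a ^ b for a, b in zip(LINUX_TAIL, _noise))  # pattern XORed away

if __name__ == "__main__":
    session = [("10.0.0.5", GENUINE_LINUX)] * 3 + [("10.0.0.5", EMBEDDED)] * 2
    session.append(("10.0.0.9", WINDOWS_PATTERN))
    print(anomalous_sources(session))  # {'10.0.0.5': (2, 5)}
```

Sources with a high anomalous fraction over a window are the ones worth pulling a PCAP for; decoy pings lower the ratio but cannot remove the embedded bodies from the count.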