ping-pwn — Writing an ICMP Shell for Linux using ICMP tunnels & Scapy


An ICMP tunnel (also known as ICMPTX) establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets.

ICMP tunnels can be used to bypass firewalls rules through obfuscation of the actual traffic. Without proper deep packet inspection or log review, network administrators will not be able to detect this type of traffic through their network. Even mature SOCs generally do not monitor ICMP traffic, I have had a lot of success with this in locked down PCI-DSS environments.


The idea of encapsulating data and commands in ICMP traffic to create a stealthy remote control channel was first popularised by the tool Loki, which was described in Phrack Magazine in 1996. The Tribe Flood Network (TFN) botnet, analysed by David Dittrich in 1999, used a similar ICMP-based scheme for remotely controlling infected systems.

This Code

This is a work in progress and code I have used on pci-dss tests for years. Caveat: You need elevated permissions to create raw sockets in Linux, there used to be a bug in Linux that allowed a low-priv user to do so but I have not verified if it’s still there or not, I doubt it. What this is good for is covert communications on a host you have elevated permissions on, let’s say you made it all the way in without tripping alarms but now you want to exfil, then an ICMP shell is exactly what one may want.

FYI There is a an awesome Windows version that has been around for a long time…inquisb/icmpsh
Simple reverse ICMP shell. Contribute to inquisb/icmpsh development by creating an account on


I am taking part in a CTF and I have not had time to comment code, but I will get back to this and update it asap.

The Code