Covert Backdoor Transmission Method

GhostTunnel is a covert backdoor transmission method that can be used in an isolated environment. It can attack the target through an HID device used only to release the payload (agent); the HID device can be removed once the payload has been released.

GhostTunnel uses 802.11 Probe Request frames and Beacon frames to communicate and does not need to establish a Wi-Fi connection. Specifically, it communicates by embedding data in beacons and probe requests. We published the GhostTunnel server and Windows agent, implemented in C/C++. The agent doesn't require elevated privileges; it uses the system Wi-Fi API to send probe requests and receive beacons. On Windows, for example, it uses the Native WiFi API. That means a corresponding agent can be implemented on other platforms. The server runs on Linux and needs one or two USB Wi-Fi cards that support monitor mode and packet injection.
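From the defender's side, the channel described above means probe requests and beacons are worth inspecting for unusual element contents. The following sketch is an added example, not GhostTunnel code: the page does not say which information element carries the data, so checking the SSID and vendor-specific elements, the OUI allowlist, and the thresholds are all assumptions.

```python
import math
from collections import Counter

PROBE_REQ, BEACON = 0x4, 0x8            # 802.11 management subtypes
KNOWN_OUIS = {bytes.fromhex("0050f2"),  # Microsoft; allowlist is an assumption
              bytes.fromhex("506f9a")}  # Wi-Fi Alliance

def parse_mgmt(frame: bytes):
    """Parse a probe request or beacon (no radiotap header, no FCS); else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (PROBE_REQ, BEACON):
        return None
    pos = 24 + (12 if subtype == BEACON else 0)  # beacons: 12 fixed bytes first
    elements = []
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:           # truncated element, stop parsing
            break
        elements.append((eid, value))
        pos += 2 + elen
    return subtype, frame[10:16].hex(":"), elements  # addr2 = transmitter MAC

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def findings(frame: bytes, min_len=16, min_entropy=3.5):
    """Heuristic flags for elements that could carry embedded data (assumed thresholds)."""
    parsed = parse_mgmt(frame)
    if parsed is None:
        return []
    out = []
    for eid, value in parsed[2]:
        if eid == 0 and any(b < 0x20 or b > 0x7E for b in value):
            out.append("ssid-nonprintable")
        if eid == 221 and value[:3] not in KNOWN_OUIS:
            out.append("vendor-unknown-oui")
        if eid in (0, 221) and len(value) >= min_len and entropy(value) >= min_entropy:
            out.append("high-entropy-element")
    return out

# Constructed sample frames (not captured traffic): 24-byte header + elements.
HDR = bytes.fromhex("4000" "0000" "ffffffffffff" "020000000001" "ffffffffffff" "0000")
NORMAL = HDR + b"\x00\x07HomeNet" + b"\x01\x04\x02\x04\x0b\x16"
ODD = HDR + bytes([0, 20]) + bytes(range(0x80, 0x94)) + bytes([221, 5]) + b"\xaa\xbb\xcc\x01\x02"
```

These flags are heuristics: legitimate UTF-8 SSIDs and less common vendor elements will also trigger them, so treat hits as leads to correlate per transmitter MAC rather than as verdicts.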



  • No interference with the target's existing connection status and communications.
  • Can bypass firewalls.
  • Can be used to attack strictly isolated networks.
  • The communication channel doesn't depend on the target's existing network connection.
  • Allows up to 256 clients.
  • Effective range up to 50 meters.
  • Cross-platform support.
  • Can be used to attack devices with a wireless communication module; we tested this attack on Windows 7 up to Windows 10, and OS X.



  • Server: only needs one or two wireless network cards that support packet injection and monitor mode, like TP-LINK TL-WN722N, Alfa AWUS036ACH. Usage:
    ./ghosttunnel [interface]
    ./ghosttunnel [interface1] [interface2]
     	sessions = list all clients
     	use = select a client to operate, use [clientID]
     	exit = exit current operation
     	wget = download a file from a client, wget [filepath]
     	quit = quit ghost tunnel
     	help = show this usage help
  • Client: release the payload to the target system (only the Windows client is published) and execute it.

Function Implementation

  • Shell command: create a remote shell.
  • Download file: the maximum file size is 10M, and only one file can be downloaded at a time.
  • You can add other functions as needed.

Server Requirements

    apt-get install pkg-config libnl-3-dev libnl-genl-3-dev

About the Author: Steve West