jm33-m0
commented
2 years ago 感谢建议,为了方便更多人阅读,我下面用英文回复
Thanks for the suggestion. Currently I am working on the functionality of emp3r0r, so host level hiding is not being developed further.
In terms of host level hiding, we are essentially deceiving the system utilities, the most effective way of doing this is take control of the kernel since all common tools run in user space, which required higher privileges.
For LKM I will weaponize it further in the future, hopefully it will solve all your concerns.
Several thoughts:
- Start the whole thing from a library which can be easily loaded into any process, this requires an custom ELF interpreter. By doing this your don't need a process to perform your work, you work inside an existing process.
- If you simply want to hide from humans, you can just kill your process and remain silent when not needed, that way 90% of the time you are safe. Actually emp3r0r has a "C2 indicator" doing just that (not on host level, though).
- Obfuscate your process, meaning you name it so no one can easily tell what's wrong. For now empr3r0r randomizes most things, making it harder to detect, at least harder for automatic scanners.
- Don't worry about ports, there are plenty of random ports open on any Linux machine, you just need to make it harder to recognize
- Admins manage more than one hosts, so host level hiding is not enough, or not even important when there's no one looking
一直在关注您的这个项目。 现在Linux c2 agent最大的短板就是隐藏IP连接 隐藏进程和文件 就这3个差不多了 不然做后渗透一个命令 netstat -untp就会发现可疑进程和连接 然后结束进程 木马就掉了 权限就没了 很抱歉和您提这些 就是您的项目真的很完美 我从freebuf关注您到现在 就是我自己没有太新颖的思路隐藏(或者自己借助第三方工具隐藏等)。但我发现您的项目 也有可以隐藏的项目开发 有lkm和用户级的隐藏 我觉得隐藏是所有Linux远控的一大痛点,如果这个项目能把这个做好 之前的emp3r0r项目的agent某版本好像会本地开个端口,也很容易被运维的发现。 虽然这个项目任然很完美 但我为什么和您说 就是希望他更完美 他的功能完爆所有Linuxcc 这个只是我个人短浅之见 谢谢您您能够看到我的提交。