krisnova / boopkit

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
Apache License 2.0
1.57k stars 170 forks

Additional trigger (tcp_receive_reset) #4

Closed krisnova closed 2 years ago

krisnova commented 2 years ago

Because of #3 we need to entertain alternative triggers other than tcp_bad_csum.

We can consider trying another trigger mechanism (tcp_receive_reset) which will allow the trigger to establish a TCP connection with the server, and midway through the TCP handshake send a reset.

I need to research how far along in the TCP handshake we need to be in order to trigger the eBPF probe. Regardless, most TCP connections will allow for a full handshake and data transmission regardless of authentication status. This is how SSH, Kubernetes, etc. work.

krisnova commented 2 years ago

This is now complete with the latest commits.

I tested the tcp_receive_reset eBPF probe over SSH and was able to trigger the tracepoint.

OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021

In other words, there is now a second method to "boop" a server for situations where the bad checksum vector is not viable. This will run automatically with the trigger. The trigger will even use SOCK_STREAM to validate that a host is online before using SOCK_RAW to trigger the manual reset.