
[SOURCE] Linux rootkit


Status: Closed for further replies.

SeviuM (rank: RAID-массив; banned; registered 05.12.2021; 56 posts; 1 reaction)
Please note that this user is banned.

SyM Linux Rootkit
SyM is a universal user-mode Linux rootkit that will sustainably hold root persistence across all Linux kernel versions, and will successfully bypass any EDR or rootkit detection software. SyM will also come with a plethora of features capable of stealing important files such as SQL database backups, .git, and other configuration files; and much more. Along with being the first of its kind, SyM implements some API system call hooking that has never been seen before, which makes it such a unique and undetectable rootkit experience.

C&C / C2 / backdoor methods:
  • ICMP backdoor
    Use a unique magic identifier to open a reverse shell
  • accept() backdoor
    Use a unique magic identifier to open a listening TCP server
  • PAM backdoor
    Direct interactive SSH backdoor with custom hidden port, username, and password

Internal System Logging:
  • SSH Log
    Log all incoming and outgoing SSH authorizations in plaintext by hooking pam_vprompt, read, and write API calls
  • Execution Log
    Log all normal (including root) user command execution flow

Hiding Self / Rootkit
  • Hide all files, processes, open ports, and all connections based on unique magic identifier
  • Hide process map files, to prevent direct mapping of process and being able to identify rootkit
  • Hide any file, or directory of choice
  • All rootkit master created directories and files will be kept track of, so no need to manually add or edit anything to keep it hidden!
  • Note: It is possible to forge or fake as any other installed software, service, or similar

EDR Bypass / Evasion
  • Hooking API calls to hide itself from /proc/*/maps as well as many other system locations
  • Bypassing SELinux and GRSec
  • Bypasses and hides from SentinelOne and other similar software

File Stealer
  • By scanning and keeping track of a user-made list of interesting files and directories, the rootkit is capable of stealing anything on the fly and uploading it directly to an external server
  • Stuff like SQL databases are stolen automatically by default!

Pricing
  • Source Code: $5000

Contact
 
Add a socks5 reverse-proxy function - it'll be great for starting to pentest an AD network from a Linux box which got fucked on the DMZ. Adding socks5 or any tunnel will be welcome 100%. Good job anyway. You are welcome here.
 
> Add a socks5 reverse-proxy function - it'll be great for starting to pentest an AD network from a Linux box which got fucked on the DMZ. Adding socks5 or any tunnel will be welcome 100%. Good job anyway. You are welcome here.
I already have a socks5 module written, any modules that people need written I can write easily.
 
There is, but let's not compare a (nice) toy on github to what you've made here. Some of the features sound rather interesting, as is the support for a broad range of kernels (different architectures also?). I only asked about zpoline because I was wondering about Linux EDRs (I've not encountered SentinelOne myself, but I've heard of it; I assume it's an LKM?). For sure some really clever stuff in there.
> Log all normal (including root) user command execution flow
What if I'm using zsh? I'm trying to read between the lines here.
> Hide process map files, to prevent direct mapping of process and being able to identify rootkit
This is cool.
> Note: It is possible to forge or fake as any other installed software, service, or similar
Does this use ptrace by any chance? Saw a very neat way of doing this relatively recently.

The rootkit sounds top quality; would love to know a few more technical details, but I'm sure it's something you'd prefer to discuss in private (I'm not in the market for one myself, but if I was I'd be interested).

If you're the sort who actually needs to worry about 3rd party EDR systems, then I'd say this sounds rather convincing...


[EDIT]
Ahahah. I only found a replacement link - it's an article I've read before. Feel a bit silly now. Rave reviews, and they appear to have missed half of the functionality. V.nice, I'm sure it's well worth the money.
 
> Add a socks5 reverse-proxy function - it'll be great for starting to pentest an AD network from a Linux box which got fucked on the DMZ. Adding socks5 or any tunnel will be welcome 100%. Good job anyway. You are welcome here.
Also, cron-like autostart on reboot would be good.
 
Closed. Reason: https://xss.pro/threads/94982/

I skimmed the files: judging by the timestamps, the software is from 2018; it looks like the software's main target is VMware ESXi; there's also a batch of privilege escalation exploits and one cool "universal" one in binary form. Judging by the writing style in its description, I think I know who the author is :D
Interesting software, thanks.
And yes, most likely SeviuM is a scammer and sold you public stuff or resold old stuff. There can be no question of any "one buyer only" deal.

Update: I forgot to write that the sources are incomplete and the rootkit's main functionality is provided in binary form, so the software is of no particular value. Except that the compiled exploits might come in handy, and even those are from before 2018.

Why wasn't SeviuM banned? Nobody created a complaint.

admin
 