Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
ssheater-1.1.tar.gz |
Description:
|
SSHeater is a program that infects the OpenSSH daemon in run-time in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into all accounts in the system. There's a log parser included in the package that can display authentication information about sessions as well as play the session just like TTYrec/play.
| | Author: | Barros | | Homepage: | http://www.gotfault.net/ | | File Size: | 16852 | | Last Modified: | Apr 6 15:09:49 2006 |
| MD5 Checksum: | 584353ff41ac6ad6a59f87eaa8b05340 |
|
| /// File Name: |
cd00r.c |
Description:
|
cd00r.c is a proof of concept code to test the idea of a completely invisible (read: not listening) backdoor server. Standard backdoors and remote access services have one major problem - the port's they are listening on are visible on the system console as well as from outside (by port scanning). To activate the remote access service, one has to send several packets (TCP SYN) to ports on the target system. Which ports in which order and how many of them can be defined in the source code.
| | Author: | FX | | Homepage: | http://www.phenoelit.de/ | | File Size: | 16605 | | Last Modified: | Jun 13 17:29:23 2000 |
| MD5 Checksum: | f7d023c9bfa342c440262beb65dd105e |
|
| /// File Name: |
Netstat.zip |
Description:
|
Netstat.zip is a fake windows netstat which can hide certain network connections. Requires renaming the original netstat.
| | Author: | Digital Fire | | File Size: | 15843 | | Last Modified: | Apr 24 20:18:22 2001 |
| MD5 Checksum: | 97d5d9a6abab7e7c5a2b97e38252db12 |
|
| /// File Name: |
tunnelshell_v1.tgz |
Description:
|
Tunnelshell is a client-server backdoor which uses fragmented packets to traverse firewalls. Written in C, tested on Linux.
| | Author: | Fryx | | File Size: | 15410 | | Last Modified: | Jan 31 02:18:07 2002 |
| MD5 Checksum: | d85e5b237d50e8eac3adc6a84bc13157 |
|
| /// File Name: |
knark-0.59.tar.gz |
Description:
|
Knark is a kernel based rootkit for Linux 2.2. Hides files in the filesystem, strings from /proc/net for netstat, processes, and program execution redirects for seamlessly bypassing tripwire / md5sum.
| | Author: | Creed | | Changes: | Remote command execution. | | File Size: | 15169 | | Last Modified: | Nov 21 01:12:10 1999 |
| MD5 Checksum: | adde1bb47d9e45237e83d85f8d48098f |
|
| /// File Name: |
tcpd-byp.tar.gz |
Description:
|
Modified tcp wrappers which bypass restrictions in hosts.deny and hosts.allow.
| | Author: | God- | | Homepage: | ftp://haxordot.org/pub/god-/ | | File Size: | 14905 | | Last Modified: | Aug 5 23:07:04 2000 |
| MD5 Checksum: | ac6a784b6ca87296554ef4544558b0d3 |
|
| /// File Name: |
adore-0.42.tgz |
Description:
|
Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything.
| | Author: | Stealth | | Homepage: | http://www.team-teso.net | | Changes: | Added devpts fix, fixed is_secret64() to properly hide files, and fixed a memory leak. | | File Size: | 14749 | | Last Modified: | Sep 19 18:18:14 2002 |
| MD5 Checksum: | 156ded13d5e16b84a9e31193bc9bc417 |
|
| /// File Name: |
adore-0.39b4.tgz |
Description:
|
Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything.
| | Author: | Stealth | | Homepage: | http://www.team-teso.net | | Changes: | Now includes open()/stat() redirection and improved netstat hiding. Removed execution redirection. | | File Size: | 14678 | | Last Modified: | Jul 29 05:48:33 2001 |
| MD5 Checksum: | 777cbd2a59268b394b79da2bda910a40 |
|
| /// File Name: |
sun-5.5.1.zip |
Description:
|
Solaris 2.5.1 rootkit.
| | File Size: | 14587 | | Last Modified: | Aug 16 20:06:53 1999 |
| MD5 Checksum: | ebf975690e348e10295a463ab13c5229 |
|
| /// File Name: |
adore-0.38.tar.gz |
Description:
|
Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything.
| | Author: | Stealth | | Homepage: | http://www.team-teso.net | | Changes: | Added 64bit FS support, now fools protection modules as StMichael, and minor fixes. | | File Size: | 14316 | | Last Modified: | May 25 18:17:46 2001 |
| MD5 Checksum: | 72e80f9fa6ebe9358f7fd0358c8e959f |
|
| /// File Name: |
ezmal-0.2.zip |
Description:
|
EZMal is a Mac OS X Trojan Kit that will attach a persistent bindshell to applications.
| | Author: | microphone8000 | | File Size: | 13952 | | Last Modified: | Jul 30 22:57:19 2008 |
| MD5 Checksum: | 1af27ee2d196b8eccedf3762e3a16c01 |
|
| /// File Name: |
ntbindshell.zip |
Description:
|
Ntbindshell is a lightweight (24k compiled) cmd.exe backdoor for Windows. Full C source included. Provides two modes of operation - standard (listening mode) or reverse-connect mode. Includes the ability to install itself as a system service, providing a shell with LocalSystem privileges.
| | Author: | Christophe Devine | | File Size: | 13548 | | Last Modified: | Oct 20 21:54:48 2003 |
| MD5 Checksum: | f9263c604245a5fdff0843915d6936c4 |
|
| /// File Name: |
adore-0.34.tgz |
Description:
|
Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything.
| | Author: | Stealth | | Homepage: | http://www.team-teso.net | | Changes: | Improved 2.4 support, better authentication checking, permanent PID removal, configure script, experimental exec redirection for i386. | | File Size: | 13470 | | Last Modified: | Mar 26 19:50:38 2001 |
| MD5 Checksum: | 69b3453f1fb1650388fc63297652d221 |
|
| /// File Name: |
trNkitv1.0r.tar.gz |
Description:
|
trNkit v1.0 -Release- (beta). Includes patched versions of du, locate, netstat, ps, pstree, top, w, and who.
| | Author: | turnrightNever | | File Size: | 13353 | | Last Modified: | Jan 25 02:14:22 2002 |
| MD5 Checksum: | 30e6999a115ab145c17d2351744c1bda |
|
| /// File Name: |
Phantasmagoria.tgz |
Description:
|
Phantasmagoria hides tasks without modifying syscalls in Linux kernel v2.4. Includes a paper "Smashing The Kernel For Fun And Profit" and proof of concept code.
| | Author: | Dark Angel | | File Size: | 13061 | | Last Modified: | Sep 6 00:26:23 2002 |
| MD5 Checksum: | a278f9b3307f3c37c9c9d1247f110575 |
|
| /// File Name: |
knark-0.50.tar.gz |
Description:
|
Knark is a kernel-based rootkit for Linux 2.2. Hides files in the filesystem, strings from /proc/net for netstat, processes, and program execution redirects.
| | Author: | Creed | | File Size: | 12856 | | Last Modified: | Nov 15 19:49:25 1999 |
| MD5 Checksum: | 93b4d72822ac6b8cd5346542ae7804f8 |
|
| /// File Name: |
cisco-ack-proof-concept.tgz |
Description:
|
This document contains details on a proof-of-concept white paper on how to circumvent Cisco access-lists which rely on only permitting "established" TCP sessions by establishing communications between a client and server (included) which never uses the SYN bit. Works on any firewall that accepts all packets without the syn bit.
| | Author: | Codex | | Homepage: | http://www.phate.net/docs/security/ | | File Size: | 12711 | | Last Modified: | May 31 18:23:32 2000 |
| MD5 Checksum: | e7c9032c77ac8938e06fd163cdc9e3fd |
|
| /// File Name: |
m0rtix.c |
Description:
|
m0rtix.c is a simple C linux backdoor which bind a shell to a port with tty fork. The processes are hidden and it contains a kernel version detector which tell you what local root exploit you must use to root the system.
| | Author: | jeremy still | | File Size: | 12040 | | Last Modified: | Apr 28 20:30:27 2006 |
| MD5 Checksum: | 6503eae7a42fb2d5336a3a0cde0c5bb0 |
|
| /// File Name: |
rathole-1.2.tar.gz |
Description:
|
RatHole is a unix backdoor which compiles cleanly on standard Linux and OpenBSD (probably other BSD flavors also) without additional libraries. It features blowfish encryption, process name hiding and definition of a preferred shell. It spits no error messages (like for sockets already bound) because it is supposed to be stealth. When a client connects to the backdoor a new shell process and two pipe files are created. The I/O of the shell is duped to the pipes and the daemon encrypts the communication.
| | Author: | Incognito/STK | | File Size: | 11419 | | Last Modified: | Nov 30 01:51:07 2007 |
| MD5 Checksum: | c652966a5d9a09c29369794979d4ac6b |
|
| /// File Name: |
psf.c |
Description:
|
Psf (Process Stack Faker) attempts "hide" UN*X processes (those seen by "ps auwx" & "top") without having root. Tested on FreeBSD 4.3, Linux 2.4, NetBSD 1.5, Solaris 2.7.
| | Homepage: | http://sysdlabs.hypermart.net/proj/index.html#psf | | File Size: | 10641 | | Last Modified: | May 20 01:01:11 2002 |
| MD5 Checksum: | 9201bd94e640580b7fab70294ff169b6 |
|
| /// File Name: |
firedoor-0.2.tar.gz |
Description:
|
firedoor forwards any TCP connection behind a firewall using techniques similar to reverse telneting. Written in Java 1.4, so it is very small and can run on both Linux and Win32 without modifications. Source file included.
| | Author: | j0ker | | Homepage: | http://olives.ath.cx/~j0ker/ | | File Size: | 10511 | | Last Modified: | Aug 11 12:18:14 2003 |
| MD5 Checksum: | 984aa4861deeb9af70a9cee118a49278 |
|
| /// File Name: |
silentdoor.tar.gz |
Description:
|
SilentDoor is a connectionless, PCAP-based backdoor for linux that uses packet sniffing to bypass netfilter. It sniffs for UDP packets on port 53, runs each packet against a decryption scheme, if the packet validates than it runs a command. Can be masked to look like any other process. Remote command utility included.
| | Author: | doctor raid | | File Size: | 10310 | | Last Modified: | Mar 17 02:43:57 2005 |
| MD5 Checksum: | 5a8f02eb1e1d7ca1ff8e7a30603286a3 |
|
| /// File Name: |
tumbler.tar.gz |
Description:
|
tumbler is a protocol that enables a client piece of software to securely tell a server process on a remote machine to execute a predetermined command. tumbler is similar to port knocking and is designed so that a remote user can securely and stealthily enable and disable server processes, or open and close firewall holes on a computer connected to the Internet.
| | Author: | John Graham-Cumming | | Homepage: | http://tumbler.sourceforge.net/ | | File Size: | 10240 | | Last Modified: | Apr 18 20:45:00 2004 |
| MD5 Checksum: | b76000ec994e66526b964d7c579646ba |
|
| /// File Name: |
enyelkm.en.v1.0.tar.gz |
Description:
|
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table, or IDT content. It hide files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc.
| | Author: | RaiSe | | Homepage: | http://www.enye-sec.org | | File Size: | 9907 | | Last Modified: | Nov 30 14:14:40 2005 |
| MD5 Checksum: | 5896fe3e8a333c4e1e52daedc3422363 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
