+ Python 2.7.x
git clone https://github.com/guelfoweb/peframe && cd peframe
pip install simplejson
python setup.py install
peframe example.exe
AntiFor is an anti-forensic multitool written in bash.
– mat (Metadata Anonymization Toolkit)
apt install libimage-exiftool-perl bleachbit mat
git clone https://github.com/irrecoverable/AntiFor && cd AntiFor
chmod +x *.sh
sudo ./anti.sh
* Process hiding
* User hiding
* Network hiding
* LXC container
* Persistent (re)installation & Anti-Detection
* Dynamic linker modifications
*** accept() backdoor (derived from Jynx2)
*** PAM backdoor
**** PAM auth logger
* vlany-exclusive commands
Latest Change 7/11/2016:
* Update patch_ld.py
* Update config.py
Use and download:
wget https://github.com/mempodippy/vlany/archive/master.tar.gz && tar -xf master.tar.gz
./install.sh
* modern Linux OS with udev and probably systemd
Usage and download from git:
git clone https://github.com/trpt/usbdeath && cd usbdeath
or
wget https://github.com/trpt/usbdeath/blob/master/usbdeath
chmod a+x usbdeath
./usbdeath
+ run independently of the host environment (no dependence on existing executable utilities, e.g. python, ruby, find)
+ run with minimal likelihood of detection (no execution of potentially detectable commands, e.g. netstat, lsof, who)
+ run fast (parallelized native code)
+ grab a snapshot of host activity like processes, net connections, arp cache, logged in users, more
+ … do the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V & auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption later
+ modify user’s ssh config to force user to enable connection sharing (ControlMaster) when ssh’ing to remote hosts
– add user to the system
– add ssh pubkey to the root user
– execute userspace commands
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of payload are encrypted in memory. This is accomplished by receiving a command -> decryption -> execution -> re-encryption. The control channel supports OTP: each command sent to the backdoor has the option of providing a new key. The need to re-encrypt with a new key goes away when Diffie-Hellman is implemented for key exchange.
— this feature isn’t useful for an opensource backdoor….um ok. did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.
+ you’ll have a tainted kernel if you “allow signed modules, but don’t require them”
+ all legitimate kernel modules will need to be signed for an unsigned module to be noticed
— you still need to safely get the fact that the kernel is tainted off the system somehow
— the kernel can be tainted for reasons other than unsigned driver loading, so pay attention to the taint code
+ volatility can show you there’s a netfilter hook in place. you probably aren’t expecting any, so this is usually high signal.
— you can then reverse this piece of the module, but shouldn’t be able to analyze the payload without the key
— unless something like Diffie-Hellman is used for key exchange, you can capture the key over the network to decrypt the payload
+ so it still means you need a memory dump & pcap to analyze the payload
+ piggy back on forwarded ssh credentials (ssh-agent reuse)
+ piggy back on existing ssh connections that have connection sharing enabled (ssh connection reuse)
Use and download:
git clone https://github.com/unixist/postex && cd postex
Discovery:
cd discovery
go build
cd cmd
go run snappy.go --av | jq '. | select(.Name == "Antivirus")|.Values.Name'
Example output:
"OSSEC"
"Sophos"
"Tripwire"
"Samhain"
Backdoor:
cd persistence
make
Add a public key to the root user's /root/.ssh/authorized_keys file:
$ echo 'key:0124812401:1111111111:2' | nc -u $host 8001
then load all of the built .ko modules.
« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
There are 3 reasons (maybe more?) to use this tool:
– In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly use a « mouse jiggler » to keep the screensaver and sleep mode from activating.
– You don’t want someone to install backdoors or malware on your computer or to retrieve documents from your computer via USB.
– You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).
[!] Important: Make sure to use full disk encryption! Otherwise they will get in anyway.
Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.
Additional requirement for OS X users
In order to make usbkill work on OS X, you have to install python3 by using brew:
Source : https://github.com/hephaest0s