TripleCross – A Linux eBPF Rootkit With A Backdoor, C2, Library Injection, Execution Hijacking, Persistence And Stealth Capabilities.

TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of eBPF. TripleCross is inspired by previous implant designs in this area, notably the works of Jeff Dileo at DEFCON 27, Pat Hogan at DEFCON 29, Guillaume Fournier and Sylvain Afchain also at DEFCON 29, and Kris Nóva's Boopkit. We reuse and…

Kali Linux 2022.3 – Penetration Testing and Ethical Hacking Linux Distribution

Time for another Kali Linux release: Kali Linux 2022.3. This release has various impressive updates. The highlights of the 2022.3 release: Discord Server – Kali's new community real-time chat option has launched! Test Lab Environment – quickly create a test bed to learn, practice and benchmark tools and compare their results. Opening Kali-Tools Repo…

Laurel – Transform Linux Audit Logs For SIEM Usage

LAUREL is an event post-processing plugin for auditd(8) that improves its usability in modern security monitoring setups. Why? TL;DR: instead of audit events that look like this… type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B6574… …turn them into JSON logs where the mess that your pen testers/red teamers/attackers are trying to make becomes apparent at first glance…
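The transformation LAUREL describes, as an added example that is not LAUREL's own code: a small Python parser that takes an auditd EXECVE record, decodes the hex-encoded argument values auditd uses for anything containing spaces, quotes or non-printable bytes, reassembles long arguments that auditd splits into a1[0], a1[1], … pieces, and emits one JSON object per record. The sample records are constructed for this example (the a2 hex is the same perl snippet as in the line above, cut after `$p=1234;`); the field names follow auditd's format, everything else is assumed.

```python
import json
import re

# Constructed sample records in auditd's native format. The a2 value on the
# first line is the hex encoding of:  use Socket;$i="10.0.0.1";$p=1234;
# The second line shows how auditd splits one long argument into a1[0]/a1[1].
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" '
    'a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B',
    'type=EXECVE msg=audit(1626611400.001:348502): argc=2 a0="sh" '
    'a1_len=7 a1[0]=2D632065 a1[1]=63686F',
]

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S+)')
# argv fields: a0, a1, ... and the split pieces a1[0], a1[1], ... of one argument
ARGV_RE = re.compile(r'a(\d+)(?:\[(\d+)\])?')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def decode_argv_value(raw: str) -> str:
    """Return the argument text: quoted values are plain, bare values are hex."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
        # errors='replace' keeps the record usable even for non-UTF-8 argv bytes
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw  # e.g. "(null)" or other special markers auditd may emit


def parse_audit_record(line: str) -> dict:
    """Parse one auditd record line into a dict with a reassembled argv list."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError(f'not an audit record: {line!r}')
    fields = {}
    pieces = {}  # argv index -> {piece index -> decoded text}
    for key, raw in FIELD_RE.findall(m.group('rest')):
        am = ARGV_RE.fullmatch(key)
        if am:
            idx = int(am.group(1))
            piece = int(am.group(2)) if am.group(2) is not None else 0
            pieces.setdefault(idx, {})[piece] = decode_argv_value(raw)
        else:
            fields[key] = raw.strip('"')
    # join split pieces in order, then order the arguments themselves
    argv = [''.join(parts[p] for p in sorted(parts))
            for _, parts in sorted(pieces.items())]
    return {
        'type': m.group('type'),
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'argv': argv,
        'fields': fields,
    }


def audit_to_json(line: str) -> str:
    """One JSON object per audit record, ready for a SIEM ingest pipeline."""
    return json.dumps(parse_audit_record(line), sort_keys=True)


if __name__ == '__main__':
    for rec in SAMPLE_RECORDS:
        print(audit_to_json(rec))
```

With the decoded argv in one list, a detection rule only has to look at `argv` (an interpreter followed by a `-e` payload that opens a socket) instead of pattern-matching hex. Real auditd output also ties several records together through the serial number in `msg=audit(ts:serial)`, which is why the parser keeps `serial` as an integer.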

Bpflock – eBPF Driven Security For Locking And Auditing Linux Machines

bpflock – eBPF driven security for locking and auditing Linux machines. Note: bpflock is currently in an experimental stage; it may break, options and security semantics may change, and some BPF programs will be updated to use the Cilium ebpf library. 1. Introduction bpflock uses eBPF to strengthen Linux security. By restricting access to a range of…

Tofu – Windows Offline Filesystem Hacking Tool For Linux

A modular tool for hacking offline Windows filesystems and bypassing login screens. It can do hash dumps, OSK backdoors, user enumeration and more. How it works: when a Windows machine is shut down, unless it has BitLocker or another encryption service enabled, its storage device contains everything stored on the device as if it were unlocked. This…

Pamspy – Credentials Dumper For Linux Using eBPF

pamspy leverages eBPF to do the equivalent of 3snake. It tracks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication, such as sudo, sshd, passwd, gnome, x11 and many others. How to launch? pamspy is built as a static binary without any…

Dlinject – Inject A Shared Library (I.E. Arbitrary Code) Into A Live Linux Process, Without Ptrace

Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things. Usage: …

Lockc – Making Containers More Secure With eBPF And Linux Security Modules (LSM)

lockc is open source software for providing MAC (Mandatory Access Control) type security auditing for container workloads. The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about the host OS and provide ways to "break…

LEAF – Linux Evidence Acquisition Framework

Linux Evidence Acquisition Framework (LEAF) acquires artifacts and evidence from Linux EXT4 systems, accepting user input to customize the functionality of the tool for easier scalability. Offering several modules and parameters as input, LEAF is able to use smart analysis to extract Linux artifacts and output them to an ISO image file. Usage: [-h] [-i…