admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Changed the repository (and the rootkit!) name with TripleCross: https://dictionary.cambridge.org/dictionary/english/double-cross. This is 'triple' because it is a BPF program that betrays you at the userspace, at the kernel, and at the network.

Browse Source
This commit is contained in:
h3xduck
2022-06-15 20:33:07 -04:00
parent 75e92445e5
commit 80f334636a
4 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -1,4 +1,4 @@
# TFG
# TripleCross
## Build and run
```bash
cd src

6
docs/chapters/chapter4.tex
View File

@@ -1067,9 +1067,11 @@ The rootkit client is compiled to a single executable named \textit{injector}. T
\label{fig:client_help}
\end{figure}
As we can observe in the figure, the rootkit client enables to execute the C2 actions we have described in section \ref{subsection:c2}. Upon running any of these options, the client will first request the network interface to use. This enables the attacker to choose the specific network to which it can connect to the infected machine. After choosing an interface, the rootkit client crafts the respective backdoor trigger and sends it to the infected machine (we have also included an additional non-C2 PoC showing how the rootkit modifies incoming packets). Every option requires to specify the infected machine location by indicating its IP address.
As we can observe in the figure, the rootkit client enables to execute the C2 actions we have described in section \ref{subsection:c2}. Upon running any of these options, the client will first request the network interface to use. This enables the attacker to choose the specific network to which it can connect to the infected machine.
After sending a backdoor trigger, the client will enter a listening state, waiting for the backdoor response. Once a response is received confirmating that the remote machine is up and with the rootkit running, the client proceeds to show the user a shell prompt where it can enter commands.
After choosing an interface, the rootkit client crafts the respective backdoor trigger and sends it to the infected machine (we have also included an additional non-C2 PoC showing how the rootkit modifies incoming packets). Every option requires to specify the infected machine location by indicating its IP address.
After sending a backdoor trigger, the client will enter a listening state, waiting for the backdoor response. Once a response is received confirmating that the remote machine is up and the rootkit is installed, the client proceeds to show the user a shell prompt where it can enter commands. This shell prompt
The rootkit client needs to be executed as root, since the library RawTCP\_Lib it uses requires privileges for some of its functionalities.

2
src/client/client.c
View File

@@ -29,7 +29,7 @@
void print_welcome_message(){
printf("*******************************************************\n");
printf("************************* TFG *************************\n");
printf("********************* TripleCross *********************\n");
printf("*******************************************************\n");
printf("************ https://github.com/h3xduck/TFG ***********\n");
printf("*******************************************************\n");

2
src/helpers/packager.sh
View File

@@ -39,7 +39,7 @@ quiet(){
#Start of script
echo "*******************************************************\n"
echo "************************* TFG *************************\n"
echo "********************* TripleCross *********************\n"
echo "*******************************************************\n"
echo "***************** Marcos Sánchez Bajo *****************\n"
echo "*******************************************************\n"