EpiRootkit
By STDBOOL
Here's a quick guide to installing QEMU/KVM on Ubuntu 24.10 and enabling virtualization. First, enable virtualization in your BIOS. Then update the package list.
Then install QEMU, KVM and libvirt (optionally virt-manager for a GUI) as shown below.
Add your user to the required groups, then log out and back in for the change to take effect. Finally, enable and start the libvirt service.
Start by cloning the project's Git repository, available at the following address: epita-apprentissage-wlkom-apping-2027-STDBOOL.git. Once the repository is cloned, you'll find the following structure at the root:
| Element | Description |
|---|---|
| AUTHORS | List of project authors |
| README | Basic project explanation file |
| TODO | Project TODO file, contains all completed or planned tasks |
| boot | Folder containing virtual machine setup scripts |
| attacker | Folder containing all web services used by the attacker |
| rootkit | Folder containing all rootkit code |
| docs | Folder containing this documentation in Markdown and HTML formats |
| Makefile | Lab installation and usage Makefile |
All operations are centralized in the Makefile. Here are the main available commands (to use with make):
| Command | Description |
|---|---|
| prepare | Creates all necessary network interfaces and iptables rules |
| start | Starts the two project virtual machines (attacker and victim) |
| update_attacker | Uploads the attacker folder to the attack machine |
| launch_attacker | Starts the attack web service from the attack machine |
| update_victim | Uploads the rootkit folder to the victim machine |
| launch_victim | Compiles the rootkit code on the victim machine and inserts the rootkit with insmod |
| launch_debug_victim | Same as launch_victim, but the rootkit is compiled with the DEBUG flag |
| stop_epirootkit | Attempts to 'rmmod' the rootkit (only if rootkit compiled with DEBUG flag) |
| doc | Generates HTML documentation in the docs/html folder |
| clean | Cleans all network configurations made by prepare |
Important: You must prepare two QEMU virtual machines in advance. The project has been tested with Ubuntu 24.10.
Minimum VM specifications:
Required VM files: You need to create two QEMU disk images and place them in the boot/vms/ directory:
- attacker_disk.qcow2 - Attacker VM disk
- victim_disk.qcow2 - Victim VM disk
Network configuration inside VMs: Both VMs must be configured with static IP addresses:
To configure static IPs on Ubuntu 24.10, edit /etc/netplan/01-netcfg.yaml:
Attacker VM (/etc/netplan/01-netcfg.yaml):
Victim VM (/etc/netplan/01-netcfg.yaml):
Apply the configuration with:
Once your VMs are ready and placed in boot/vms/, set up the network configuration by running:
Since this script modifies your network configuration, it will ask for your root password. The script will:
Once this is done, you can perform the first machine boot by running:
Starting both virtual machines may take some time, but you don't have to do anything other than wait and whistle the Star Wars theme to the tune of Jurassic Park.
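A quick sanity check of the host before and after that first boot, as an added example that is not part of the EpiRootkit project: it verifies the two disk images from boot/vms/, that /dev/kvm is usable, that the tap0/tap1 interfaces created by make prepare exist, and that both guests answer on their static addresses. File names, TAP names and addresses are those given on this page; the default directory and the 2-second ping timeout are assumptions.

```shell
#!/bin/sh
# Added example (not project code): lab host checks for the EpiRootkit setup.

# Both QEMU disk images must exist in the vms directory (default: boot/vms/).
# Returns 0 when both are present, 1 otherwise, naming each missing file.
check_vm_disks() {
    dir="${1:-boot/vms}"
    rc=0
    for img in attacker_disk.qcow2 victim_disk.qcow2; do
        if [ ! -f "$dir/$img" ]; then
            echo "missing disk image: $dir/$img" >&2
            rc=1
        fi
    done
    return "$rc"
}

# KVM is usable only if /dev/kvm exists and the current user may open it
# (virtualization enabled in the BIOS, user added to the right group).
check_kvm() {
    [ -w /dev/kvm ] && return 0
    echo "/dev/kvm not writable: enable virtualization and check group membership" >&2
    return 1
}

# make prepare creates tap0 (attacker) and tap1 (victim); both must exist.
check_taps() {
    rc=0
    for tap in tap0 tap1; do
        if ! ip link show "$tap" >/dev/null 2>&1; then
            echo "missing interface $tap (run make prepare)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# After make start, both guests should reply on their static addresses.
check_vms_up() {
    rc=0
    for addr in 192.168.100.2 192.168.100.3; do
        if ! ping -c 1 -W 2 "$addr" >/dev/null 2>&1; then
            echo "no reply from $addr" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run check_vm_disks, check_kvm and check_taps before make start, and check_vms_up once the machines have booted; each prints what is missing and returns non-zero.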
Once the machines are started, you can send the attack web server code to the attacking machine with the command below.
Then send the rootkit code to the victim machine.
You can finally, in a first terminal, start the attack web server.
It will then be accessible at http://192.168.100.2:5000, both from the attack machine and from the host. To access it, simply open a browser such as Firefox (installed by default on the attack VM) and enter that address in the address bar.
Note: As mentioned in the Reverse Shell section, it is necessary to access the web service directly from the attack machine if you want to benefit from the reverse shell.
For the victim machine, you can use a second terminal to compile and insert the rootkit. Two modes are available: the normal mode, launched with make launch_victim, and the DEBUG mode, launched with make launch_debug_victim, in which the module can later be removed with rmmod.
Note: If the rootkit is launched in DEBUG mode, you can then deactivate it by running make stop_epirootkit, which will remove it from the victim machine with rmmod.
Here is all the information related to both virtual machines, including their login credentials.
| | Victim | Attacker |
|---|---|---|
| Username | victim | attacker |
| Password | victim | attacker |
| IP Address | 192.168.100.3 | 192.168.100.2 |
| MAC Address | 52:54:00:DD:EE:FF | 52:54:00:AA:BB:CC |
| TAP | tap1 | tap0 |
For example, you can open an SSH connection to the victim machine by running the command below in a terminal.
SSH access can be useful to run the Makefile commands directly from the machines concerned. Here are the equivalents below.
| Action (attacker machine) | Command |
|---|---|
| Start web server | sudo python3 ~/attacker/main.py |
| Action (victim machine) | Command |
|---|---|
| Compile rootkit (DEBUG mode) | sudo make -f ~/rootkit/Makefile debug |
| Insert rootkit | sudo insmod ~/rootkit/epirootkit.ko |
| Remove module from kernel | sudo rmmod epirootkit |
To clean up the environment after use, run make clean. This script will offer to delete the boot/vms/ folder and will also remove the TAP interfaces and the network bridge.