Boopkit Versions Save

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.

v1.4.1

2 years ago

Memory improvements (fixed a segmentation fault); thanks to bl4sty for the help.

  • Improved interface packet parsing (raised ring buffer size)
  • Fixed clearing eBPF objects from queue
  • Debugging symbols in boopkit for gdb
  • Added -p flag for protect mode (will NOT execute RCE), useful for debugging

v1.4.0

2 years ago

More improvements to the code (docs, stability, etc.)

  • Client now supports -x for SYN-only mode (which is what I will use in my demo)

v1.3.0

2 years ago

Boopkit is flipping the logic around. I am trying to move the toolchain to be a little more useful to the end user. By default it will no longer do a reverse dial for an RCE string: it will search for it in the packet buffer, or it will do nothing. However, there is a new flag (-r) that can be passed to both the client and the server to enable a reverse dial. A reverse dial is substantially more stable, but it has a lot of implications.

v1.2.2

2 years ago

Better packet filtering for -p. Boopkit is now running stably with full RCE using only -p for both the client and the server. Also made improvements to the deep packet inspection mechanism, which will increase the stability of the rootkit.

v1.2.1

2 years ago

Adding a very important "halt" command.

-9, halt/kill      Halt or kill the boopkit malware on a server.

Running remotely:

[nova@emily]: ~/boopkit>$ sudo -E boopkit-boop -9

================================================================

    ██████╗  ██████╗  ██████╗ ██████╗ ██╗  ██╗██╗████████╗
    ██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗██║ ██╔╝██║╚══██╔══╝
    ██████╔╝██║   ██║██║   ██║██████╔╝█████╔╝ ██║   ██║   
    ██╔══██╗██║   ██║██║   ██║██╔═══╝ ██╔═██╗ ██║   ██║   
    ██████╔╝╚██████╔╝╚██████╔╝██║     ██║  ██╗██║   ██║   
    ╚═════╝  ╚═════╝  ╚═════╝ ╚═╝     ╚═╝  ╚═╝╚═╝   ╚═╝   
    Author: Kris Nóva <[email protected]> Version 1.2.0
    
    IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES.    

    DO NOT ATTEMPT TO USE THE TOOLS TO VIOLATE THE LAW.
    THE AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTION.
    MISUSE OF THE SOFTWARE, INFORMATION, OR SOURCE CODE
    MAY RESULT IN CRIMINAL CHARGES.
    
    Use at your own risk.

================================================================
  -> *[RCE]     : X*x.HALT.x**X
  -> *[Local]   : 127.0.0.1:3535
  -> *[Remote]  : 127.0.0.1:22
  -> *[Payload] : (RCE, *bad csum) SYN only!
================================================================
  -> [090 bytes]   TX SYN     : 127.0.0.1:22 (RCE, *bad csum)
================================================================

v1.2.0

2 years ago

A slightly less hacky version of the program. This now supports a "single SYN" mode! There is also a really terrible multithreaded ring buffer for pcap packet captures that probably should never be run by anyone.

Major features

  • -p for "payload-only" mode. This means that boopkit will NOT reverse dial for an RCE payload. It only searches using DPI.
  • -c for boopkit-boop commands (moving from -x)
  • Dependency on libpcap until we have time for a proper XDP integration. We have an interface for now.
  • xCap ring buffer

v1.0.6

2 years ago

Mostly a cosmetic and userspace runtime improvement release.

  • Now supports home directory probe loading
  • make install now installs to the home directory
  • Log leaking has been addressed
  • Fixed bug with hanging on bad reverse socket calls
  • Fixed boop probe memory leak with tplist to generate structs
  • Boopscript supports runtime overloading of variables for metasploit

v1.0.5

2 years ago

This tag is the first release of boopkit!

  • eBPF Probe (Self PID Obfuscation)
  • eBPF Probe (TCP Bad checksum)
  • eBPF Probe (TCP packet RST)
  • Trigger program is compatible with metasploit
  • Boopkit has an ignore (-x) feature for noisy localhost
  • Boopkit now calling socket directly, preliminary reverse TCP injection

Tested on 5.16 and 5.17 kernels running Arch Linux.