Iptable_Evil – An Evil Bit Backdoor For Iptables

When connecting to the backdoored VM from a VM that does not set the evil bit, the SSH connection will eventually time out.

  iptable evil 3 ssh timed out 741010 iptable evil 4 reserved unset 741624

Packet captures of backdoor and non-backdoor SSH connections are in the docs/ folder in this repo for your perusal.

Kernel Version

  • 5.8.0-48-generic (Ubuntu 20.04)

Further Information and Resources

  • RFC 3514 inventing the evil bit: https://tools.ietf.org/html/rfc3514
  • Ben Cox’s introduction to the evil bit: https://blog.benjojo.co.uk/post/evil-bit-RFC3514-real-world-usage
  • Ben Cox’s iptables_uwu (mostly just for giving the names of things to research): https://github.com/benjojo/iptables-uwu
  • A somewhat outdated but very detailed explanation of how iptables works and how to add targets and modules to it: https://inai.de/documents/Netfilter_Modules.pdf
  • https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
  • Bootlin’s Elixir search is significantly easier to use to find identifiers in the kernel than grep: https://elixir.bootlin.com/linux/v5.8/source/net/ipv4/netfilter/ip_tables.c#L225
  • Ubuntu’s docs explain how to build the kernel: https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel
Download Iptable_Evil

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source