Proof of Concept: Faking Out Tripwire
In the following output, I run the rootkit developed in this chapter against Tripwire, which is arguably the most common and well-known HIDS.
First, I execute the command tripwire --check to validate the integrity of the filesystem. Next, the rootkit is installed to trojan the binary hello (which is located within /sbin/). Finally, I execute tripwire --check again to audit the filesystem and see if the rootkit is detected.
Note
Because the average Tripwire report is rather detailed and lengthy, I have omitted any extraneous or redundant information from the following output to save space.
$ sudo tripwire --check
Parsing policy file: /usr/local/etc/tripwire/tw.pol *** Processing Unix File System *** Performing ...
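The baseline-then-recheck cycle in the procedure above (tripwire --check, modify a binary, tripwire --check again) is the core of what a file-integrity HIDS does. The following Python script is an added example written for this page; it is not code from the book and not Tripwire's own implementation. It records a SHA-256 digest, size and mode for every regular file under a directory, then re-walks the directory and reports files that were added, removed or modified. The sandbox directory and the hello script it creates are constructed stand-ins for /sbin/hello, and the content change in demo() stands in for the file modification the text describes.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and mode for each regular file below root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a plain file (devices, sockets).
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def check(root, baseline):
    """Re-scan root and diff it against a stored baseline, the way a --check run does."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline) if current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the baseline / modify / re-check cycle in a constructed sandbox directory."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for /sbin/hello; not a real system binary.
        hello = os.path.join(root, "hello")
        with open(hello, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        os.chmod(hello, 0o755)

        baseline = build_baseline(root)
        clean = check(root, baseline)          # first check: nothing changed yet

        # Constructed modification: same path and mode, different file content.
        with open(hello, "wb") as f:
            f.write(b"#!/bin/sh\necho hello # constructed change\n")

        dirty = check(root, baseline)          # second check: hello now differs
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("first check :", before)
    print("second check:", after)
```

The script reads files through the ordinary filesystem interface, exactly as Tripwire does, so its verdict is only as trustworthy as the kernel answering those reads; that dependency is what the rest of the chapter's proof of concept exercises. A practitioner using a checker like this should keep the baseline on read-only or off-host storage and compare against an independently booted view of the disk when a rootkit is suspected.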