shkval – Remote Wiping Software for Linux

What shkval Does

shkval is an example of remote wiping software that can be used on any Linux system running nftables. nft rules on the server log every incoming packet, including its TCP options, to the kernel log (dmesg). This means the server does not need to bind to a socket to receive commands; it reads them from dmesg entries instead.

dmesg is queried, and the logged packets are checked line by line against hardcoded values stored in “server.py”.

The first value is the “command_password”, which is 20 characters long. It is compared with the TCP options of each packet logged in dmesg.

The second value is the “command_port”, which is compared with the “source_port” (the SPT field) of the logged packet.

Both values must match before the “shred” utility is run. If they do, shred wipes the file whose path is stored in “server.py”.

In this example, scapy is used on the client (client.py) to construct and send a packet of data to the server. This packet is built with the specific data, mentioned prior, that is used to determine whether or not to initiate a shred operation.

from scapy import all as scapy

command_password = "dlSmtkQaGTfATveHtjwb"  # MUST BE 20 CHARACTERS
command_port = 666

assert len(command_password) == 20

# Send a SYN to the server with the password carried in a raw TCP option (kind 19).
# The option payload goes on the wire as raw bytes, so it is encoded explicitly.
scapy.sr(scapy.IP(dst="10.0.2.23") / scapy.TCP(sport=command_port, dport=666, seq=1, ack=0, flags="S",
                                               urgptr=0, options=[(19, command_password.encode())]))

server.py Hardcoded Parameters

file_to_delete_full_path = "/tmp/secrets.db"   # file that shred will wipe
command_password = "dlSmtkQaGTfATveHtjwb"       # 20-character password expected in the TCP options
command_port = "666"                            # a string: the source port is parsed from log text

file_to_delete_full_path holds the full path of the file to wipe. command_password is the value the TCP option bytes parsed from the packet are compared with, and command_port is compared with the source port taken from the dmesg packet entry. command_port is kept as a string because the port is parsed out of log text rather than read from a socket.

Extracting Packet Data

import binascii
import re
import subprocess

while True:
    # nftables log entries land in the kernel ring buffer; re-read it on every pass
    dmesg_log = subprocess.Popen(['dmesg'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    for line in dmesg_log.stdout.readlines():
        line = line.decode()

        # "SPT=<port> " is the TCP source port as nf_log prints it
        source_port = re.findall(r"SPT=.*? ", line)
        if source_port:
            parsed_source_port = str(source_port[0]).strip().split("=")[1]

        # "OPT (<hex>)" holds the raw TCP option bytes (only present with 'log flags all');
        # drop the kind and length bytes at the front and the two zero padding bytes at the end
        options_password = re.findall(r"OPT .*?\)", line)
        if options_password:
            parsed_options_password = str(options_password[0]).strip().split(" ")[1].strip(")(")[4:-4]
            # nf_log prints the options as uppercase hex, so compare in that form
            parsed_command_password = binascii.hexlify(command_password.encode()).upper().decode()

The source port and password (stored in TCP options) are extracted from the packet entry in dmesg for later comparison to the hardcoded values in the server.py script.

Verifying Ports and Passwords

import sys

if source_port and options_password:
    try:
        if parsed_options_password == parsed_command_password and parsed_source_port == command_port:
            # one overwrite pass, then unlink; -f forces write permission if needed
            shred_response = subprocess.Popen(["shred", "-f", "-n", "1", "-u", file_to_delete_full_path],
                                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            _, shred_err = shred_response.communicate()
            # shred reports errors on stderr; once the file is gone it can no longer be opened
            if "failed to open" in shred_err.decode():
                sys.exit(0)
    except Exception as e:
        print(e)

The server.py script checks that parsed_options_password equals parsed_command_password (the hex form of the password stored in the script), and that the packet's parsed_source_port equals command_port (also stored in the script).

If both values match, the shred utility is run with parameters naming the file to delete (file_to_delete_full_path). Once shred reports that the file can no longer be opened (“failed to open”, meaning it has already been removed), the script exits successfully.
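The same dmesg lines that server.py parses are what a defender has to work with, because the trigger never touches a socket. The following is an added example, not shkval's own code: it parses the SPT and OPT fields of an nftables “log flags all” entry the way the extraction and verification steps above do, then flags option payloads that no ordinary TCP stack would send. The option-kind numbers are from the TCP option registry (kind 19 is the RFC 2385 MD5 signature option, whose payload is always a 16-byte digest); the sample dmesg lines, addresses and timestamps are constructed.

```python
"""Added example (not shkval's code): parse nftables 'log flags all' entries from
dmesg and flag TCP options that carry data instead of TCP negotiation."""
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Option kinds an ordinary stack puts on a SYN: NOP, MSS, WS, SACK-permitted,
# SACK, timestamps, MPTCP, TCP Fast Open.
COMMON_KINDS = {1, 2, 3, 4, 5, 8, 30, 34}
# Kind 19 is the RFC 2385 MD5 signature option: length 18, i.e. a 16-byte digest.
MD5_SIG_KIND, MD5_SIG_PAYLOAD_LEN = 19, 16

OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_tcp_options(hexblob: str) -> List[Tuple[int, bytes]]:
    """Decode the OPT hex dump into (kind, payload) pairs. Kind 0 (EOL) ends the
    list, kind 1 (NOP) is one byte, anything else is kind, length, payload."""
    raw = binascii.unhexlify(hexblob)
    opts: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            break  # truncated option header
        length = raw[i + 1]
        if length < 2:
            break  # malformed length; stop rather than loop forever
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_nflog_line(line: str) -> Optional[Dict]:
    """Pull SRC/DST/SPT/DPT and the decoded options out of one nf_log line; None if not TCP."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    m = OPT_RE.search(line)
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "options": parse_tcp_options(m.group(1)) if m else [],
    }


def suspicious_options(opts: List[Tuple[int, bytes]]) -> List[str]:
    """Reasons an option list looks like smuggled data rather than TCP negotiation."""
    reasons = []
    for kind, payload in opts:
        if kind == MD5_SIG_KIND:
            if len(payload) != MD5_SIG_PAYLOAD_LEN:
                reasons.append(f"kind 19 carries {len(payload)} bytes, not a 16-byte MD5 digest")
        elif kind not in COMMON_KINDS:
            reasons.append(f"uncommon option kind {kind}")
        if len(payload) >= 8 and all(32 <= b < 127 for b in payload):
            reasons.append(f"kind {kind} payload is printable text: {payload.decode()!r}")
    return reasons


def scan_dmesg(text: str) -> List[Tuple[Optional[str], Optional[int], List[str]]]:
    """Return (source IP, source port, reasons) for every flagged TCP log entry."""
    hits = []
    for line in text.splitlines():
        rec = parse_nflog_line(line)
        if rec is not None:
            reasons = suspicious_options(rec["options"])
            if reasons:
                hits.append((rec["src"], rec["spt"], reasons))
    return hits


# Constructed sample. Line 1 is how scapy's options=[(19, <20 bytes>)] appears once
# nf_log hex-dumps it (kind 0x13, length 0x16, payload, two zero pad bytes); line 2 is
# an ordinary Linux SYN (MSS, SACK-perm, TS, NOP, WS); line 3 is not TCP at all.
TRIGGER_OPT = "1316" + binascii.hexlify(b"dlSmtkQaGTfATveHtjwb").decode().upper() + "0000"
SAMPLE_DMESG = "\n".join([
    "[  812.113401] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.2.2 DST=10.0.2.23 "
    f"LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=666 DPT=666 SEQ=1 ACK=0 WINDOW=8192 "
    f"RES=0x00 SYN URGP=0 OPT ({TRIGGER_OPT}) ",
    "[  812.220017] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.2.2 DST=10.0.2.23 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=52314 DPT=22 SEQ=3120 ACK=0 WINDOW=64240 "
    "RES=0x00 SYN URGP=0 OPT (020405B40402080A0012D6870000000001030307) ",
    "[  813.004100] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.2.2 DST=10.0.2.23 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32",
])

if __name__ == "__main__":
    for src, spt, reasons in scan_dmesg(SAMPLE_DMESG):
        print(f"{src}:{spt}: " + "; ".join(reasons))
```

Run as a script it prints one hit for the first sample line: the kind 19 option is the wrong length for an MD5 signature and its payload is plain printable text, which is exactly the signature a rule like shkval's leaves in the kernel log. Feeding real “dmesg” output to scan_dmesg works the same way, since the parser only depends on the field names nf_log prints.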

Firewall (nftables) Rules

$ sudo nft add table ip shkval
$ sudo nft add chain ip shkval input { type filter hook input priority 0\; }
$ sudo nft add rule shkval input log level debug flags all

These nft rules write a log entry for every inbound packet to the kernel log, which dmesg reads. The “flags all” part is what adds the TCP options (the OPT field) to each entry, and those option bytes are what shkval uses as a “password”. The password is checked against the one stored in the server.py script and, when they are equal, the shred utility is run. Because the rule matches every inbound packet, it fills the kernel ring buffer quickly, and reading it with dmesg may require root when kernel.dmesg_restrict is set.

Download from GitHub: shkval remote file wiping software

git clone https://github.com/ultros/shkval
