44 changes: 44 additions & 0 deletions src/linux-hardening/linux-post-exploitation/README.md
@@ -150,12 +150,56 @@ Hardening
- Overwrite the in-memory `argv[0]` buffer after reading `/proc/self/cmdline` length and the `argv[0]` pointer, padding with NULs so `/proc/<pid>/cmdline` and `ps` also show the fake label.
- Hunt by comparing `Name:` in `/proc/<pid>/status` against the real executable path and looking for loopback mutex listeners owned by processes with tiny/blank cmdlines.

## Kernel-resident passive backdoors via BPF (BPFDoor-style)

Some Linux backdoors avoid exposing any listening port by attaching a malicious **BPF socket filter** to a raw or packet socket. The implant stays passive, inspects inbound traffic in the kernel path, and only spawns a bind/reverse shell when a controller sends the correct trigger. This means `netstat`, `ss`, and `nmap` can look normal until activation.

Common tradecraft patterns:

- **Split implant/controller model**: the implant only filters traffic and executes the next stage; a separate controller crafts the activation packet and drives the shell.
- **HTTPS-hidden trigger delivery**: newer variants can hide the activation bytes inside normal-looking HTTPS requests so the trigger survives reverse proxies, load balancers, and TLS termination paths.
- **Fixed-offset "magic ruler" checks**: instead of fully parsing HTTP, the controller pads data so a marker such as `9999` lands at a predictable offset. Rapid7 observed `26`-byte rulers with `SOCK_DGRAM` and `40`-byte rulers with `SOCK_RAW`.
- **ICMP relay/control traffic**: compromised hosts can forward commands inside crafted ICMP payloads. A sentinel such as `0xFFFFFFFF` can be used as a "final destination / do not forward" marker.
- **Protocol-aware filtering**: filtering unusual transports such as SCTP moves the implant closer to telecom signaling traffic instead of normal enterprise TCP services.
- **Masquerading**: combine the trapdoor with the `prctl`/`argv[0]` process renaming tricks from the previous section and with daemon-looking PID or lock files.

Practical hunt from a live host:

```bash
# Raw/packet sockets and attached filters
ss -0pb | egrep -i 'packet|raw'
cat /proc/net/packet

# Map suspicious PIDs to their real executable and cmdline
for p in /proc/[0-9]*; do
exe=$(readlink "$p/exe" 2>/dev/null)
cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
[ -n "$exe" ] && printf "%s | %s | %s\n" "${p##*/}" "$exe" "$cmd"
done | egrep -i 'agetty|smartd|init|dockerd|hpas'

# Common environment markers and deleted/fileless execution
grep -aHE 'HOME=/tmp|HISTFILE=/dev/null' /proc/[0-9]*/environ 2>/dev/null
find /proc/[0-9]*/exe -lname '*deleted*' -ls 2>/dev/null

# Mutex / pid artifacts often used to prevent double execution
find /var/run /run -maxdepth 1 -type f \( -name '*.pid' -o -name '*.lock' \) \
-size 0c -printf '%m %p\n' 2>/dev/null

# Persistence paths worth checking after finding a suspicious PID
grep -RInE 'iptables|bpfd|dockerd|hpas|/dev/shm|/var/tmp|/tmp/' \
/etc/systemd /etc/init.d /etc/rc*.d /etc/cron* 2>/dev/null
```

If the host supports `bpftool`, also baseline legitimate BPF usage. Unexpected packet filters, raw sockets, or process names that do not match the backing executable are strong post-exploitation signals even when no listening port is visible.

## References

- [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
- [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)
- [Rapid7 Labs - BPFdoor in Telecom Networks: Sleeper Cells in the Backbone](https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/)
- [Rapid7 Labs - Linux BPFDoor Detection Script](https://github.com/rapid7/Rapid7-Labs/tree/main/BPFDoor)

{{#include ../../banners/hacktricks-training.md}}
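Review bot: the PID loop in the hunt script never performs the comparison the surrounding text promises ("process names that do not match the backing executable"); it only prints entries whose exe or cmdline match a fixed list, and `init` in `egrep -i 'agetty|smartd|init|dockerd|hpas'` also matches `/sbin/init`, `initrd` and most `*.d` paths, so the output is both incomplete and noisy. Suggest doing the mismatch check inside the loop, e.g. `comm=$(cat "$p/comm" 2>/dev/null)` followed by `[ -n "$exe" ] && [ "${exe##*/}" != "$comm" ] && printf "%s | %s | %s | %s\n" "${p##*/}" "$exe" "$comm" "$cmd"` (with a fallback to the first cmdline token, since `comm` is truncated to 15 characters), which is exactly the `prctl`/`argv[0]` renaming the previous section describes; the fixed-name grep can stay as a second, narrower pass with `init` removed. Two smaller points: the `/proc/[0-9]*/environ` and `/proc/[0-9]*/exe` checks silently return nothing for other users' processes unless run as root, which is worth stating above the block so an empty result is not read as a clean host; and the closing sentence about `bpftool` should name the command (`bpftool prog list` / `bpftool net list`) and say whether it is expected to show the classic socket filters that `ss -0pb` already reports, otherwise readers may conclude that an empty `bpftool` listing means no filter is attached.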