Posts

Backdoor initramfs and Make Your Rootkit Persistent

In the last post I explained how to hide Linux processes with an LKM rootkit. As you might know, Linux kernel modules are not persistent; that means that you have to insert your module each time your system goes through a reboot.

“But how the heck do I have modules loaded at startup? Is lsmod bullshitting me?” you might be asking.

The short answer: “initramfs”

The long answer is, well, longer and needs some explanations first.

(...)

Hiding Processes for Fun and Profit

I’ve recently been interested in Linux rootkits, and it turns out that behind that sexy name lie simple C programs. Being curious, I started looking for publicly available rootkits and tried to compile them to see how they work: too bad! Most of the rootkits I came across were written for Linux versions 2.x and 3.x, and I am running version 4.8… That meant that the code and data structures had changed heavily since then, and there was little to no documentation on the subject! So I dug through the sources of the Linux kernel and tried to figure out how things worked.

(...)

Setting up Tacacs+ With LDAP authentication

Working with multiple pieces of network equipment is a task that every network administrator has faced, and if you are one yourself, you are probably convinced by now that using multiple passwords, or a single shared one, isn’t the brightest idea.

Tacacs+ is a proprietary protocol developed by Cisco to provide the AAA functions: Authentication, Authorization and Accounting. I won’t go through the details of the protocol as it’s not the purpose of this guide, but if you want to know more about it, you can find interesting links at the end of this article.

(...)