From 021e77d4186c87100bbab2ad1c1a7f85cde1ebf7 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Wed, 27 May 2026 16:07:15 +0200 Subject: [PATCH] =?UTF-8?q?README=20=E2=80=94=20remove=20horizontal=20rule?= =?UTF-8?q?s?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- README.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/README.md b/README.md index fc4972c..8bb784c 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,6 @@ Covert channel using Linux TC eBPF. Intercepts TCP packets on a port already in steals matching ones before the application sees them, forwards or executes per the client's instruction. Normal traffic is unaffected. Zero changes to existing services. ---- ## Intended Use @@ -15,7 +14,6 @@ The core use case this demonstrates: persistence on a firewalled host by piggyba on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before the application sees it and never appears in its logs. ---- ``` Mode 1 — Plain TCP @@ -36,7 +34,6 @@ Mode 2 is identical server-side. Client sends a real TLS handshake toward middleware (nginx, Caddy, HAProxy) with the correct SNI so routing works. Middleware decrypts and forwards inner bytes to the plain TCP backend. ---- ## Requirements @@ -51,7 +48,6 @@ sudo dnf install libbpf-devel clang llvm kernel-headers bpftool libsodium-devel sudo apt install libbpf-dev clang llvm linux-headers-$(uname -r) bpftool libsodium-dev libssl-dev ``` ---- ## Configuration @@ -75,7 +71,6 @@ Forward target, action, and target port are **not configured in the daemon** — they come from the client packet. The daemon has no idea where to forward until a client tells it. ---- ## Build @@ -90,7 +85,6 @@ make keygen # Saves engagement.key → pass to pb-client with --key (never copy to target) ``` ---- ## Usage @@ -130,7 +124,6 @@ Full client options: -v verbose ``` ---- ## Auth flow (AUTH_ENABLED=1) 
@@ -155,7 +148,6 @@ Signed header format (80 bytes after MAGIC): Without `--key`: header still sent but timestamp=0 and sig=zeros. Daemon in no-auth mode reads action+target and skips signature verification. ---- ## Detection (Blue Team) @@ -168,7 +160,6 @@ bpftool map list # eBPF maps (conn_state, pending, daemon_sock Baseline `bpftool prog list` on clean systems. Alert on new TC ingress programs on internet-facing interfaces. ---- ## Known Limitations
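Review bot: the "never appears in its logs" claim in the `@@ -15,7 +14,6 @@` Intended Use hunk is not true for Mode 2 as described in the `@@ -36,7 +34,6 @@` hunk: the client sends "a real TLS handshake toward middleware (nginx, Caddy, HAProxy)" which "decrypts and forwards inner bytes to the plain TCP backend", so the TLS-terminating middleware has already accepted the connection and, with default access logging, records it before the TC ingress program on the backend ever sees the inner bytes. Since this patch is already touching that paragraph's surroundings, suggest qualifying the sentence, e.g. "never appears in the backend application's logs (in Mode 2 the terminating middleware still logs the TLS connection)".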
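Review bot: the Detection hunk `@@ -168,7 +160,6 @@` tells defenders to alert on "new TC ingress programs on internet-facing interfaces" but only names `bpftool prog list` and `bpftool map list`, neither of which shows where a program is attached. Consider adding the commands that expose the attachment itself, `bpftool net list` (lists tc/XDP attachments per interface) and `tc filter show dev <iface> ingress`, so the baseline-and-diff advice actually covers the attachment point and not just the loaded objects.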