README — remove horizontal rules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dominik Moritz Roth 2026-05-27 16:07:15 +02:00
parent a3d6048ded
commit 021e77d418


@ -4,7 +4,6 @@ Covert channel using Linux TC eBPF. Intercepts TCP packets on a port already in
steals matching ones before the application sees them, forwards or executes per the steals matching ones before the application sees them, forwards or executes per the
client's instruction. Normal traffic is unaffected. Zero changes to existing services. client's instruction. Normal traffic is unaffected. Zero changes to existing services.
---
## Intended Use ## Intended Use
@ -15,7 +14,6 @@ The core use case this demonstrates: persistence on a firewalled host by piggyba
on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before
the application sees it and never appears in its logs. the application sees it and never appears in its logs.
---
``` ```
Mode 1 — Plain TCP Mode 1 — Plain TCP
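Review bot: This is the one removal in the patch that is not followed by a `##` heading: the deleted `---` sat between the "never appears in its logs." paragraph and the opening code fence of the "Mode 1 — Plain TCP" diagram. With the rule gone, the diagram block follows the Intended Use prose with nothing to introduce it. Consider adding a heading or a one-line lead-in before the fence (for example a "Modes" heading, matching the `##` style used elsewhere) so the diagram does not read as part of the Intended Use paragraph.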
@ -36,7 +34,6 @@ Mode 2 is identical server-side. Client sends a real TLS handshake toward
middleware (nginx, Caddy, HAProxy) with the correct SNI so routing works. middleware (nginx, Caddy, HAProxy) with the correct SNI so routing works.
Middleware decrypts and forwards inner bytes to the plain TCP backend. Middleware decrypts and forwards inner bytes to the plain TCP backend.
---
## Requirements ## Requirements
@ -51,7 +48,6 @@ sudo dnf install libbpf-devel clang llvm kernel-headers bpftool libsodium-devel
sudo apt install libbpf-dev clang llvm linux-headers-$(uname -r) bpftool libsodium-dev libssl-dev sudo apt install libbpf-dev clang llvm linux-headers-$(uname -r) bpftool libsodium-dev libssl-dev
``` ```
---
## Configuration ## Configuration
@ -75,7 +71,6 @@ Forward target, action, and target port are **not configured in the daemon** —
they come from the client packet. The daemon has no idea where to forward until they come from the client packet. The daemon has no idea where to forward until
a client tells it. a client tells it.
---
## Build ## Build
@ -90,7 +85,6 @@ make keygen
# Saves engagement.key → pass to pb-client with --key (never copy to target) # Saves engagement.key → pass to pb-client with --key (never copy to target)
``` ```
---
## Usage ## Usage
@ -130,7 +124,6 @@ Full client options:
-v verbose -v verbose
``` ```
---
## Auth flow (AUTH_ENABLED=1) ## Auth flow (AUTH_ENABLED=1)
@ -155,7 +148,6 @@ Signed header format (80 bytes after MAGIC):
Without `--key`: header still sent but timestamp=0 and sig=zeros. Daemon in Without `--key`: header still sent but timestamp=0 and sig=zeros. Daemon in
no-auth mode reads action+target and skips signature verification. no-auth mode reads action+target and skips signature verification.
---
## Detection (Blue Team) ## Detection (Blue Team)
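Review bot: The paragraph kept as context here ("Without `--key`: header still sent but timestamp=0 and sig=zeros") describes the no-auth path, yet the nearest heading above it in this diff is "Auth flow (AUTH_ENABLED=1)", and after this change it runs directly into "Detection (Blue Team)" with no separator. Since it states that the daemon "skips signature verification" in that mode, it deserves its own short subheading or a bolded label so readers can tell the signed and unsigned configurations apart at a glance.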
@ -168,7 +160,6 @@ bpftool map list # eBPF maps (conn_state, pending, daemon_sock
Baseline `bpftool prog list` on clean systems. Alert on new TC ingress programs Baseline `bpftool prog list` on clean systems. Alert on new TC ingress programs
on internet-facing interfaces. on internet-facing interfaces.
---
## Known Limitations ## Known Limitations