README — remove horizontal rules
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
a3d6048ded
commit
021e77d418
@ -4,7 +4,6 @@ Covert channel using Linux TC eBPF. Intercepts TCP packets on a port already in
|
||||
steals matching ones before the application sees them, forwards or executes per the
|
||||
client's instruction. Normal traffic is unaffected. Zero changes to existing services.
|
||||
|
||||
---
|
||||
|
||||
## Intended Use
|
||||
|
||||
@ -15,7 +14,6 @@ The core use case this demonstrates: persistence on a firewalled host by piggyba
|
||||
on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before
|
||||
the application sees it and never appears in its logs.
|
||||
|
||||
---
|
||||
|
||||
```
|
||||
Mode 1 — Plain TCP
|
||||
@ -36,7 +34,6 @@ Mode 2 is identical server-side. Client sends a real TLS handshake toward
|
||||
middleware (nginx, Caddy, HAProxy) with the correct SNI so routing works.
|
||||
Middleware decrypts and forwards inner bytes to the plain TCP backend.
|
||||
|
||||
---
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -51,7 +48,6 @@ sudo dnf install libbpf-devel clang llvm kernel-headers bpftool libsodium-devel
|
||||
sudo apt install libbpf-dev clang llvm linux-headers-$(uname -r) bpftool libsodium-dev libssl-dev
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Configuration
|
||||
|
||||
@ -75,7 +71,6 @@ Forward target, action, and target port are **not configured in the daemon** —
|
||||
they come from the client packet. The daemon has no idea where to forward until
|
||||
a client tells it.
|
||||
|
||||
---
|
||||
|
||||
## Build
|
||||
|
||||
@ -90,7 +85,6 @@ make keygen
|
||||
# Saves engagement.key → pass to pb-client with --key (never copy to target)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Usage
|
||||
|
||||
@ -130,7 +124,6 @@ Full client options:
|
||||
-v verbose
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Auth flow (AUTH_ENABLED=1)
|
||||
|
||||
@ -155,7 +148,6 @@ Signed header format (80 bytes after MAGIC):
|
||||
Without `--key`: header still sent but timestamp=0 and sig=zeros. Daemon in
|
||||
no-auth mode reads action+target and skips signature verification.
|
||||
|
||||
---
|
||||
|
||||
## Detection (Blue Team)
|
||||
|
||||
@ -168,7 +160,6 @@ bpftool map list # eBPF maps (conn_state, pending, daemon_sock
|
||||
Baseline `bpftool prog list` on clean systems. Alert on new TC ingress programs
|
||||
on internet-facing interfaces.
|
||||
|
||||
---
|
||||
|
||||
## Known Limitations
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user