> For the complete documentation index, see [llms.txt](https://antonio-cooler.gitbook.io/coolervoid-tavern/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://antonio-cooler.gitbook.io/coolervoid-tavern/hidden-firewall-in-kernel.md). # Hidden firewall in Kernel ![Art: Alex Horley-Orlandelli](/files/lpu034AF1ueZNGsbHO3r) ### The etymology **The**[ **HiddenWall is a Linux kernel module generator**](https://github.com/CoolerVoid/HiddenWall) for custom rules with Netfilter. (block ports, Hidden mode, firewall functions and soon). So in a bad situation, an attacker can put your iptables/ufw to fall. But if we have HiddenWall, the attacker will not find the hidden kernel module that blocks external access because it has a hook to Netfilter on kernel land(think like a second layer for Firewal. ### The Motivation My beginning purpose in this project is to protect my server, and now it is to protect my friends' machines. When I talk to friends, I say peoples that don't know how to write low-level code. Using HiddenWall, we can generate a custom kernel module for our firewall configuration. The low-level programmer can write new templates for modules soon. A hidden firewall in the form of a loadable kernel module (LKM) can offer several advantages over other types of firewalls. 1. Customization: Because an LKM is a separate piece of code that can be loaded and unloaded from the kernel at runtime, it can be customized and tailored to specific needs. This can be particularly useful for organizations with specific firewall policy requirements, as an LKM can be developed to meet those needs. 2. Modularity: An LKM is a self-contained unit of code that can be loaded and unloaded from the kernel as needed. This makes it easy to add or remove firewall functionality without affecting the rest of the system. 3. Performance: An LKM firewall can offer improved performance over other types of firewalls, as it can make filtering decisions directly within the kernel and has direct access to the network stack. ### The features * Tool to interpret YAML file and generate a C language file "Linux kernel module". * YAML context is a white screen to create your custom firewall in kernel land. Yes is not hard when you use HiddenWall. * The resource to generate the hidden kernel module, yes, is invisible not even the root user can see it. * The resource to turn the Linux kernel module visible, passing a key to enable the context. * **Persistence** [recipe with scripts](https://github.com/CoolerVoid/HiddenWall/blob/master/module_generator/scripts/README.md) to always up HiddenWall when you boot the system. * The resource to[ hide the LKM password](https://github.com/CoolerVoid/HiddenWall/blob/master/module_generator/scripts/README.md#hide-action-of-send-keys-of-password). * Communication by device char (**different from other Rootkits** that use signal and ioctl) * Static **random junk code injection in the generated LKM** turns each binary signature unique during the compilation. ### Proof of concept {% embed url="" %} Example to generate a custom firewall {% endembed %} ### The first step, understand before the run Verify if the kernel version is 3.x, 4.x, or 5.x: ``` $ uname -r ``` Clone the repository ``` $ git clone https://github.com/CoolerVoid/HiddenWall ``` Enter the folder ``` $ cd HiddenWall/module_generator ``` Edit your firewall rules in the directory rules/server.YAML, the python script, use that file to generate a new firewall module. ``` $ cat rules/server.yaml module_name: SandWall public_ports: 80,443,53 unhide_key: AbraKadabra hide_key: Shazam fake_device_name: usb14 liberate_in_2_out: True whitelist: - machine: ip: 192.168.100.181 open_ports: 22,21 - machine: ip: 192.168.100.22 open_ports: 22 ``` If you want to study the static code to generate, look at the content at directory "templates". ### In the second step, generate your module If you want to generate a kernel module following your YAML file of rules, follow that command: ``` $ python3 WallGen.py --template template/hiddenwall.c -r rules/server.yaml ``` This action can generate a generic module with the rules of the server.YAML, if you want to use another template, you can use "wall.c", so the template module "hidden wall" has the option to run on hidden mode(is not visible to "# lsmod" for example). ### In the third step, install your module. If you use Fedora Linux, install kernel packages for the developer: ``` # dnf update # dnf install kernel-headers.x86_64 kernel-modules.x86_64 kernel.x86_64 kernel-devel kmod ``` On Ubuntu Linux: ``` $ sudo apt install linux-headers-generic gcc make ``` To test the module by root: ``` # cd output; make clean; make # insmod SandWall.ko ``` * YAML's rule to generate a module is simple, drop all out to in packets, accept ports 80,443, and 53. The machine 192\*.181 can connect at ports 22 and 21. * If you use Nmap at localhost/127.0.0.1, you can view the ports open because rule liberate\_in\_2\_out is true. * The password to turn Firewall visible is "AbraKadabra". * The password to turn the Firewall invisible is "Shazam". * You need to send the password for your fake device, "usb14". To exit the module, we need to turn visible at the "lsmod" command ... ``` # echo "AbraKadabra" > /dev/usb14 # lsmod | grep SandWall # rmmod SandWall ``` ### Random notes It was tested on ubuntu 16 and fedora 29 at kernels "3.x","4.x" and "5.x". ### The future TODO * Support to IPV6. * Macro to select the interface(to use multiple modes for each interface). * Option to remove last logs when turn hides mode. * Option to search and remove other toolkits. * Code generator for eBPF. ### Point of attention The purpose of this tool is to use in pentest, and take attention if you have proper authorization before using that. I do not have responsibility for your actions. You can use a hammer to construct a house or destroy it, choose the law path, don't be a bad guy, remember. ### References *Wikipedia Netfilter* *Linux Device Drivers* *M0nad's Diamorphine* **Thank you for reading!** **cheers** ![](/files/oahGZnT9mQCB2BJBL6V9) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://antonio-cooler.gitbook.io/coolervoid-tavern/hidden-firewall-in-kernel.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.