Closed corefx closed 5 years ago
Hello, it is nice to see you here again.
So, look at this line:
https://github.com/f0rb1dd3n/Reptile/blob/master/rep_mod.c#L911
I commented in the code the part that is filtering by port, and it is using just the IP address. Then, all connections to this IP will be hidden. I did it intentionally, because if the IP address is the attacker's, in most cases the attacker will want all connections from your attack machine hidden.
That's why I put this comment on the wiki:
Note: By default, the TCP and UDP hiding features are hiding all connections to an IP and disregarding PORT. If you really want to hide specific connections considering PORT, go to the code and uncomment it on an if statement.
But if you still want to hide specific connections filtering by port, you need to uncomment that line (and the same in udp4_seq_show).
Hello, thanks for the reply. Closing.
Does the hiding function continue to work after the attacker disconnects? Sometimes an attacker may deploy some reverse backdoor on the victim. Would it be possible to hide all connections to a hidden process?
Hello, there is an open (not hidden) ssh connection but netstat and lsof won't show it.

```
root@test:/root# lsof -i -n -P
COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 820 root 6u IPv4 12392 0t0 UDP :68
sshd     986 root 3u IPv4 14641 0t0 TCP :22 (LISTEN)
sshd     986 root 4u IPv6 14650 0t0 TCP *:22 (LISTEN)
root@test:/root# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0      0      0.0.0.0:22    0.0.0.0:        LISTEN
tcp6  0      0      :::22         :::             LISTEN
```

I think that the following commits are causing the problem:
https://github.com/f0rb1dd3n/Reptile/commit/94f0d11b538f171b1fa965915ccdcfc8927bab26
https://github.com/f0rb1dd3n/Reptile/commit/a905a8f8286bfd73eae5c4931b2aa74be6facd9e
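
A defender's cross-view check for the kind of hiding discussed in this thread, as an added example that is not from the thread or from the Reptile project. The thread names `udp4_seq_show`; the `*_seq_show` functions format `/proc/net/tcp` and `/proc/net/udp`, which `netstat` reads, so a connection filtered there can still show up in a listing gathered over netlink (for example `ss -H -t -a -n -4`), assuming that path is not filtered too. The sample inputs are constructed, the function names are hypothetical, and the parser assumes IPv4 on a little-endian host.

```python
import socket

# Constructed sample: /proc/net/tcp on a host where one connection is filtered out.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14641 1 0000000000000000 100 0 0 10 0
"""
# Constructed sample: `ss -H -t -a -n -4` output from the same host (documentation-range IPs).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51514
"""

def _hex_endpoint(field):
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp (address bytes reversed on little-endian)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return {(local_ip, local_port, remote_ip, remote_port)} from the procfs view."""
    conns = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 4:
            conns.add(_hex_endpoint(parts[1]) + _hex_endpoint(parts[2]))
    return conns

def _text_endpoint(field):
    ip, port = field.rsplit(":", 1)
    return ip, 0 if port == "*" else int(port)  # ss prints '*' for "any port"

def parse_ss(text):
    """Return the same tuple set from headerless, numeric IPv4 `ss` output."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            conns.add(_text_endpoint(parts[3]) + _text_endpoint(parts[4]))
    return conns

def hidden_from_proc(proc_text, ss_text):
    """Connections present in the netlink view but absent from /proc/net/tcp."""
    return sorted(parse_ss(ss_text) - parse_proc_net_tcp(proc_text))
```

On a live host the two views are read at slightly different times, so a short-lived connection can appear in only one of them; repeat the comparison before treating a difference as a finding.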