Can hackers hide their info from netstat

0 votes
I’m currently learning about network security, and I know that the netstat command can be used to display active connections on a machine. However, I’m curious if a hacker can hide their network activity from being shown in netstat. For instance, if someone gains unauthorized access to a server, is there a way for them to remain hidden and avoid detection via netstat?

Are there any techniques or tools that attackers can use to obscure their connection information? I’d like to understand how this might be achieved and what defense mechanisms exist to detect such hidden activity.
Oct 21 in Cyber Security & Ethical Hacking by Anupam
• 3,890 points
38 views

1 answer to this question.

0 votes

Yes, attackers can hide their network activity from tools like netstat using various techniques and tools.

In order to hide network activity from netstat, an attacker can either:

1. Use a Kernel Rootkit that modifies the kernel's behavior, allowing the attacker to hide processes and network connections from system monitoring tools, including netstat.
2. A rootkit like Adore-ng can be used to completely hide our connection from any monitoring commands like netstat, ps, or lsof.
3. Another way is to replace the netstat binary on the target machine with a compromised version. Here, we can modify the original netstat command to exclude their own connections.
4. So, if an attacker is able to gain access to the target system. They can copy the netstat binary, edit the code to exclude connections associated with their malicious activities, and replace the original binary with the modified one.
5. Now, this new netstat will exclude any connections from the attacker's IP address.

For example, this is what netstat without a backdoor looks like:

netstat -tulnp
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp   0      0    192.168.1.10:5555    attacker_ip:12345   ESTABLISHED 1234/python

And this is how a backdoored netstat looks like:

netstat -tulnp
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp   0      0    192.168.1.10:8080    192.168.1.11:443    ESTABLISHED 6789/apache2

Here, the attacker's connection (on port 5555) is removed from the output which makes it undetectable for the system user.

Now, talking about the defence mechanisms:

1. We can use tools like Tripwire to monitor system files, including binaries like netstat for unauthorized changes.
2. Tools like Wireshark or tcpdump can be used to monitor network traffic at a lower level, bypassing any local manipulations to system tools.

This will allow us to detect and prevent attackers from hiding their activity on the system.

answered Oct 24 by CaLLmeDaDDY
• 3,320 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
0 answers

Can hackers hide their info from netstat?

Can hackers hide their info from netstat? READ MORE

Oct 14 in Cyber Security & Ethical Hacking by Anupam
• 3,890 points
73 views
0 votes
1 answer

Can I determine the current IP from a known MAC Address?

ARP may be used to retrieve an ...READ MORE

answered Feb 20, 2022 in Cyber Security & Ethical Hacking by Edureka
• 12,690 points
623 views
0 votes
0 answers

How can I extract sensitive information from SNMP-enabled devices?

I’m interested in understanding how to retrieve ...READ MORE

Nov 6 in Cyber Security & Ethical Hacking by Anupam
• 3,890 points
23 views
0 votes
0 answers
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 3,320 points
97 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
0 votes
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP