EvilZone
Hacking and Security => Beginner's Corner => hack3rcon, September 26, 2015, 05:12:38 PM
-
Hello.
How can I tell whether my Linux box or Windows box is being monitored by others from the local or a remote network? For example, can they see my desktop or read my email?
I know an antivirus on a Windows PC can detect backdoors or other malicious programs, but is it enough? Can you show me some commands to find illegal activities on a Windows PC?
Thank you.
-
You could use Wireshark to check incoming/outgoing connections.
Also watch your CPU usage.
-
I'm not 100% sure, but
in Windows you can see connections via netstat -a in cmd or PS. Also look at the processes running to see if anything odd sticks out, but if you don't know what you're looking for it can be confusing.
In Linux, netstat -antp and maybe route.
As blazed said, you can try Wireshark, and maybe with the right filters you might catch something.
I'm also interested in what others have to say.
-
Wireshark and netstat are good; you can see all outgoing connections with netstat -nputw.
Also check out iftop and jnettop.
-
Haven't used it myself, but tcpdump on Linux looks like another packet analyzer you can use.
-
I use ProcessHacker (http://processhacker.sourceforge.net/) to see what connects where.
-
Monitoring outbound connections using Process Explorer/Hacker should work in all cases.
However, if you have a Ring-0 rootkit lurking in the kernel, it is game over.
You cannot trust any tools for that matter.
For instance, read up on the Hacking Team UEFI BIOS rootkit, which is used to maintain persistence and hide their Remote Control Agent.
The only way to detect such malware is to monitor the network traffic via an IDS and that too from a DIFFERENT device.
For example, you can tunnel all connections through an IDS proxy, which would monitor the traffic for anomalies.
-
All answers are good, but can I block all incoming connections in Windows? I can do it in Linux via iptables, but how about Windows?
-
@hack3rcon:
You would use a firewall on Windows.
-
@hack3rcon:
You would use a firewall on Windows.
For example, must I block ports 1-65535 outbound via the Windows firewall?
-
If you block all ports you're gonna have a bad time...
-
@hack3rcon: Why would you want to block all ports? Install a decent antivirus. You can try Comodo, which has a good firewall.
If you're paranoid, air gap the machine, never ever connect to the Internet from there.
-
If you block all ports you're gonna have a bad time...
Sorry, I meant inbound ports.
-
You're running both Windows & Linux? Hmm...
Haven't used Windows since the XP days, but here's what you can do on Linux.
1) Check all network connections, services that are listening or running. Turn off unused services, etc.
watch -n5 netstat -naultp
lsof -i
watch -n5 ss -al
2) Check if any of your interfaces is running in promiscuous mode (this happens if something is sniffing the network from your computer, like a backdoor or something else running on your computer)
ifconfig -a | grep -i PROMISC
3) Analysing traffic using Wireshark as usual is quite important; your system utilities might be backdoored, but that won't stop Wireshark from capturing and displaying network activity to and from your computer.
4) If your computer is used by more than one user, you might run these to check who is using what, who is logging in remotely from what IP, etc.
w -s -i -f
last
Keep in mind that all these commands need to be run as root (or with root privileges), otherwise they're useless. Also never install any binaries or programs from outside your distro's repository unless you know what you're doing.
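An added example, not from this thread or any poster, that scripts steps 1 and 2 above: it parses "ip -o link" output for the PROMISC flag and "ss -tulpn" output for listening sockets, and flags listeners whose port is not on an allow list. The SAMPLE_* strings are constructed output so it runs offline; the --live mode assumes an iproute2 ip and ss are installed.

```shell
#!/bin/sh
# Added example (not from the thread): scripted form of steps 1 and 2 above.
# Assumes iproute2: "ip -o link" for interface flags, "ss -tulpn" for sockets.
# SAMPLE_* strings are constructed output used when not run with --live.

# Names of interfaces whose flags include PROMISC. Input: "ip -o link" on stdin.
promisc_ifaces() {
    awk '$3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# Listening sockets as "proto port process". Input: "ss -tulpn" on stdin.
listeners() {
    awk '$2 == "LISTEN" || ($1 == "udp" && $2 == "UNCONN") {
        n = split($5, a, ":"); port = a[n]; proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc
    }'
}

# Listeners whose port is not in the space-separated allow list given as $1.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r proto port proc; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$proto $port $proc" ;;
        esac
    done
}

SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      10           0.0.0.0:4444      0.0.0.0:*     users:(("unknown",pid=2231,fd=3))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=700,fd=6))'

if [ "${1:-}" = "--live" ]; then
    ip -o link | promisc_ifaces                 # ss needs root to show other users' process names
    ss -tulpn | unexpected_listeners "22 631 68"
else
    printf '%s\n' "$SAMPLE_LINK" | promisc_ifaces                   # prints: eth0
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 631 68"   # prints: tcp 4444 unknown
fi
```

Run it as root with --live and adjust the allow list to the ports you expect; anything else it prints is worth checking with lsof -i or Wireshark.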
-
Thank you.
In Linux I use iptables for blocking all incoming connections.