Hello friends, first of all, if this topic isn't in the right section please move it.. 10x
As the topic says.. is it possible? I know that in the latest version of Hacker defender there is an option that hides separate ports but not a range of ports... I would like to know if there is any tool that hides a range of ports or could it be done...
10x 4 the helpers
T3cHn0b0y
Jan 2 2004, 03:55 PM
I have read about a registry tweak that can expand the ephemeral port range to any number specified. This means you could have a port 70000 open and nobody would know it because most scanners only scan to 65535.
Then again, I don't know if this is actually possible because - 1. I've never tried it and 2. I thought that 65535 might have been the greatest number you can send in 2 bytes of data. (1+2+4+8+16+32+64+128+256+512+1024+2048+4096+8192+16384+32768)?
Hmm...maybe I'll read up on it again and try it out.
realmasterX
Jan 2 2004, 05:22 PM
May you post this tweak?
UnDeRTaKeR
Jan 2 2004, 06:35 PM
No man, I need a range of ports to be hidden in a maximum of 65535
vnet576
Jan 2 2004, 06:46 PM
It is possible...you associate a service name for a port..hence the host will think the port is a valid windows port. You can give it the name HTTP, microsoft-ds, or anything you want.
In windows\system32\drivers\etc or winnt\system32\drivers\etc there is a file called services. In that file you will see names that are associated with ports. Let's say you want port 37000 to have the name microsoft-ds. Add the following line:
CODE
microsoft-ds 37000/tcp
So when I type in nc -L -vv -p 37000 in my system..netstat lists the port as microsoft-ds rather than 37000.
netstat -a
TCP home-7hqkh9el41:microsoft-ds home-7hqkh9el41:0 LISTENING
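A defender can audit the services file for the renaming described in the post above. The following is an added example, not part of the original thread: the baseline table is a small hand-picked subset of well-known assignments, and the sample file (including the `backup-agent` name) is constructed for illustration.

```python
import re

# Small baseline of IANA well-known assignments (name -> port); extend as needed.
BASELINE = {"http": 80, "https": 443, "microsoft-ds": 445, "netbios-ssn": 139,
            "epmap": 135, "ftp": 21, "telnet": 23, "smtp": 25}

# services line: <name> <port>/<proto> [aliases...] [#comment]
ENTRY = re.compile(r"^\s*([^\s#]+)\s+(\d+)/(\w+)([^#]*)")

def audit_services(text):
    """Return (line_no, name, port, proto, reason) for suspicious entries."""
    findings, seen = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw)
        if not m:
            continue  # blank line or comment
        port, proto = int(m.group(2)), m.group(3).lower()
        names = [m.group(1).lower()] + m.group(4).lower().split()
        for name in names:
            if name in BASELINE and BASELINE[name] != port:
                findings.append((line_no, name, port, proto,
                                 "well-known name on non-standard port"))
            elif seen.get((name, proto), port) != port:
                findings.append((line_no, name, port, proto,
                                 "name already mapped to another port"))
            seen.setdefault((name, proto), port)
    return findings

# Constructed sample, modelled on the edit described in the thread.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
http              80/tcp    www www-http   #World Wide Web
microsoft-ds     445/tcp
microsoft-ds     445/udp
microsoft-ds   37000/tcp
backup-agent    9100/tcp
backup-agent    9200/tcp
"""

if __name__ == "__main__":
    for finding in audit_services(SAMPLE):
        print(finding)
```

Both checks are heuristics; numeric output such as `netstat -an` bypasses the name mapping entirely and is the more reliable view.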
Orangey
Jan 2 2004, 08:00 PM
Great Tips VNet
Definitely a Neat Trick
SlippyG
Jan 3 2004, 02:55 AM
QUOTE (UnDeRTaKeR @ Jan 2 2004, 03:32 PM)
I would like to know if there is any tool that hides a range of ports or could it be done...
I don't know exactly what you are trying to do or why, so it's hard to get specific.
As mentioned, you could just name the port. This won't fool packet logging, firewalls, third party socket enumeration or anyone doing netstat with the -n option etc. So, the question remains, exactly WHO or WHAT are you hiding the port from.
As a basic example, let's imagine the user is running a basic common firewall (like ZA). It has a list of all socket using processes and open ports. It also NUMBERS them; so simple naming, although it may confuse some people, is unlikely to confuse those too weak to know netstat or strong enough to use netstat's options. But, that's still a lot of people I guess.
To truly hide a socket from netstat one can either:
1) Filter netstat's output through an intermediate program (Fake telnet calls real telnet passing on any options, collects output of real telnet by calling it with redirected streams, and returns the output line by line but omitting any lines fitting the criteria). Said program is very simple to write in C and would either replace or wrap original telnet. I seem to remember a short Dr. Dobbs Journal article on calling a console mode program from C with redirected iostreams.
2) For the more adept coder one could tamper with the actual objects being returned in the enumeration. This can involve simply shimming the existing API or shimming core DLLs related with returning MIBs.
However, to truly hide a socket on a windows system it is important NOT to use a socket in the first place. Depending on how well you wish to hide the communication you can either:
3) Ignore the winsock API function and instead originate the communication from inside the stack (Using the Service Provider Interface)
4) Base your code around NDIS and the Miniport drivers and incorporate your own micro-stack into your code. Of course, such a stack wouldn't have to be fully featured but could even constitute your own proprietary protocol (making it useful for sneaking past firewall ACLs or an IDS located beyond the local machine); for example, it could be made to resemble CDP packets or use SYNs in a nonstandard way.
I know of several different approaches that other people have taken in this regard but it's always involved coding at one level or another. I've never seen public tools that do the job correctly.
Perhaps if you have a specific scenario in mind there may be a more direct course of action. As I said, it all boils down to WHO or WHAT you wish to hide ports from.
Hey, that's probably not the answer you wanted. But it's an answer
SG
krackatoa
Jan 3 2004, 04:26 AM
Root kits such as the one made by Aphex have the ability to hide ports and processes from the user explorer Interface. File searches, Netstat -an, and task manager will not display the information once hidden.
It does work and I have tested it extensively. Even when you are connected remotely, the port filtered does not show up. You can filter by protocol as well.
Google for it, but be aware it is flagged by AV unless you take measures to mask it
UnDeRTaKeR
Jan 3 2004, 10:13 PM
QUOTE (krackatoa @ Jan 3 2004, 04:26 AM)
Root kits such as the one made by Aphex have the ability to hide ports and processes from the user explorer Interface. File searches, Netstat -an, and task manager will not display the information once hidden.
It does work and I have tested it extensively. Even when you are connected remotely, the port filtered does not show up. You can filter by protocol as well.
Google for it, but be aware it is flagged by AV unless you take measures to mask it
You didn't even notice what I said! I said a range of ports!!! And yes, I know that kind of root kit but it hides single ports as I said! In my opinion you just posted for nothing... sorry...
SlippyG
QUOTE
Hey, that's probably not the answer you wanted. But it's an answer
l0l! Yea, you were right... it's not the answer I wanted... :\
vnet576, very good tip, it will help me in another thing, but you didn't help me either
BTW I'm trying to hide a range of ports of an xdcc bot on my computer so that my father wouldn't notice by using netstat/fport, and yes he knows fport!
And I thought about a generator that will make the whole numbers of a range (for example: for the range 1000-4000 the generator will generate 1000,1001,1002....3998,3999,4000, understood?) and I will put it in the conf of the root kit... but there isn't a limitation that the root kit can handle?
10x 4 all the helpers
Illu-OSFXP
Jan 4 2004, 12:53 AM
Don't have anything of any use for you undertaker, but that was a pretty lame post you just made, krackatoa was only trying to help, if you can't be thankful for people helping, don't ask in the first place.
netranger
Jan 4 2004, 02:35 AM
Hi, yep, I can hide a range of ports from netstat but from fport.. hmm will see only netstat ) If you want I can post the code and you can compile it by yourself, adding the ports you want to hide. Just PM me. But I don't know for fport...
UnDeRTaKeR
Jan 4 2004, 10:06 PM
QUOTE (Illu-OSFXP @ Jan 4 2004, 12:53 AM)
Don't have anything of any use for you undertaker, but that was a pretty lame post you just made, krackatoa was only trying to help, if you can't be thankful for people helping, don't ask in the first place.
I said he just posted for nothing and I apologized (or how it's called) to him...
QUOTE
In my opinion you just posted for nothing... sorry...
What would happen if people were posting for nothing?! It's not the issue as I said in the main post...
netranger - 10x for the help but I could easily fake netstat if I'll just replace it.. the real problem is fport :\, but it would be nice of you to send me the code man
thotho
Jan 5 2004, 06:46 AM
very nice thanks
UnDeRTaKeR
Jan 6 2004, 07:36 PM
any ideas?
GhostCow
Jan 6 2004, 08:21 PM
I guess vnet's tip can be taken into consideration... it would take a lot of work but you can make a batch file to echo into 'services' everything you need automatically... there's no easy way out of this one undertaker...
If you actually want them HIDDEN, so they won't be shown open, you can just start masking port by port in HXDEF, there's no automatic generator that I know of...
jak3c
Jan 6 2004, 08:29 PM
Hello! I'm not sure the number of a port can be above 65535. The data structure of the socket (a socket is needed to be a server) is coded on a little variable allowing the max number of a port to be 65535. So any server can listen on a port number above 65535.....
Seems not to be possible!
vnet576
Jan 6 2004, 08:53 PM
Never say something is impossible..here are screenshots detailing it working..how or why it worked I don't know. But the screenshots are there...On one remote machine I uploaded netcat and set it listening on port 87000. On my home machine I then connected to that machine using port 87000. The reason that I tried this is because a friend of mine kept setting his listening port for the dameware exploit to be 67000. When he mentioned that I tried to remind him that the port doesn't exist, but apparently it worked for him...so that's what gave me the idea to try it on my own. Also the port is not visible in netstat or fport.
GhostCow
Jan 6 2004, 09:21 PM
C:\Documents and Settings\Administrator>nc -l -vv -p 87000 -e cmd.exe
listening on [any] 21464 ...
I checked netstat and it shows a legit connection to 21464 ... guess it doesn't work after all
JdEeZy
Jan 7 2004, 02:01 AM
QUOTE
C:\Documents and Settings\Administrator>nc -l -vv -p 87000 -e cmd.exe
listening on [any] 21464 ...
I checked netstat and it shows a legit connection to 21464 ... guess it doesn't work after all
Don't use the -vv and it will work fine. Just tried it and it worked.
noam
Jan 30 2004, 12:31 AM
I checked that... if you add 65536 to every port listening on the computer you will get the same port, meaning that 87000 is actually 21464. If you set nc to listen on port 87000 you can still connect to 21464, and of course fport shows 21464 listening. You can also add another 65536 and it will still be the same: set nc to 21464 and connect to 152536 and see the magic ;]
SlippyG
Apr 29 2004, 06:07 AM
QUOTE (noam @ Jan 30 2004, 12:31 AM)
If you add 65536 to every port listening on the computer you will get the same port, meaning that 87000 is actually 21464..
Heh, should hardly surprise anyone here, especially considering the source and destination port fields in the header are both 16 bits wide.
All you're seeing is a simple programming choice. If the number is too big you either AND 0xFFFF (trim it to 16 bits) or you kick up an error and try to make the user look stupid; the coders elected for the former in this instance.
SG
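The 16-bit truncation explained in the post above matters when triaging a host: a port number above 65535 recorded in a command line corresponds to an ordinary listener that numeric netstat output does show. The following is an added example, not part of the original thread; the command lines and netstat output are constructed samples and the function names are hypothetical.

```python
import re

def strict_port(value):
    """Parse a port the strict way: anything outside 1-65535 is an error."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port

def effective_port(value):
    """Port a lenient tool ends up using: only the low 16 bits survive."""
    return int(value) & 0xFFFF

LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
PORT_ARG = re.compile(r"(?:^|\s)-p\s+(\d+)")

def listening_ports(netstat_text):
    """Collect TCP listener ports from `netstat -an` style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def correlate(command_lines, netstat_text):
    """Map each requested -p value to the listener it really produced."""
    open_ports = listening_ports(netstat_text)
    rows = []
    for cmd in command_lines:
        for requested in PORT_ARG.findall(cmd):
            actual = effective_port(requested)
            rows.append((int(requested), actual, actual in open_ports))
    return rows

# Constructed samples: command lines as a process log might record them,
# and matching `netstat -an` output.
COMMANDS = ["nc -l -p 87000", "nc -l -p 152536", "nc -l -p 37000"]
NETSTAT = """\
  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:21464    0.0.0.0:0    LISTENING
"""

if __name__ == "__main__":
    for row in correlate(COMMANDS, NETSTAT):
        print(row)
```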
jimmy
Apr 29 2004, 06:17 AM
hackerdefender source code if available, just edit it that you can also enter a range of ports ...
LKM
Apr 29 2004, 12:58 PM
vn576 > Modify the attached picture, it shows the remote ip !
Anyway, thanks for this example.
Hunter
May 1 2004, 04:36 PM
You can also put something like these in your hackerdefender ini: