LittleHacker
Mar 5 2005, 11:12 PM
Well you know it's originally for *nix systems with inetd process.
I think it's possible to have Port Knocking Technique on Win32 too. How?
By a rootkit listening on a default system port (such as 135, 445, ...) and sharing it with SYSTEM. The rootkit can play the role of inetd and still be hidden.
Has anyone tried it before?
White Scorpion
Mar 5 2005, 11:55 PM
Recently I read an article on how port-knocking exactly works, but unfortunately I cannot remember where I'd read it.

I do know however that it is possible to do it on Windows as well. All you need to have is an application which monitors the firewall logs and is able to open / close ports.
I did some googling and I've found something interesting here.
it might prove useful to you
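The log-monitoring approach mentioned in the post above, sketched as an added example that is not code from this thread or from the linked article: it scans firewall log lines for a source address that hits a fixed sequence of closed ports in order within a time window, which is also the pattern a defender would look for when hunting knock traffic in logs. The port sequence, the window, the sample lines and the space-separated field order (modelled on the Windows Firewall log layout) are all assumptions.

```python
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock order
WINDOW = timedelta(seconds=10)       # whole sequence must finish within this

# Constructed sample log lines (not taken from a real system)
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-03-05 23:12:01 DROP TCP 10.0.0.5 10.0.0.1 3012 7000
2005-03-05 23:12:02 DROP TCP 10.0.0.9 10.0.0.1 4100 7000
2005-03-05 23:12:03 DROP TCP 10.0.0.5 10.0.0.1 3013 8000
2005-03-05 23:12:04 DROP TCP 10.0.0.9 10.0.0.1 4101 9000
2005-03-05 23:12:05 DROP TCP 10.0.0.5 10.0.0.1 3014 9000
2005-03-05 23:12:06 DROP TCP 10.0.0.7 10.0.0.1 5000 7000
2005-03-05 23:12:30 DROP TCP 10.0.0.7 10.0.0.1 5001 8000
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a dropped TCP packet, else None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 8 or parts[2:4] != ["DROP", "TCP"]:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return ts, parts[4], int(parts[7])
    except ValueError:
        return None  # malformed timestamp or port: skip the line

def find_knockers(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW):
    """Return (src_ip, time) for each source that completed the sequence in order."""
    progress = {}   # src_ip -> (index of next expected port, time of first knock)
    completed = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, src, port = event
        idx, start = progress.get(src, (0, ts))
        if idx and ts - start > window:
            idx, start = 0, ts                     # too slow: start over
        if port == sequence[idx]:
            idx, start = idx + 1, (ts if idx == 0 else start)
        else:                                      # wrong port resets progress,
            idx, start = (1, ts) if port == sequence[0] else (0, ts)
        if idx == len(sequence):
            completed.append((src, ts))            # caller decides what to open
            idx = 0
        progress[src] = (idx, start)
    return completed
```

On the sample, 10.0.0.9 is rejected for knocking out of order and 10.0.0.7 for exceeding the window, so only 10.0.0.5 is returned.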
LittleHacker
Mar 6 2005, 12:12 AM
The idea of monitoring firewall logs is cool and easy (I think).
Thanks.
But I don't know if it's possible to monitor all firewalls' logs. Maybe only the most famous.
Anyway, this paper used packet filtering.
White Scorpion
Mar 6 2005, 10:59 AM
Well, the best way would be to write your own firewall, since then you can have full control over the logs / firewall. I know this would be a more difficult task, but surely not impossible...
That is the main reason, I think, why it is more often used on *nix, since the firewall itself is open source as well and therefore easier to control...
LittleHacker
Mar 6 2005, 06:34 PM
Yes, writing a firewall is not easy.
And it may help to detect the backdoor by blocking some proggies.
myth
Mar 6 2005, 08:39 PM
Hey
Port Knocking is a great idea. I love it. /me will implement this, and bring it up in other discussions ... Very cool idea...
As for the actual firewall, will have to look into this, but I need to work on dynamic firewall settings as well, a lot of work to do... (i.e. if you're DoS'ing me, my firewall will block those packets... or the firewall will block ports, etc.)