[TOOL] DetectCon Detects Hidden Ports

• Previous message: SecuriTeam: "[NT] Microsoft Windows XP RPC Cache Memory Leak Vulnerabiliry"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 6 Jul 2005 13:59:22 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  DetectCon Detects Hidden Ports
------------------------------------------------------------------------

SUMMARY

DETAILS

This is a little program is able to detect if a rootkit is hiding a
certian port from being detected as a port that listens on connection. The
program will only work when the rootkit uses a port based listening
backdoor.

Tool source:
/*
++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you havn't read the one on our site.
 +
+The tools and tutorials KD-Team develops and publishes are only ment for
        +
+educational purpose only.WE DO NOT encourage the use of this tools and
       +
+tutorials for mailicious purpose.We learned a lot during the development
of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completly NO responsability for any damage caused by them nor
       +
+are we or our isp responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++
*/
#include <windows.h>
#include <stdio.h>
#include <Iphlpapi.h>
#include <winsock2.h>

void BindPort();

void main(int argc,char *argv[])
{
 if(argc > 1)
 {
  printf("\t\tDetect Hidden Connections\n");
  printf("\tWritten By: Kd-Team\n");
  printf("\tThis is just a POC to show\n");
  printf("\tHowto detect hidden tcp ports\n");
  printf("\tUsually rootkits hide them\n");
  printf("\tThis DOES NOT WORK WHEN:\n");
  printf("\t\"setsockopt(SO_REUSEADDR)\" is set\n");
  printf("\tRead readme.txt for more info\n");
  printf("\tUsage: %s\n",argv[0]);
  printf("\tWhen this output's ports that netstat doesn't\n");
  printf("\tthat would theoretically be a indication\n");
     printf("\tthat the port is hidden\n");
 }
 else
 {
  BindPort();
 }
}
void BindPort()
{
 WSADATA wsa;
 SOCKET hLstnSock;
 struct sockaddr_in ServAddr;

 if(WSAStartup(MAKEWORD(2,0),&wsa) != 0)
 {
  printf("WSAStartup() failed\n");
 }

 memset(&ServAddr,0,sizeof(ServAddr));
 ServAddr.sin_family = AF_INET;
 ServAddr.sin_addr.s_addr = htonl(INADDR_ANY);

 for(int i=0;i<65536;i+)
 {

  ServAddr.sin_port = htons(i);

  hLstnSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,0,0,0);
  if(hLstnSock == SOCKET_ERROR)
  {
   printf("socket() %d failed\n",WSAGetLastError());
   WSACleanup();
  }

  if(bind(hLstnSock,(struct sockaddr *)&ServAddr,sizeof(ServAddr)) < 0)
  {
   printf("port: %i bind() %d failed\n",i,WSAGetLastError());
   closesocket(hLstnSock);
  }
  else
  {
   //printf("port %i succeeded\n",i); just uncomment this if you wanna
know on what ports the bind succeeded.
   closesocket(hLstnSock);
  }
 }

 WSACleanup();
}

ADDITIONAL INFORMATION

The information has been provided by kd team.
To keep updated with the tool visit the project's homepage at:
<http://www.kd-team.com/> http://www.kd-team.com/

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Microsoft Windows XP RPC Cache Memory Leak Vulnerabiliry"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [UNIX] Solaris Socket Hijack Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By binding a socket with an already binded port number of specific IP ... attackers can hijack an already binded sockets in Solaris. ... A bug with Solaris Kernel flag of SO_REUSEADDR cause the Kernel to accept ... (Securiteam) [EXPL] Quake 3 Buffer Overflow (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... port and exit cleanly with an unsuspicious error message. ... unsigned char ipx; ... int hooklen; // for both sendservercommand and directconnect ... (Securiteam) [TOOL] IRC DCC Connect() Blind Port Scanner ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IRC DCC ConnectBlind Port Scanner ... After waiting a short while for the mIRC client ... (Securiteam) [NT] SLMail Pro Multiple Denial of Service ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The SLMail Pro Web Service running on port 801 is ... int main{ ... (Securiteam) [EXPL] TCP Window Size RST ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... (IP addresses of the peers and port numbers). ... be used to reset any TCP connection once the range of sequence numbers is ... irssi's window size was larger so I figured ... (Securiteam)