RE: Hidden Ports

From: Dimitri Bertolami (Dimitri_at_staf.pi.be)
Date: 02/06/04

    To: <security-basics@securityfocus.com>
    Date: Fri, 6 Feb 2004 20:50:50 +0100
    
    

guys and gals,

I'll explain a bit more about this one ..

what most trojans nowadays use as technique is a very basic, very simple sniffer; once you have built your own sniffer you can set it to listen to a certain type of packet, and ONLY if that type of packet is detected you can trigger just about anything you please.

most hackers use small tricks that will force you to kill your system many times before you find the actual process, like renaming their backdoor to winmgnt.exe, lsass.exe, svchost.exe etc., so you'll have to kill your system many times before you can find the actual process to which it is bound. (if you're really lucky the coder of the backdoor used a function that always requests the same process ID (PID), so look for the same PID after rebooting, but any person with C++ skills can change the original code to fit its needs...)
so far for the part of backdoor; rootkits are completely different than a simple backdoor.
the most basic backdoor = netcat: (nc.exe -L -d -p 55 -v -vv -e cmd.exe) and you have a ready to use telnet server. (cmd.exe is bound to port 55 in this case)
but everyone can connect to it, and do the same as what you can. if you want to check out one of the first backdoors with authentication method built in (and some other small things extra) check out winshell 5.0
download:
http://www.yanbing.org/software.htm
info:
http://www.megasecurity.org/trojans/w/winshell/Winshell5.0.html

btw, if you want to test the "port connecting", use simple good old netcat:
nc 10.0.0.1 20-25
will try to connect from port 1 to 100, and in this case

    C:\tools>nc 10.0.0.1 1-100
    220 Serv-U FTP Server v4.1 for WinSock ready...
    ^C

    it catches my FTP server on port 21 ;)

this should get you started on how easy it actually is to accomplish what you want once you know why hackers use certain tools. there's not much "building" of anything, it's just using tools to their limit, and if you need something else look for what you need in google.

    quote:
    -------------------------------------------
    >>>Some tools also look for
    >connections to ports in certain order (eg, the same host contacts port
    >80, port 22 and then port 443 within a few seconds). <<

    Right. This is called port knocking.
    -------------------------------------------
if you want to test this particular thing out yourself, grab scanline from foundstone
https://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/scanline.htm

that should already scan for all the ports listed in your question in one simple command.

    quote:
    ------------------------------------------
    >Wouldn't you be able, in say, Windows 2000, to see the Process running
    which would be looking for this sequence?
    >

    Perhaps a less-well-designed trojan might actually open the ports, then
    start a timer when the first port is knocked. Given such tools as fport and
    (my favorite) openports, you would be able to see the process that had
    opened this combination of ports.
    -------------------------------------------

as I said we're not talking about opening ports until a trigger sequence (however you like it) is activated in the "sniffer" part of the backdoor.

    quote: (david)
    -------------------------------------------
    Not necessarily. These tools are often part of a rootkit, which would
    naturally hide itself. In fact, they usually load as part of the OS
    kernel, and not as a process.
    -------------------------------------------
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
(text below taken from the site)
Idea
----
Main idea of this program was to use API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change this result in specific cases.
Program must be absolutely hidden for all others. Program installs hidden backdoors and register as hidden system service.
--
meaning, you really honestly don't see the 500 connections to port 21 on your hidden FTP Server, because according to your "rewritten" kernel there simply aren't any of these services or ports in use. you can consider a rootkit like an Evil MS patch (from hackers): MS patches the correct way, rootkits patch the wrong way. but a patch is a patch and windows won't recognise the patch as "not" being a part of its own architecture once it's installed.
    any questions, feel free to ask..
    Cheers,
    Dimitri
    -----Original Message-----
    From: H Carvey [mailto:keydet89@yahoo.com]
    Sent: vrijdag 6 februari 2004 14:58
    To: security-basics@securityfocus.com
    Subject: Re: Hidden Ports
    In-Reply-To: <008701c3ebb4$8777ec90$2a067ece@dell16>
    >>>Some tools also look for
    >connections to ports in certain order (eg, the same host contacts port
    >80, port 22 and then port 443 within a few seconds).  <<
    Right.  This is called port knocking.
>Wouldn't you be able, in say, Windows 2000, to see the Process running
>which would be looking for this sequence?
>

I'd be interested to hear how you would go about doing this. Yes, assuming there are no (DKOM-style, DLL injection, etc.) rootkits installed, you should be able to enumerate running processes. But how would you go about locating the process that had hooked the IP stack in order to listen for that combination? After all, assuming it were properly designed, you wouldn't have to actually open a port. Perhaps you'd need to include the WinPcap drivers or something similar, but hooking the stack and looking for the right combinations of knocks (ie, "shave and a haircut") shouldn't be too awfully difficult.

Perhaps a less-well-designed trojan might actually open the ports, then start a timer when the first port is knocked. Given such tools as fport and (my favorite) openports, you would be able to see the process that had opened this combination of ports.
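The thread's point is that a sniffer-based trigger never opens a listening port, so host-side tools such as fport or openports have nothing to show; the knock sequence ("the same host contacts port 80, port 22 and then port 443 within a few seconds") is only visible on the network side, in firewall or sensor logs. The following is an added example, not code from the thread or from any tool it mentions: it reads constructed, simplified firewall-style log lines (timestamp, source IP, destination IP, destination port; the format is an assumption made for the example) and reports every source host that hits a configured port sequence in order within a time window.

```python
"""Detect port-knocking style sequences in connection logs.

Added example, not part of the mailing-list thread. It scans constructed,
simplified firewall-style log lines for a source host that contacts a fixed
sequence of destination ports in order within a short time window. The log
format is an assumption made for this example:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Host 10.0.0.5 performs the
# knock; 10.0.0.9 touches the same ports but out of order and too slowly.
SAMPLE_LOG = """\
2004-02-06T20:50:01 10.0.0.5 192.168.1.10 80
2004-02-06T20:50:02 10.0.0.9 192.168.1.10 443
2004-02-06T20:50:02 10.0.0.5 192.168.1.10 22
2004-02-06T20:50:03 10.0.0.5 192.168.1.10 443
2004-02-06T20:50:20 10.0.0.9 192.168.1.10 80
2004-02-06T20:50:40 10.0.0.9 192.168.1.10 22
2004-02-06T20:51:30 10.0.0.9 192.168.1.10 443
"""

KNOCK_SEQUENCE = (80, 22, 443)   # the sequence used as the example in the thread
WINDOW = timedelta(seconds=5)    # "within a few seconds"


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW):
    """Return (src_ip, dst_ip, completion_time) for every completed knock.

    For each (src, dst) pair keep only the last len(sequence) port hits. A
    knock is reported when those hits equal the sequence in order and the
    first of them is no older than `window` relative to the last one.
    """
    recent = defaultdict(lambda: deque(maxlen=len(sequence)))
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        q = recent[(src, dst)]
        q.append((ts, port))
        if len(q) == len(sequence) and tuple(p for _, p in q) == tuple(sequence):
            if q[-1][0] - q[0][0] <= window:
                hits.append((src, dst, q[-1][0]))
                q.clear()  # start fresh so one knock is reported once
    return hits


def knocking_hosts(log_text):
    """Sorted list of source IPs that completed the knock sequence."""
    return sorted({src for src, _, _ in find_knocks(log_text.splitlines())})


if __name__ == "__main__":
    for src, dst, when in find_knocks(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} possible port knock from {src} to {dst}")
```

The detector keeps state per (source, destination) pair rather than per source only, so a host that legitimately talks to many servers does not trip it by accident. Because it looks at the last three hits exactly, an unrelated connection from the same host between two knocks breaks the match; that is a deliberate choice to keep false positives low, and a looser variant would search any subsequence inside the window instead. Either way the evidence comes from traffic logs, which a host-resident rootkit of the kind the thread describes cannot rewrite.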
    
