Security Basics mailing list archives
RE: Hidden Ports
From: "Dimitri Bertolami" <Dimitri () staf pi be>
Date: Fri, 6 Feb 2004 20:50:50 +0100
guys and galls, I'll explain a bit more about this one .. what most trojans nowadays use as technique is a verry basic, verry simple sniffer, once you have built your own sniffer you can set it to listen to a certain type of packet, ONLY if that type of packet is detected you can trigger just about anything you please. most hackers use small tricks that will force you to kill your system many times before you find the actual process, like renaming their backdoor to winmgnt.exe , lsass.exe , svchost.exe etc. so you'll have to kill your system many times before you can find the actual process to which it is bound. (if you're really lucky the coder of the backdoor used a function that allways requests the same process ID, (PID) so look for the same PID after rebooting, but any person with C++ skills can change the original code to fit it needs... so far for the part of backdoor, rootkits are completely different than a simple backdoor. the most basic backdoor = netcat: (nc.exe -L -d -p 55 -v -vv -e cmd.exe) and you have a ready to use telnet server. (cmd.exe is bound to port 55 in this case) but , everyone can connect to it, and do the same as what you can, if you want to check out one of the first backdoors with authentication method built in (and some other small things extra) check out winshell 5.0 download : http://www.yanbing.org/software.htm info: http://www.megasecurity.org/trojans/w/winshell/Winshell5.0.html btw, if you want to test the "port connecting, use simple good old netcat: nc 10.0.0.1 20-25 will try to connect from port 1 to 100 , and in this case C:\tools>nc 10.0.0.1 1-100 220 Serv-U FTP Server v4.1 for WinSock ready... ^C it catches my FTP server on port 21 ;) this should get you started on how easy it actually is to accomplish what you want once you know why hackers use certain tools. there's not much "building of anything, it's just using tools to their limit, and if you need something else look for what you need in google. quote: -------------------------------------------
Some tools also look forconnections to ports in certain order (eg, the same host contacts port 80, port 22 and then port 443 within a few seconds). <<
Right. This is called port knocking. ------------------------------------------- if you want to test this particular thing out yourself , grab scanline from foundstone https://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcont ent=/resources/proddesc/scanline.htm that should allready scan for all the ports listed in your question in one simple command. quote: ------------------------------------------
Wouldn't you be able, in say, Windows 2000, to see the Process running
which would be looking for this sequence?
Perhaps a less-well-designed trojan might actually open the ports, then start a timer when the first port is knocked. Given such tools as fport and (my favorite) openports, you would be able to see the process that had opened this combination of ports. ------------------------------------------- as I said we're not talking about opening ports until a trigger sequence (however you like it) is activated in the "sniffer" part of the backdoor. quote: (david) ------------------------------------------- Not necessarily. These tools are often part of a rootkit, which would naturally hide itself. In fact, they usually load as part of the OS kernel, and not as a process. ------------------------------------------- http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html (text below taken from the site) Idea ---- Main idea of this program was to use API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change this result in specific cases. Program must be absolutely hidden for all others. Program installs hidden backdoors and register as hidden system service. -- meaning , you really honestly don't see the 500 connections to port 21 on your hidden FTP Server, because according to your "rewritten" kernel there simply aren't any of these services or ports in use, you can consider a rootkit like an Evil MS patch (from hackers) MS patches the correct way, rootkits patch the wrong way. but a patch is a patch and windows won't recognise the patch as "not" being a part of it's own architecture once it's installed. any questions, feel free to ask.. Cheers, Dimitri -----Original Message----- From: H Carvey [mailto:keydet89 () yahoo com] Sent: vrijdag 6 februari 2004 14:58 To: security-basics () securityfocus com Subject: Re: Hidden Ports In-Reply-To: <008701c3ebb4$8777ec90$2a067ece@dell16>
Some tools also look forconnections to ports in certain order (eg, the same host contacts port 80, port 22 and then port 443 within a few seconds). <<
Right. This is called port knocking.
Wouldn't you be able, in say, Windows 2000, to see the Process running
which would be looking for this sequence?
I'd be interested to hear how you would go about doing this. Yes, assuming there are no (DKOM-style, DLL injection, etc.) rootkits installed, you should be able to enumerate running processes. But how would you go about locating the process that had hooked the IP stack in order to listen for that combination? After all, assuming it were properly designed, you wouldn't have to actually open a port. Perhaps you'd need to include the WinPcap drivers or something similar, but hooking the stack and looking for the right combinations of knocks (ie, "shave and a haircut") shouldn't be to awfully difficult. Perhaps a less-well-designed trojan might actually open the ports, then start a timer when the first port is knocked. Given such tools as fport and (my favorite) openports, you would be able to see the process that had opened this combination of ports. --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- Re: Hidden Ports, (continued)
- Re: Hidden Ports vrsnet (Feb 06)
- Necessary ports and not necessary ports Benawi (Feb 05)
- Securing Windows Server 2003 [was: Necessary ports and not necessary ports] Joey Peloquin (Feb 05)
- Re: Necessary ports and not necessary ports JGrimshaw (Feb 06)
- Re: Necessary ports and not necessary ports NSC (Feb 06)
- Re: [work] Hidden Ports opticfiber (Feb 05)
- Re: Hidden Ports Vincent (Feb 06)
- Re: Hidden Ports Alessandro (Feb 04)
- Re: Hidden Ports H Carvey (Feb 05)
- Re: Hidden Ports H Carvey (Feb 06)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports Michael Painter (Feb 09)
- RE: Hidden Ports Aditya [ Aditya Lalit Deshmukh ] (Feb 10)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports H Carvey (Feb 06)
- Re: Hidden Ports H Carvey (Feb 09)