RE: Hidden Ports

["Dimitri Bertolami" <Dimitri () staf pi be>]

guys and galls,

I'll explain a bit more about this one ..


what most trojans nowadays use as technique is a verry basic, verry simple
sniffer, once you have
built your own sniffer you can set it to listen to a certain type of packet,
ONLY if that type of packet is detected you can trigger just about anything
you please.

most hackers use small tricks that will force you to kill your system many
times before you find the actual process,
like renaming their backdoor to winmgnt.exe , lsass.exe , svchost.exe etc.
so you'll have to kill your system
many times before you can find the actual process to which it is bound. (if
you're really lucky the coder of the
backdoor used a function that allways requests the same process ID, (PID) so
look for the same PID after rebooting,
but any person with C++ skills can change the original code to fit it
needs...
so far for the part of backdoor, rootkits are completely different than a
simple backdoor.
the most basic backdoor = netcat: (nc.exe -L -d -p 55 -v -vv -e cmd.exe) and
you have a ready to use telnet server.
(cmd.exe is bound to port 55 in this case)
but , everyone can connect to it, and do the same as what you can, if you
want to check out one of the first backdoors
with authentication method built in (and some other small things extra)
check out winshell 5.0
download :
http://www.yanbing.org/software.htm
info:
http://www.megasecurity.org/trojans/w/winshell/Winshell5.0.html


btw, if you want to test the "port connecting, use simple good old netcat:
nc 10.0.0.1 20-25
will try to connect from port 1 to 100 , and in this case

C:\tools>nc 10.0.0.1 1-100
220 Serv-U FTP Server v4.1 for WinSock ready...
^C

it catches my FTP server on port 21 ;)

this should get you started on how easy it actually is to accomplish what
you want once you know why hackers use certain
tools. there's not much "building of anything, it's just using tools to
their limit, and if you need something else look
for what you need in google.

quote:
-------------------------------------------
> > > Some tools also look for
> connections to ports in certain order (eg, the same host contacts port
> 80, port 22 and then port 443 within a few seconds).  <<

Right.  This is called port knocking.
-------------------------------------------
if you want to test this particular thing out yourself , grab scanline from
foundstone
https://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcont
ent=/resources/proddesc/scanline.htm


that should allready scan for all the ports listed in your question in one
simple command.


quote:
------------------------------------------
> Wouldn't you be able, in say, Windows 2000,  to see the Process running
which would be looking for this sequence?
>

Perhaps a less-well-designed trojan might actually open the ports, then
start a timer when the first port is knocked.  Given such tools as fport and
(my favorite) openports, you would be able to see the process that had
opened this combination of ports.
-------------------------------------------

as I said we're not talking about opening ports until a trigger sequence
(however you like it) is activated in the "sniffer"
part of the backdoor.

quote: (david)
-------------------------------------------
Not necessarily.  These tools are often part of a rootkit, which would
naturally hide itself.  In fact, they usually load as part of the OS
kernel, and not as a process.
-------------------------------------------
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
(text below taken from the site)
Idea
----

        Main idea of this program was to use API functions WriteProcessMemory
and CreateRemoteThread to create a new thread in all running processes.
New thread will rewrite some functions in system modules (mostly
kernel32.dll)
and inject fake code which will check API results and change this result
in specific cases.
        Program must be absolutely hidden for all others. Program installs
hidden backdoors and register as hidden system service.




--
meaning ,  you really honestly don't see the 500 connections to port 21 on
your hidden FTP Server, because according to
your "rewritten" kernel there simply aren't any of these services or ports
in use, you can consider a rootkit like an Evil
MS patch (from hackers) MS patches the correct way, rootkits patch the wrong
way. but a patch is a patch and windows won't
recognise the patch as "not" being a part of it's own architecture once it's
installed.


any questions, feel free to ask..
Cheers,
Dimitri







-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: vrijdag 6 februari 2004 14:58
To: security-basics () securityfocus com
Subject: Re: Hidden Ports


In-Reply-To: <008701c3ebb4$8777ec90$2a067ece@dell16>


> > > Some tools also look for
> connections to ports in certain order (eg, the same host contacts port
> 80, port 22 and then port 443 within a few seconds).  <<

Right.  This is called port knocking.

> Wouldn't you be able, in say, Windows 2000,  to see the Process running
which would be looking for this sequence?
>

I'd be interested to hear how you would go about doing this.  Yes, assuming
there are no (DKOM-style, DLL injection, etc.) rootkits installed, you
should be able to enumerate running processes.  But how would you go about
locating the process that had hooked the IP stack in order to listen for
that combination?  After all, assuming it were properly designed, you
wouldn't have to actually open a port.  Perhaps you'd need to include the
WinPcap drivers or something similar, but hooking the stack and looking for
the right combinations of knocks (ie, "shave and a haircut") shouldn't be to
awfully difficult.

Perhaps a less-well-designed trojan might actually open the ports, then
start a timer when the first port is knocked.  Given such tools as fport and
(my favorite) openports, you would be able to see the process that had
opened this combination of ports.




---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------