Security Basics mailing list archives

Re: Hidden Ports


From: H Carvey <keydet89 () yahoo com>
Date: 9 Feb 2004 13:46:57 -0000

In-Reply-To: <JGEIIEMEINOFOPANNLKAOEHPDCAA.Dimitri () staf pi be>


> Most hackers use small tricks that will force you to kill your system many
> times before you find the actual process, like renaming their backdoor to
> winmgnt.exe, lsass.exe, svchost.exe, etc., so you'll have to kill your system
> many times before you can find the actual process to which it is bound.


I would caveat this by adding that this is only true in the case of a clueless investigator.  

What we're talking about here is a "port knocker", so using a subject such as "hidden ports" is something of a 
misnomer, b/c the port isn't hidden if it isn't actually open.  

It's true that someone can write (and has written) simple sniffer-like utilities to add to trojan code, so that the IP 
stack is hooked and the code waits for the signature "knock" sequence.  It's like knocking "shave and a haircut" in the 
movies.  I would hesitate, however, to use words like "most trojans" and "most hackers", as this may give people a 
false idea of what's going on.

Now, to the process issue.  Given the process names, I'll assume that Dimitri is referring to a Windows system...say, 
XP.  Well, XP comes with something called Windows File Protection (WFP)...so does 2K and 2K3, for that matter.  In a 
nutshell, if an attacker tries to copy his code into the system32 directory and call it "svchost.exe", *and makes no 
attempts at all to disable WFP*, then WFP will wake up and automatically replace the new svchost.exe with the original.

Why is this important?  Well, let's say that Joe Admin has a copy of tlist.exe from the MS Debugging Toolkit (NOT the 
RK).  If he runs "tlist -c" on the system, he'll get the command line used to launch each process, and will see the 
path that the executable image was launched from.  While the process will appear as yet another "svchost.exe" in Task 
Manager, using other tools will provide the path, such as "C:\temp" or "C:\windows\temp".

So...no reason to repeatedly "kill your system"...

> So far for the backdoor part; rootkits are completely different from a
> simple backdoor.
> The most basic backdoor = netcat: (nc.exe -L -d -p 55 -v -vv -e cmd.exe) and
> you have a ready-to-use telnet server.

I think more appropriately, you would have a backdoor that you can connect to with the telnet client (or netcat 
client).  It's technically NOT a telnet server at all...
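An added detection script, not part of the original post, doing the check described above: given a process listing that includes each process's command line, flag any "svchost.exe" or "lsass.exe" whose image was launched from outside system32 (e.g. C:\temp or C:\windows\temp). The listing layout and the sample lines are constructed stand-ins, not the real tlist -c output format; the trusted directories assume a default install on C:.

```python
import re
from pathlib import PureWindowsPath

# System process names that backdoors get renamed to (the names the thread mentions).
PROTECTED_NAMES = {"svchost.exe", "lsass.exe"}
# Directories the genuine images live in (assumption: default install on C:).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Constructed sample in an assumed "PID  name  command line" layout. This is NOT the
# real tlist -c format; it is only a stand-in so the example runs offline.
SAMPLE_LISTING = """\
 548  svchost.exe   C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
 612  lsass.exe     C:\\WINDOWS\\system32\\lsass.exe
1384  svchost.exe   C:\\windows\\temp\\svchost.exe
1420  lsass.exe     "C:\\temp\\lsass.exe"
1500  notepad.exe   C:\\WINDOWS\\system32\\notepad.exe
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")


def image_path(cmdline):
    """Return the executable path from a command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def find_masquerading(listing, trusted_dirs=TRUSTED_DIRS):
    """Return (pid, name, path) for each process whose name matches a protected
    system process but whose image lives outside the trusted directories."""
    suspects = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers or blank lines
        pid, name, cmdline = int(m.group(1)), m.group(2).lower(), m.group(3)
        if name not in PROTECTED_NAMES:
            continue
        path = image_path(cmdline)
        parent = str(PureWindowsPath(path).parent).lower()
        if parent not in trusted_dirs:
            suspects.append((pid, name, path))
    return suspects


if __name__ == "__main__":
    for pid, name, path in find_masquerading(SAMPLE_LISTING):
        print(f"PID {pid}: {name} launched from {path}")
```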

