Security Basics mailing list archives
Re: Hidden Ports
From: H Carvey <keydet89 () yahoo com>
Date: 9 Feb 2004 13:46:57 -0000
In-Reply-To: <JGEIIEMEINOFOPANNLKAOEHPDCAA.Dimitri () staf pi be>
> most hackers use small tricks that will force you to kill your system many times before you find the actual process, like renaming their backdoor to winmgnt.exe , lsass.exe , svchost.exe etc. so you'll have to kill your system many times before you can find the actual process to which it is bound.
I would caveat this by adding that this is only true in the case of a clueless investigator. What we're talking about here is a "port knocker", so using a subject such as "hidden ports" is something of a misnomer, b/c the port isn't hidden if it isn't actually open. It's true that someone can write (and has written) simple sniffer-like utilities to add to trojan code, so that the IP stack is hooked and the code waits for the signature "knock" sequence. It's like knocking "shave and a haircut" in the movies. I would hesitate, however, to use words like "most trojans" and "most hackers", as this may give people a false idea of what's going on.

Now, to the process issue. Given the process names, I'll assume that Dimitri is referring to a Windows system...say, XP. Well, XP comes with something called Windows File Protection (WFP)...so does 2K and 2K3, for that matter. In a nutshell, if an attacker tries to copy his code into the system32 directory and call it "svchost.exe", *and makes no attempts at all to disable WFP*, then WFP will wake up and automatically replace the new svchost.exe with the original. Why is this important? Well, let's say that Joe Admin has a copy of tlist.exe from the MS Debugging Toolkit (NOT the RK). If he runs "tlist -c" on the system, he'll get the command line used to launch each process, and will see the path that the executable image was launched from. While the process will appear as yet another "svchost.exe" in Task Manager, using other tools will provide the path, such as "C:\temp" or "C:\windows\temp". So...no reason to repeatedly "kill your system"...
> so far for the part of backdoor, rootkits are completely different than a simple backdoor. the most basic backdoor = netcat: (nc.exe -L -d -p 55 -v -vv -e cmd.exe) and you have a ready to use telnet server.
I think more appropriately, you would have a backdoor that you can connect to with the telnet client (or netcat client). It's technically NOT a telnet server at all...
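The check Carvey describes (compare the image path from each process's command line, as `tlist -c` reports it, against where a real system binary lives) can be scripted. The following is an added example, not code from the thread or from any Microsoft tool: it takes a constructed process table in the form (pid, name, command line), assumes the system directory is `C:\WINDOWS\system32`, and flags any process that borrows a protected name such as `svchost.exe` or `lsass.exe` but was launched from somewhere else, without a full path, or with an image file whose name differs from the process name.

```python
"""Flag processes that borrow a Windows system binary's name but run from
elsewhere, using the image path recovered from each process's command line
(the piece of information an investigator gets from `tlist -c`).

Added example; the process table below is constructed, not real tlist output.
"""
import ntpath

# Names the thread mentions as favourite disguises (winmgmt.exe is the WMI
# service binary; the post's "winmgnt.exe" is taken to be that name).
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "winmgmt.exe"}

# Assumed location of the genuine binaries (Windows 2000/XP/2003 default).
SYSTEM_DIR = r"C:\WINDOWS\system32"


def image_path_from_cmdline(cmdline: str) -> str:
    """Return the executable path from a command line.

    A quoted first token is returned without quotes; otherwise the first
    whitespace-delimited token is taken to be the image path.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def _norm(path: str) -> str:
    """Case-insensitive, normalised form of a Windows path."""
    return ntpath.normpath(path).lower()


def assess(name: str, cmdline: str):
    """Return (verdict, reason) for one process.

    verdict is "ok" or "suspicious"; only protected names are examined.
    """
    name_l = name.lower()
    if name_l not in PROTECTED_NAMES:
        return ("ok", "not a protected system binary name")

    path = image_path_from_cmdline(cmdline)
    directory, base = ntpath.split(path)

    if not directory:
        # No path at all: Task Manager would still show the bare name.
        return ("suspicious", f"{name} launched without a full path")
    if base.lower() != name_l:
        return ("suspicious", f"process name {name} differs from image {base}")
    if _norm(directory) != _norm(SYSTEM_DIR):
        return ("suspicious",
                f"{name} running from {directory} instead of {SYSTEM_DIR}")
    return ("ok", f"{name} running from the system directory")


def scan(processes):
    """Apply assess() to a list of (pid, name, cmdline) tuples."""
    return [(pid, name, *assess(name, cmd)) for pid, name, cmd in processes]


# Constructed sample process table, in the spirit of what `tlist -c` shows.
SAMPLE = [
    (812, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    (1337, "svchost.exe", r"C:\temp\svchost.exe"),
    (560, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    (2044, "lsass.exe", r'"C:\windows\temp\lsass.exe"'),
    (1500, "notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, name, verdict, reason in scan(SAMPLE):
        print(f"{pid:>6} {name:<14} {verdict:<10} {reason}")
```

On the constructed table the two processes launched from `C:\temp` and `C:\windows\temp` are the ones flagged; the genuine `svchost.exe` and `lsass.exe` under system32 pass, and `notepad.exe` is ignored because it is not a protected name. On a live system the same comparison can be fed from any tool that exposes the image path, which is the whole point of the reply: the name in Task Manager is cheap to fake, the path is not.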