Re: Hidden Ports

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <008701c3ebb4$8777ec90$2a067ece@dell16>


> > > Some tools also look for
> connections to ports in certain order (eg, the same host contacts port
> 80, port 22 and then port 443 within a few seconds).  <<

Right.  This is called port knocking.

> Wouldn't you be able, in say, Windows 2000,  to see the Process running which would be looking for this sequence? 

I'd be interested to hear how you would go about doing this.  Yes, assuming there are no (DKOM-style, DLL injection, 
etc.) rootkits installed, you should be able to enumerate running processes.  But how would you go about locating the 
process that had hooked the IP stack in order to listen for that combination?  After all, assuming it were properly 
designed, you wouldn't have to actually open a port.  Perhaps you'd need to include the WinPcap drivers or something 
similar, but hooking the stack and looking for the right combinations of knocks (ie, "shave and a haircut") shouldn't 
be to awfully difficult.

Perhaps a less-well-designed trojan might actually open the ports, then start a timer when the first port is knocked.  
Given such tools as fport and (my favorite) openports, you would be able to see the process that had opened this 
combination of ports.

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------