Security Basics mailing list archives
Re: Hidden Ports
From: H Carvey <keydet89 () yahoo com>
Date: 6 Feb 2004 13:57:33 -0000
In-Reply-To: <008701c3ebb4$8777ec90$2a067ece@dell16>
Some tools also look forconnections to ports in certain order (eg, the same host contacts port 80, port 22 and then port 443 within a few seconds). <<
Right. This is called port knocking.
Wouldn't you be able, in say, Windows 2000, to see the Process running which would be looking for this sequence?
I'd be interested to hear how you would go about doing this. Yes, assuming there are no (DKOM-style, DLL injection, etc.) rootkits installed, you should be able to enumerate running processes. But how would you go about locating the process that had hooked the IP stack in order to listen for that combination? After all, assuming it were properly designed, you wouldn't have to actually open a port. Perhaps you'd need to include the WinPcap drivers or something similar, but hooking the stack and looking for the right combinations of knocks (ie, "shave and a haircut") shouldn't be to awfully difficult. Perhaps a less-well-designed trojan might actually open the ports, then start a timer when the first port is knocked. Given such tools as fport and (my favorite) openports, you would be able to see the process that had opened this combination of ports. --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- Re: Hidden Ports, (continued)
- Re: Hidden Ports Michael Painter (Feb 06)
- Re: Hidden Ports vrsnet (Feb 06)
- Necessary ports and not necessary ports Benawi (Feb 05)
- Securing Windows Server 2003 [was: Necessary ports and not necessary ports] Joey Peloquin (Feb 05)
- Re: Necessary ports and not necessary ports JGrimshaw (Feb 06)
- Re: Necessary ports and not necessary ports NSC (Feb 06)
- Re: [work] Hidden Ports opticfiber (Feb 05)
- Re: Hidden Ports Vincent (Feb 06)
- Re: Hidden Ports Alessandro (Feb 04)
- Re: Hidden Ports H Carvey (Feb 05)
- Re: Hidden Ports H Carvey (Feb 06)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports Michael Painter (Feb 09)
- RE: Hidden Ports Aditya [ Aditya Lalit Deshmukh ] (Feb 10)
- RE: Hidden Ports Dimitri Bertolami (Feb 06)
- Re: Hidden Ports H Carvey (Feb 06)
- Re: Hidden Ports H Carvey (Feb 09)