Trojans and backdoors keep developing, and firewalls keep developing along with them; it is a spear-and-shield relationship. Knowing how a backdoor gets past a firewall matters a great deal for control of a system.
Because firewalls have evolved, many of them today are loaded as drivers: the core lives in the driver, and a user-mode interface program is kept for configuration and acts as a bridge to it. The traditional approach of killing the firewall process in order to control the system has therefore become ineffective, and it is not a good approach anyway (think about how an administrator would notice that the firewall icon has disappeared). The following discusses other approaches.
Prerequisites:
1. You have sufficient privileges on the remote system.
2. You have IPC, MSSQL or some other access to the system, but operating through IPC or MSSQL is not as fast and convenient as getting a cmd shell directly.
Method 1: Do not let the firewall load itself
Use tools such as pslist, sc.exe and reg.exe to find out how the firewall is loaded. If it is loaded from a Run key, remove it with reg.exe; if it is started as a service, use sc.exe to set the service to manual or disabled, then restart the system, after which the firewall will not load. Because this method stops the firewall from running at all, it is more easily discovered by the administrator.
Method 2: Forcibly bind to a port the firewall allows
If a system runs services such as pcAnywhere, Serv-U, IIS, MSSQL or MySQL, the firewall will always allow outside connections to the ports those applications open, and a backdoor or Trojan can forcibly bind its own listener to those ports. For example, the ports opened by pcAnywhere or Serv-U can be re-bound; with IIS and MSSQL it sometimes works and sometimes fails, for reasons that are unclear. Because those applications are authorized and trusted by the firewall, a backdoor that binds to their ports can evade it. This does not work against more advanced firewalls such as ZoneAlarm, however: ZoneAlarm monitors not just the port but which program attempts to bind to it, so a backdoor that has not been authorized by ZoneAlarm still cannot bind to that port.
Method 3: ICMP or a custom protocol for the backdoor or Trojan
This works against some firewalls, but it fails against a firewall that checks whether the program making a network connection is trusted, because such a firewall decides whether a program may connect based on whether the user has authorized that program, not simply on the protocol or port.
Method 4: Plug the backdoor or Trojan into another process
Some programs on a system, such as IE, are allowed by 99.9999% of users; it is very rare to see a user refuse to let IE connect to the network. Because IE is generally an application the firewall trusts, a backdoor inserted into the running IE process is generally not blocked, and as long as the firewall allows IE to connect to the network, a backdoor plugged into IE can accept external connections. This type of backdoor is usually loaded into IE as a DLL; an executable can also inject a thread into IE directly, but that is far less stable than DLL injection. This approach evades most firewalls, though it sometimes fails against firewalls that check inbound as well as outbound connections. Overall it is a good and convenient method (it has been tested).
Method 5: Insert the backdoor into IE and use a reverse connection
Method 4 above explained that IE is generally trusted by the firewall, so inserting the backdoor into IE is already a good method. Some firewalls, however, also check inbound connections (connections from outside to the system), which can defeat method 4: the firewall is likely to ask the user whether to allow the connection, and if the user refuses, method 4 fails.
If instead the backdoor runs inside IE and automatically connects outward to a designated IP (a reverse connection), it will succeed almost 99% of the time, because the firewall allows IE to make outbound connections; once the backdoor connects to the designated IP, the attacker can obtain a cmd shell.
Of the methods above, methods 1, 2 and 3 apply only narrowly and are not good methods; methods 4 and 5 are relatively advanced, are generally very difficult for administrators to discover (generally nobody suspects that a backdoor has been plugged into their running IE; I believe most Internet users do not know these methods exist), and are harder to detect.
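From the administrator's side, methods 2 and 4 both leave a trace in the listener table: a trusted service's port ends up owned by the wrong process, or a browser process holds a listening socket at all. The following is an added detection example (not part of the original article) that runs over constructed netstat-style sample lines and a constructed PID-to-image map; the port-to-image allowlist and image names are assumptions for the sample system.

```python
# Added example, not from the original article: flag listening sockets whose
# owning process is not the one expected for that port, or whose owner is a
# browser process that should never listen.
import re

# Assumed allowlist: image name expected to own each listening port.
EXPECTED_LISTENERS = {
    21: "servudaemon.exe",   # Serv-U (assumed image name)
    80: "inetinfo.exe",      # IIS 5 (assumed image name)
    1433: "sqlservr.exe",    # MSSQL
    3306: "mysqld.exe",      # MySQL
    5631: "awhost32.exe",    # pcAnywhere host (assumed image name)
}

# Processes that should never hold a listening socket (method 4 indicator).
NEVER_LISTENS = {"iexplore.exe"}

# Constructed sample lines in the layout of Windows "netstat -ano".
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:21       0.0.0.0:0    LISTENING  1204
  TCP    0.0.0.0:80       0.0.0.0:0    LISTENING  1320
  TCP    0.0.0.0:5631     0.0.0.0:0    LISTENING  2040
  TCP    0.0.0.0:1433     0.0.0.0:0    LISTENING  1460
  TCP    0.0.0.0:8080     0.0.0.0:0    LISTENING  2388
"""
# Constructed PID -> image map, as "tasklist" would report it.
SAMPLE_PIDS = {1204: "servudaemon.exe", 1320: "inetinfo.exe",
               2040: "svchost.exe", 1460: "sqlservr.exe", 2388: "iexplore.exe"}

LINE_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def find_suspicious_listeners(netstat_text, pid_to_image):
    """Return (port, image, reason) tuples for listeners that break expectations."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, UDP rows and non-listening sockets
        port, pid = int(m.group(1)), int(m.group(2))
        image = pid_to_image.get(pid, "<unknown>").lower()
        expected = EXPECTED_LISTENERS.get(port)
        if image in NEVER_LISTENS:
            findings.append((port, image, "browser process holding a listening socket"))
        elif expected and image != expected:
            findings.append((port, image, f"port {port} expected to be owned by {expected}"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(finding)
```

On a live system the two inputs would come from the output of netstat -ano and tasklist; the allowlist has to be built per host from what is actually installed.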