Study on Escaping the Firewall to Control a System

Source: Internet
Author: User

With the continuous development of Trojans and backdoors, firewalls are also developing continuously; it is a spear-and-shield relationship. Knowing how to escape the firewall and control a system is therefore of great significance.
Because of this development, many firewalls are now loaded as drivers. The core part is the driver, which exposes an interface through which the user configures it; the interface program also acts as the bridge between the user and the driver. The traditional method of killing the firewall process to control the system no longer works, and it was never a good method anyway (think about what happens when the administrator notices that the firewall icon is missing). Here are some methods.
Prerequisites:
1. You have sufficient permissions on the remote system.
2. You have obtained system permissions through ipc, mssql, or some other means.
(This is not as fast or convenient as working from a cmd shell.)

Method 1: do not let the firewall load itself
Use tools such as pslist, sc.exe and reg.exe to find where the firewall is loaded from. If it is loaded from a registry Run entry, use reg.exe to delete that entry. If it is started as a service, use sc.exe to change the service to manual or disabled, and then restart the system. After the restart, the firewall cannot load itself. This method stops the firewall from running at all, so it is easily discovered by administrators.

Method 2: forcibly bind the port allowed by the firewall
If a system runs services such as pcAnywhere, Serv-U, IIS, MSSQL or MySQL, the firewall always allows the ports opened by these applications to be reached from the outside, so those ports can be forcibly bound by a backdoor or Trojan. For example, the port opened by pcAnywhere or the port opened by Serv-U can be re-bound. IIS and MSSQL can sometimes be used, but sometimes fail for unknown reasons. Because these applications are authorized and trusted by the firewall, once a backdoor or Trojan forcibly binds their port, the firewall is bypassed. However, this method does not work against advanced firewalls such as ZoneAlarm, because ZoneAlarm monitors not only ports but also which program tries to bind a port; if the backdoor is not authorized by ZoneAlarm, it cannot bind that port.

Method 3: backdoors or Trojans using ICMP or custom protocols
This method is effective against some firewalls. However, if the firewall checks whether the program making a network connection is trusted, this method fails: such a firewall decides whether a program may connect based on whether the user has allowed that program, not simply on the protocol or port.

Method 4: plug the backdoor or Trojan into another process and run it from there
Some programs are allowed by 99.9999% of users, such as IE; a user who does not allow IE to connect to the network is very rare. Because IE is generally an application trusted by the firewall, as long as the backdoor is inserted into IE and runs there, the firewall will not block it. As long as the firewall allows Internet Explorer to connect to the network, a backdoor inserted into IE can accept external connections. Such backdoors are generally loaded into IE as a DLL; an executable can also be injected directly into IE, but that is far less stable than DLL injection. This method evades most firewalls, but it will sometimes fail against firewalls that check not only outbound but also inbound connections. In general, though, this is a good and convenient method (tested).

Method 5: insert the backdoor into IE and use a reverse connection
Method 4 above shows that IE is generally trusted by the firewall, so inserting the backdoor into IE and running it there is a good approach. Some firewalls, however, also check inbound connections (connections from the outside world to the system), which makes Method 4 fail: the firewall may ask the user whether to allow the connection, and Method 4 is defeated as soon as the user rejects the request.
But if the backdoor inserted into IE connects out automatically to a specified IP address (a reverse connection), almost 99% of attempts will succeed, because the firewall allows Internet Explorer to connect outward. Once the backdoor connects to the specified IP address, the attacker gets a cmd shell.
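From the defender's side, Methods 2 and 5 both leave a trace in the socket table: a trusted service port owned by an image that is not the service, or a browser process holding an outbound session to a non-web port. The following check is an added example, not code from the original article; the `netstat -ano` lines, the PID-to-image map and the service image names are all constructed assumptions.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2316
  TCP    192.0.2.10:1044        198.51.100.7:443       ESTABLISHED     1720
  TCP    192.0.2.10:1045        198.51.100.9:9001      ESTABLISHED     1720
"""
# Constructed PID -> image map (what `tasklist` would give); names are assumed.
SAMPLE_PIDS = {1204: "ServUDaemon.exe", 988: "inetinfo.exe",
               2316: "update.exe", 1720: "iexplore.exe"}

# Ports the firewall trusts because a known service opened them, and the
# image that should own each one (service image names are assumptions).
EXPECTED_LISTENERS = {21: "servudaemon.exe", 80: "inetinfo.exe",
                      1433: "sqlservr.exe", 5631: "awhost32.exe"}
BROWSERS = {"iexplore.exe"}
WEB_PORTS = {80, 443}

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return TCP rows from `netstat -ano` text, skipping headers and UDP."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            _laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append((int(lport), raddr, int(rport), state, int(pid)))
    return rows

def find_anomalies(netstat_text, pid_to_image):
    """Flag trusted ports owned by the wrong image (Method 2) and browser
    processes with outbound sessions to non-web ports (Method 5)."""
    findings = []
    for lport, raddr, rport, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown>").lower()
        if state == "LISTENING" and lport in EXPECTED_LISTENERS \
                and image != EXPECTED_LISTENERS[lport]:
            findings.append(f"port {lport} owned by {image}, "
                            f"expected {EXPECTED_LISTENERS[lport]}")
        if state == "ESTABLISHED" and image in BROWSERS and rport not in WEB_PORTS:
            findings.append(f"{image} pid {pid} connected out to {raddr}:{rport}")
    return findings
```

On a live host the two inputs would come from `netstat -ano` and `tasklist`, and a browser session to a non-web port is only a lead, since some legitimate sites use odd ports.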

Among the methods above, Methods 1, 2 and 3 apply only narrowly and cannot be regarded as good methods. Methods 4 and 5 are relatively advanced, and in addition they are hard for administrators to detect (generally no one suspects that a backdoor has been inserted into their IE; I believe most Internet users do not know these methods at all). Of course, there are other methods; you are welcome to share those you know.
