I've been having a good DEF CON. Man, come on, how can you not have fun here? Well, that's true, but... Yeah, and one of the goons has an announcement, so...

I've been asked to tell everybody that DT is in the dunk tank. DT is in the dunk tank, so if you would like to dunk him, he will be there. But unfortunately, you'll have to miss this talk. And from the look of the room, you probably don't want to miss this talk, so... I did my job now. You can have fun.

Awesome. Thank you. Where are you talking about, Taylor? No. Okay, just so everyone knows, I'm Lenox. I run a site with a friend of mine called NoxFiles.com. It's basically a security research type of thing, and the first presentation released by us is about advanced Windows-based firewall subversion. So this is not going to be just, you know, "oh yeah, run it over port 80, the firewall won't notice, hopefully" type of thing. This is a lot more technical than that. There will be a lot of reverse engineering and payload development, all that fun stuff. So get ready.

All right. Okay, first of all, a little background. There's a prevailing mentality throughout all of InfoSec and the corporate world that, you know, applications aren't secure, so we pretty much need to develop something to cover up for someone else's vulnerability. And many people believe that a firewall, or a HIPS (I guess you could use the terms interchangeably to an extent, but a HIPS and a personal firewall do a little bit of a different thing; well, they do the same thing, but in a different way) is that. But there's one small problem. If we manage to exploit one of these vulnerable systems, we still have execution control. We can still do whatever the user running it, whoever owns the process, can. And attempts to stop us can be broken. It may be a little bit difficult, but it can be done. Now, some former research in this area: I just wanted to cite Phrack 62, article 13 in there.
It presents some standard methods for bypassing Windows-based personal firewalls. Now, what it mostly involves is injection of code into a trusted process. But as you'll see later, a lot of firewalls will detect this type of thing. If I recall, this issue is kind of old, but it's still good code, so I do recommend you all check it out. It presents some different methods of doing it, and yeah, it is pretty good research.

Now, there's another thing on this about why more research is needed in this field. Why is it important? These personal firewalls, these HIPS-like systems, are getting more and more common. They're pretty much moving to a point where firewalls, antivirus systems, and antispyware crap are going to be all in one product. One thing, not a suite. And not to mention, you have a whole lot more file format bugs these days: just the WMF exploit, the Excel spreadsheet vulnerabilities that we've seen in, I guess, the past month or two. And in an application like Word, it's going to look funny if Word is trying to bind to a port. Now, maybe we want to get past that and not let the user know that that's happening, or just be able to break out in general. Basically, we have to start breaking out of the cage, right? I haven't seen too many exploit frameworks or anything do this type of research, these types of payloads, or anything like that. It's kind of disappointing, but that's why we have this talk.

So, the tools needed to do this. Basically, you need a debugger. OllyDbg is my choice. Many people prefer WinDbg. That's fine. A disassembler: not totally necessary if you have a debugger, but IDA Pro is a good choice for this. And an assembler. I prefer NASM, and that's what the Metasploit payload development kit uses, so I guess why not. And you're going to need a compiler also. I chose Microsoft Visual Studio C++ 2005, and the Express version works, and it's free.
So you know what, you can go home and compile my code and run it, if it works on your system, and I'll cover that later.

So the first firewall that we're going to go after is the Windows Firewall. Service Pack 2 has brought us a, well, more improved firewall than the first one, but it's integrated into Windows and offers a little bit more control than the original. But there's a really big problem with this. Now, let me see. I'm going to bring up the MSDN library; I have it on my system here. So let's search for a little string here: "Exercising the Windows Firewall". All right, let's just see what this comes up with. Okay, let's see what this... Oh, "Using the Windows Firewall API, Exercising the Windows Firewall". Let's see what that does. Now, if my system would be fast, but okay. Now, "Windows Firewall initialized". Let's see if we get to something interesting here. "Windows Firewall is on. Turn on." Oh, and here's something funny: "Windows Firewall turned off". Looks like it might do something that maybe people don't want it to do.

So as you can see here, Microsoft has provided a full API, or a... well, it's through a COM interface that allows you to do all sorts of fun stuff. So you can do things like enabling a service, basically allowing one application out. Or, you know, here's my favorite method: put_FirewallEnabled. Yeah, so you can just put_FirewallEnabled, VARIANT_FALSE, and what do you think that does? So it can arbitrarily authorize applications to basically be allowed out through the firewall. And the shellcode here will basically initialize a COM object. Let me see if I can get the code up here, so you can all see the C code that I wrote. Okay, I think it's in fwkiller. Trying to remember which one this was, because the C code is not as important as the actual assembly payload. Okay. So basically, what you're going to do is initialize COM via CoInitializeEx.
And then you're going to initialize a COM object, which I believe is INetFwMgr. And then that has a method called get_LocalPolicy. And that FwPolicy also has a method called get_CurrentProfile, which basically contains a method called put_FirewallEnabled, and we just set it to VARIANT_FALSE. And that works. Sounds kind of funny, doesn't it? I mean, this shouldn't be that easy, in my opinion. Now, granted, you do have to run this as an admin to get it to work, but there are a lot of ways to escalate your privileges inside of any operating system. You know, hard on the outside, somewhat more mushy in the middle.

So, demos. They're important. If you don't do them, people look at you like you don't know anything. So that, all right. Basically, I wrote up a payload for the Metasploit Framework. Yes. Okay, great. You're all able to see that fairly well. I'm not sure if I can get the font any bigger on this because it's in a virtual machine. But the bottom line: who all knows what the Metasploit Framework is? All right, a good number of you. Just for those who don't know, the Metasploit Framework provides an automated way to create and test exploits, along with developing payloads for them. And it just so happens that developing payloads is kind of what I was doing here. So, it proved to be quite useful.

All right. Now, I'm just going to bring up the Metasploit console here, if it will load. Now, there's a new version that's written in Ruby. I didn't have too much luck getting this payload to work with that. There must have been some kind of quirks in there. HD had been fixing some stuff, and I hear there are a lot of the bugs taken out of the Ruby version, which is 3.0. But it seemed that 2.6 was the one that I had the most luck with, so that's what I'm going to stick with. Now, to deliver this payload, the exploit that I'm going to use is the WMF exploit.
And why this is important is, if you think about it, a lot more cross-site scripting attacks are happening these days. You know, redirecting the user to some other arbitrary site, getting data; you have all this Ajax stuff where basically you're able to funnel data in without the user knowing. Fun stuff like that. If you all had seen Billy Hoffman's talk at Black Hat about that, that would be a little bit more informative on the subject. But cross-site scripting is a lot bigger. And you have a lot of lusers who have the tendency to click on any link if it kind of looks like it's trustworthy, even though it has, like, a script tag at the end and it says "I pwned you". I don't know. Maybe that's just me.

Okay. And I'll set the payload. This is a bind payload, by the way, to demonstrate the fact that it seems that the Windows ICF is very tuned to basically blocking applications from binding. It doesn't do as much against stuff connecting out. But the reason that it's important to be able to disable this is that what it will do is prevent you from accessing a lot of network resources. Now, if you want to be able to break into one system and own all the boxes on the network, you will want to be able to do that. And, you know, through SMB, be able to browse the shares, all that fun stuff. So it is an important thing to be able to do.

Okay. And exploit. So now we have a bind handler. Well, it's not a bind handler. It's basically a makeshift HTTP server. And, in fact, 2.6 can't actually shovel a shell on this. So what I just did is use Netcat like normal to gain that. Okay. That's 28.120. That's the default port that I'll be running on. So, okay. Now, let's see how usable this VM is, because the screen resolution got kind of mangled in this whole process of setting it up. Now, okay, first of all, go to the Control Panel, see if the firewall is actually enabled here. Scroll up a little bit.
Yep, it's on. So, and not to, I'm just going to leave "Don't allow exceptions" off, because it really doesn't matter in this case. So, I'll go here, and I believe it was, I believe that was 128. Yeah. So, okay, so it's going in. Now, you should see an image pop up here. Now, oh, fun. "Do you want to keep blocking this?" Okay. Now, I wonder if I'd set the payload correctly, because it shouldn't do that. But to be fair, this is why I have Flash demos of this stuff, because, all right, yeah, sorry about this. I just figured that there would probably be some script during this, but you will be able to see how truly powerful Windows XP firewall foo is. Okay. Oh, man. God. All right.

So, let's see here. Can you read that at all? Now, you basically get a general outline of what's going on. So, as you can see, I'm enabling the firewall right there. And then, okay, go back to my terminal on my Linux system. And I'm launching the msfconsole program right there. So, basically, I'm doing the same thing that I was before, but this time it will work. So, God love live demos. Now, I'm just entering the exploit to use right here. Excuse me? Yes. And the main reason I did that was basically the way you know that this is working is if you do a bind one and you don't get that message that you saw on the other part. Now, I don't know. It was an act of God or something. I must have done something really bad last night. But, okay, now why is that running so slow? All right. Well, hopefully it will get a bit faster here. Again, God love live demos. Let me see. A lot of disk activity, because I have this virtual machine stuff running. All right. I think I need to, like, close some things here. Like the MSDN library. That needs to go. Oh, fun. My system got locked up. Windows is exacting its revenge against me. That's, you know, it has a soul and all that. So, you know, you have all sorts of fun stuff going on there. Close that big memory hog. Yeah. Very robust, as you can see. Now, okay.
Now it seems to be running a lot faster. So, okay. Yeah. Now I'm doing "exploit" right there. So it's going to start the HTTP server. What? I just killed you. Good Lord. Okay. Now, I'm waiting for the connection, and then we'll go back to the VMware system right here, and then run, and then basically I'm running iexplore and then the URL of that malicious site. So just say some luser happened to click on that in some cross-site scripting vulnerability. So basically it's going to be pushed down. It'll run, and it will say, as you can see, your firewall got disabled. So, therefore, if you'll wait for it here, I'm netcatting to port 444, which is the default port set up in Metasploit for which port to bind to. And we have a shell, as you can see. So it may have said something to the user, but we still owned them. So, I mean, you could basically shovel in your own payload that would do something like load a rootkit. So, oh, all of a sudden, it doesn't really matter that they know anymore. They're still fucked.

So, all right, let's see here if I can. Okay. Just got fun stuff here. Jeez, VMware. Come on. It's supposed to be reliable. Sorry for this, but all right. Let's see. That should be in full screen. Oh, well, now we have this fun up here. So if you can ignore that, everything that can go wrong will go wrong. So that's just one of the rules here.

So, the next firewall that we're going to go after is the ZoneAlarm personal firewall. And this is actually a little bit of an older version compared to the new one. And I will discuss the new one. Now, this is one of the main personal firewalls used. You know, everyone talks about ZoneAlarm all the time. And these personal firewalls have a hard job, because they have to defend from threats locally and remotely, a.k.a. people like me. So, one of the most important components in this firewall is called TrueVector.
It's basically a driver, and it's basically, you know, the network part of it. And ZoneAlarm is really pretty much a GUI on top of it. This is basically a beneficial rootkit to your system. And it's basically what keeps it safe from all sorts of local threats and what have you. And it's quite aggressive about defending itself, as you will see.

So, reversing ZoneAlarm. Our plan of attack here: we need to get write access to the ZLClient.exe process and inject code into it that will disable the firewall. We need to run that code and make sure it's done quasi-stealthily, so that you don't have all sorts of, you know, flashing buttons come up on the screen and what have you. And I'm going to call it ZARooter.

So first, we have to find the process. We need to find ZLClient.exe's PID, process ID. Now first, we'll run EnumProcesses to get a process list and then use OpenProcess with the parameter PROCESS_QUERY_INFORMATION to be able to basically enumerate through certain, like, the actual name of the executable. So then we'll use EnumProcessModules to get the module handle of the process and GetModuleBaseNameA to get the process name. Then we can just continually string-compare this to ZLClient.exe, and when we hit that, we'll know that we have the right process.

Now there's a big problem here. TrueVector, for us, is a pest. It behaves, as I said before, it behaves like a rootkit. It hooks a lot of system calls, and this is why you cannot just do a TerminateProcess on the firewall. Although I think if you follow the route that I've used to this, you actually can do a TerminateProcess on the firewall, but it's pretty much going to kill all network activity, so you don't want to do that. That's one of the reasons I took the route that I did. The most important call that it hooks, at least for us, is NtOpenProcess.
If that's hooked by ZoneAlarm and it's doing what it does, preventing us from trying to attach to it, we will not be able to get a handle to ZLClient.exe, and our code can't run. We won't be able to inject any code into the process, and that's a very big problem, because you're going to shut it off.

So enter the ZARooter driver. Now the funny thing in this version of ZoneAlarm: TrueVector, or ZoneAlarm, whatever it is doing in the back end, does not mind if we load a driver. Ooh, rootkit, hello. So we can write to the system service dispatch table, and this means we can execute code on the same level as TrueVector. So guess what, we can unhook every system call that it hooked. Yeah. So basically here we have the pseudo-rootkit, because it doesn't really do anything malicious other than unhook a system call, and no one's really going to notice that. Well, actually you can, but for a normal user, even if they got their hands on one of these programs where you can view the system call table, it's like, "oh, there's one less hook in there, so I'm less vulnerable," something like that.

So basically an outline of how this will work: we'll create a memory descriptor list for the system service dispatch table, which is basically using this __declspec right here. Now that's not the most stealthy way to do that, but if you read rootkit.com you'll find out some other ways to make this a bit more stealthy. And then we'll unhook NtOpenProcess and replace it with the address of the original syscall. Well, the original code that ran it. So it turns out that ZoneAlarm didn't actually rip out the code of that old system call. All it did was redirect it to its own stuff. So it's still there; you just have to find the address of it and use it.
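The table-hook mechanism the talk is describing above (a dispatch-table entry redirected to the firewall's filter, with the original handler still present in memory) is easy to see in miniature. The following is an added example, not code from the talk or from the ZARooter driver: a plain user-mode C simulation in which a constructed four-entry "dispatch table" of function pointers stands in for the kernel's system service table, `SC_OPEN_PROCESS` stands in for NtOpenProcess, and `install_protective_hook` plays the firewall's role. The defensive half is `count_modified_entries` / `first_modified_entry`: the snapshot-and-compare check that anti-rootkit table viewers perform, which is what shows "one less hook" just as readily as one more. All names, values and PIDs here are constructed for the example; nothing touches a real kernel.

```c
#include <stdio.h>
#include <string.h>

#define SYSCALL_COUNT   4
#define SC_OPEN_PROCESS 2   /* constructed index standing in for NtOpenProcess */

typedef int (*syscall_fn)(int arg);

/* "Original" handlers (constructed). Each returns something distinctive so a
 * call's path through the table, and through a hook, is observable. */
static int sys_noop(int arg)         { return arg; }
static int sys_create_file(int arg)  { return arg + 1; }
static int sys_open_process(int pid) { return pid * 10; }   /* pretend handle value */
static int sys_close(int arg)        { (void)arg; return 0; }

/* The dispatch table the kernel would consult: syscall number -> handler. */
static syscall_fn dispatch_table[SYSCALL_COUNT] = {
    sys_noop, sys_create_file, sys_open_process, sys_close };

/* Known-good copy that the integrity check compares against. */
static syscall_fn baseline_table[SYSCALL_COUNT];

/* Firewall-style hook: a filter placed in front of the original handler.
 * It keeps the original's address, so the original code stays in memory;
 * only the table entry changed, which is exactly what a checker can see. */
static syscall_fn original_open_process = NULL;
static int protected_pid = 0;

static int hooked_open_process(int pid)
{
    if (pid == protected_pid)
        return -1;                         /* deny a handle to the guarded process */
    return original_open_process(pid);     /* otherwise pass through */
}

/* Record the current table as the baseline. Returns the number of entries recorded. */
int snapshot_baseline(void)
{
    memcpy(baseline_table, dispatch_table, sizeof dispatch_table);
    return SYSCALL_COUNT;
}

/* Install the protective hook (the firewall's role).
 * Returns 1 if installed, 0 if it was already in place. */
int install_protective_hook(int pid_to_protect)
{
    if (dispatch_table[SC_OPEN_PROCESS] == hooked_open_process)
        return 0;
    protected_pid = pid_to_protect;
    original_open_process = dispatch_table[SC_OPEN_PROCESS];
    dispatch_table[SC_OPEN_PROCESS] = hooked_open_process;
    return 1;
}

/* User-mode view: every call is dispatched through the table. */
int do_syscall(int number, int arg)
{
    if (number < 0 || number >= SYSCALL_COUNT)
        return -2;
    return dispatch_table[number](arg);
}

/* Integrity check: how many live entries differ from the baseline. */
int count_modified_entries(void)
{
    int n = 0;
    for (int i = 0; i < SYSCALL_COUNT; i++)
        if (dispatch_table[i] != baseline_table[i])
            n++;
    return n;
}

/* Index of the first entry that differs from the baseline, or -1 if none. */
int first_modified_entry(void)
{
    for (int i = 0; i < SYSCALL_COUNT; i++)
        if (dispatch_table[i] != baseline_table[i])
            return i;
    return -1;
}

int main(void)
{
    snapshot_baseline();
    printf("clean table: %d modified entries\n", count_modified_entries());
    install_protective_hook(1234);
    printf("after hook:  %d modified entries, first at index %d\n",
           count_modified_entries(), first_modified_entry());
    printf("open pid 1234 -> %d (denied), open pid 42 -> %d (passed through)\n",
           do_syscall(SC_OPEN_PROCESS, 1234), do_syscall(SC_OPEN_PROCESS, 42));
    return 0;
}
```

The point of the check is the baseline, not the hook count: a snapshot taken while the firewall's hooks are in place makes any later entry that reverts to the original handler show up as a modified entry too, so a viewer that only reports "fewer hooks" has lost the information that matters.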
So basically what you'll have to know is the syscall number and the address, and that differs between service packs, and I know my code isn't the most portable, as you'll see, but you can make it portable. I'll discuss that later, though. And basically we have a macro here that's called HOOK_SYSCALL. Basically it takes a syscall number and an address, and it'll set it to that. And I can actually bring up the code on here, if my computer doesn't explode. Just please pray that it doesn't, because that was kind of odd last time. All right. Go back to... Go to ZARooterDriver here. All this code will be up on the NoxusFiles website, by the way, after the con. So, okay, let me see, ZARooter.c. And of course you have to edit these with Vim, because if you don't use Vim you're not leet, of course. It's just a rule.

But anyway, as you can see, some of this is kind of messy, because I was kind of experimenting about which calls to unhook and what I could do with that. But I basically commented out the ones that don't really matter for our purposes. So you basically have an array of the addresses we want to set the hooked syscalls to, and an array of syscall numbers that we want to unhook. So basically right here it will iterate through all of this, and then, if you have a debug event viewer on your system, you can actually see "status: unhooking syscall number blah with address of blah". So it will unhook the syscall, and basically we'll win. So that's the important thing.

So now we have to find a way to shut it off. Now this takes some reverse engineering right here, and basically after a while of grinding through code you find that there's this little function at this hex location right here, and it seems to be a pretty reliable address, so it doesn't change a whole lot, or at all, that I've seen. And basically the funny part is, if you can see "TVTF force shutdown" right there, yeah.
So anyway, basically if you pass it a value of 4, it will tell TrueVector basically to screw off and don't do anything, so that's pretty fun. So we can call that via code that we inject into the firewall. Now, if I recall correctly, methods that are basically at a lower level than this are in some of the ZoneAlarm DLLs, but don't try to call them, because it pretty much won't work; there is some sort of authentication stuff that basically knows whether you're running it actually from the firewall or not.

So problem number two: we have a lot of alerts that are going to pop up. You know, that sucks. We don't want the user to know that we're actually rooting them. So you have icon changes. You have a text box like right here. You have that nice message, "System error, please reboot." Maybe that would alert people that there's something a little bit wrong, and all that fun stuff. So we basically need to get rid of these.

Now the first one is that there is an icon change. As you can see right there, there's a big X, and then it will say "TrueVector security service is shut down." We don't want the user to see that, because they might wonder why a big red X is in the bottom of their system, although with some users these days it may not matter, but we still want to be cautious here and do what we can. So what's kind of funny is Shell_NotifyIcon basically takes two parameters, and one is, like, the message it's going to send, and this NOTIFYICONDATA structure right here. Now, I didn't research all of what that did, but basically the bottom line is it changes the icon, and we don't want it to. So we can pretty much replace that call with add esp, 8 after it's pushed the parameters, and there is no more call. Because, if... do any of you know how, like, the stack works when calling a function in assembly language? Anyone?
Okay, well, the bottom line is things get pushed onto the stack, kind of like you stack plates, and the front, like where the top plate is, that's where this register called ESP is, and indirectly it will reference all of the arguments from that. So all this does is pretty much reset that pointer, you know, from the top of the plate or the stack, depending on how you want to think of it, further back, so it pretty much doesn't matter that they had these arguments for it. So basically we just killed that call, so we win.

Now the screen text uses a few resource strings in the .rsrc section of the portable executable. For those of you who do not know, the PE is the format, you know, like you have an .exe file, you run that, that's PE. So basically you see all these, like, system error messages and whatnot. Well, we can just overwrite them with our own. Sounds good. And it uses DrawText to write this to the screen. It's, I believe, a GDI call; I think it's in user32.dll, but that's kind of not important right now. So what we're going to do is have a user-mode hook on DrawText, because we want to see whenever it's going to try to spit these nasty messages out. Now what we're going to have to do first of all is pretty much preserve the program state at that moment. We can use these opcodes right here: pushad, pushfd, popad. Basically what that does is it saves the state of all the registers and pushes it onto that stack, you know, the plate thing. And then also it does this for the flags register too, and basically that has some info about whether you're going to, you know, jump this way, jump that way. But the bottom line is we're saving the program state. Does anyone understand that?
Okay, good. Now what we're basically going to do is, where you see this mov ebx, [esp+2c] after the pushad and pushfd, that's basically looking at one of the arguments of DrawText. So it's basically seeing what text is going to be written, and it will check it for "All". Now I think I forgot to explain the reason why I did this, but if you see here, that's red, "System error, please reboot," that's all in red. Now if you notice, when it's running normally... let me see if I have it running in the virtual machine here. Oh no. Okay. Oh, that's all right. Yeah, I have that basic reminder there, but you saw it work, so that's important. Wait, that's not going to show it either. I'll just run ZoneAlarm on this. Come on. Zoom out. All right. Now if we can wait while this program runs, and it will start up, but the bottom line is it's all in green. So we don't want to have flashing red messages everywhere; that's going to be a problem. Now I'll come back to that; that's going to take forever to load with the amount of stuff I'm running on this. So basically we're going to check for "All", because, you know, that's the message we wanted to say: "All systems are active." That's pretty much what the original message was, and that's what we did with the overriding in memory. Now pretty much what it's going to do is, if it's there, it's just going to run SetTextColor to set the text to green, and then we basically do the rest of the stack setup, and then we win.

Now there is one issue here: how are you going to transport that driver over to the infected, the exploited, user system? Now one approach here is to include this as a resource in a DLL. Now the nice thing about the Metasploit Framework is that a guy named skape wrote this little payload that did DLL injection, basically over TCP, remote DLL injection. Now if you've ever seen someone, I don't know, get a remote desktop display after running an exploit through VNC on someone else's box, that's it. Basically you can transport a full program, no assembly language programming required, in a DLL, and they'll run it. Unfortunately, my DLL had some problems with that, like it worked in the... oh, okay, here we are. Allow that. So, just to show you again, like with the green text, it's right here, see, "All systems active." So yeah, a bit schizophrenic, but that's okay.

And so what I was talking about is transporting this driver, this quasi-malicious driver, over to the other person's machine. So what we can do is include this as a resource, like in that .rsrc section that you saw before. We can throw files in that and all sorts of fun stuff. So we can use the FindResource function, LoadResource, and basically write it to the disk, and then use the Service Control Manager to load the driver. Now, somehow during this we're going to have to coerce this program into executing this code. Fortunately Windows offers some process, I guess you would call it, interaction functions. Basically the interfaces that you use for writing a debugger are the ones you kind of use here. And come to think of it, what this is really like is... do all of you know what a loader is, with software piracy?
Like if the program is packed and you want it to decrypt itself and then inject the code later, what you can do is write a loader. And so basically it will use WriteProcessMemory and all this other stuff to basically wait a certain amount of time, inject the code to disable, like, your serial checker, what have you, into the process, and then it will be okay. Some are more intelligent than others, but it's not that important here, because we're not dealing with any obfuscation or encryption. But this shutdown code that I was talking about before, remember, I told you that if you pass this a parameter, it shuts the firewall off. The deal will be, I basically went through the executable and found a whole bunch of slack space to write it into, so it's going to be pretty reliable. We won't have to make anything position-independent in this case, because jumps and stuff like that to other memory addresses can be thrown off depending on where you are in memory. So I pretty much picked a static one, and it's worked, so don't question it.

So now what we're going to do is run this one function called CreateRemoteThread. Basically it does what it says: it creates a remote thread. You basically pass it the starting address of where you want your code, and then it will run it. Sounds fun, doesn't it? I mean, just running code in other applications. God, it's awesome. So we do this after we've changed all the strings and injected the hooks, like on DrawText and what have you. So we're going to have a demo, and this will hopefully work a lot better than the last one, because I've tested it on here and, by God, you know, it needs to work. But I have a Flash demo in case it doesn't, just so you know.

Now what this metsrv test thing is: it's a program that the Metasploit people use to test their thing called the Meterpreter. How many of you know what the Meterpreter is? Okay, that's a few people. But for those of you who don't know, basically the Metasploit people had this idea to throw something like, to put it in layman's terms, a hacker's command prompt into your system remotely, and it will do this over DLL injection. And to test their payload, of course, what they would do is write a test program to load it. So that's what they did, and basically I'm too lazy to edit their code, so it will pop up an alert saying that it's binding to a port. It's completely unnecessary, but it was just for the way they have it set up; you want to be able to actually view what's going on. But with this, it's pretty much a blind "shove it in and run". So it's going to listen on a certain port. As you can see, I've already run this, so it's listening on port 31337, because of course that's a neat thing to do. And once you connect to that port, it'll just run the DLL. So as you can see, this is just a whole test thing; it doesn't really affect the performance of the DLL. So we're going to run this. Okay, start that running. It's going to listen. Yeah, see, like I told you. Allow that. Okay, now I'm going to do this the ghetto way and pretty much open up a web browser and tell it to go to that port. So we'll run that, and it will come up and "oh, you got owned," you know, gonna have a message box there. So that ran two times, and so then, oh, look at that, your firewall just got disabled. And guess what, it doesn't really say much here about what just happened. It's kind of fun, isn't it? And in fact, one fun thing is that if you're waiting for, like, say you want to ping someone, right, and you run the ping command, and then it will say, you know, "allow or disallow this traffic". If you run this, that alert will stay up, but it won't matter. So the user is like, "oh, I'm going to be, you know, the big man now," and clicks deny. Well, it's not really going to do anything. So that was the demo there. I didn't include, like, getting a shell on it, but I'm sure all of the bright minds out here can figure out how that works.

So I went in, after we've basically reversed these two firewalls and done some pretty technical, in-depth methods of breaking them, right, and I tested some other firewalls with basically some general tests: if we could inject code into another process and have it run. I did this in a very ghetto fashion. What I basically did is opened up Internet Explorer in OllyDbg, used a Metasploit payload generation program to generate a payload, and with some sed magic I could extract it and paste the payload in, so it would just basically run the shellcode. So what I'll test for is that, and also the ability to debug the main firewall process. Obviously, as you saw in this, if you can debug the main firewall process, you pretty much own it. And also whether syscalls were hooked in an obvious manner, basically because the whole idea is that if they were, then you could use the same driver that I wrote to unhook them. And yeah, basically the ability to load drivers too, because that's important; you don't want rootkits to be able to be loaded on your system. Wait, I forgot to change... okay.

So the first one we're going to talk about is Kerio. Now, the main process can be debugged. I haven't done any actual, like, "I'm going to turn this off and here's the DLL for it," like I did for ZoneAlarm, but if the main process can be debugged, it's safe to assume that we can turn it off. But to its credit, it does detect code injection into trusted processes. But it didn't seem to detect a driver load either.

So yeah, Comodo. This is another popular firewall I've seen, and the main process cannot be debugged. It has non-obvious hooking methods, and it also detected code injection into a trusted process. But here's the kicker: it didn't seem to be able to detect a driver load.

And the latest ZoneAlarm Pro, and actually this is the latest version, and it's learned its ways from my previous DLL: it does detect code injection into a trusted process, you cannot debug the main firewall process, and it does detect driver loads. And that's one of the few, if only, firewalls I've seen that does that, so props to ZoneAlarm for implementing this mechanism. But it does seem to have the same hooking mechanism as before, so the idea is, if you're able to get kernel-mode code execution, you can still disable it pretty simply.

So now let me go back here just a minute, and what more needs to be done. Oh, I was supposed to talk about that after ZoneAlarm, I'm sorry, but the thing with my ZoneAlarm payload, or DLL, is basically that it really needs more portability to it. If you run this between different service packs or patch levels, even, it'll blue screen, because it would basically tell the hook on NtOpenProcess to jump into an area of memory that, well, didn't have the right code at it, because it changed. So, to be able to have basically more dynamic resolving of the functions that are used, like that SetTextColor; if you run it as is now, you can have basically jump errors. I didn't do any arithmetic on calculating jump offsets and whatnot, so that's going to break your program. And more intelligent generation of the jump hook that was placed on DrawText; we could, you know, make it green and whatnot.

Okay, so, conclusion. Things to be learned here: firewalls are just applications, and they're not really the end-all of security. Somehow, some way, you're going to be able to break it. And subverting them will only increase in importance later, because more and more people are going to be running it, more and more people are going to be dependent on it. You know, you have Vista that has HIPS-like features in it as well, so you're going to have some more code that's going to come out for that by various researchers. And so pretty much this is the end of the speech, but thanks to HD Moore, who helped me write the Windows Firewall disabling payload; poncho, of course, helped me with the NoxisFiles website; and Optics, I know you're not here, but thanks anyway, you've had some great insight into stuff. So if you want the code, it should be up at noxisfiles.com later in the day, like about an hour or two, so get the code, play around with it, test it out, everything like that. So that's the end. Any questions? Any questions? Yeah, and use the mic, please.

I have a question. I saw how you were... I'm sorry, I'm not that person... with disabling all the alerts and stuff, what about the actual disabling of the Windows alerts, the popups?

That is done via the WMI interface, and I imagine that if I took a look and saw actually what that did, I would be able to kill it, because I know there have to be API calls for doing this. For anyone who knows about that type of thing, feel free to download the code, implement that, and then contribute to it. So that's my charge for you guys. Thank you.

The Symantec firewall, did you experiment with that?

No, I did not. I basically took those three firewalls. I kind of added that in at the last minute, so I didn't have the chance to get actual firewalls that cost stuff, because of course no one wants to pirate here, right? Just saying. Yeah, next question.

Curious on your experience and what you found for disabling the firewall and getting at people, since they're probably behind NAT. Is just doing a reverse shell...

Well, what was the question again? Behind a NAT? I mean, if you were doing a reverse shell or reverse Meterpreter, pretty much that would subvert the NAT now, wouldn't it? Yeah. So are you wondering about the bind that I did with the XP firewall? That was basically to show... because the Windows XP firewall pretty much blocks the bind; that's what it's most concerned with more than anything else. And so by having you be able to get a bind shell, that shows for certain that it was disabled. So that was basically a proof of concept right there. Thank you.

I was just curious to see if this presentation was on the DEF CON CD.

Yes, it is.

Awesome.

The last slides, I think, about the other personal firewalls on there that I kind of smoke tested...
a little bit are not but I mean that's not the most important thing in the world but you'll be able to download them from NoxusFiles.com so sweet, you rock thank you any other questions no I'm currently not wearing pants yeah alright I hope you've had a great DEF CON and will continue having a great DEF CON thanks for coming