This is a little program that is able to detect if a rootkit is hiding a certain port from being detected as a port that listens for connections. The program will only work when the rootkit uses a port-based listening backdoor.
Tool source:
/*
++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you haven't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only meant for +
+educational purposes only. WE DO NOT encourage the use of these tools and +
+tutorials for malicious purposes. We learned a lot during the development of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completely NO responsibility for any damage caused by them nor +
+are we or our ISP responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++
*/
#include <windows.h>
#include <stdio.h>
#include <Iphlpapi.h>
#include <winsock2.h>
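/* Probe every TCP port with bind() and report the ones that are already in use. */
void BindPort(void);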
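/*
 * Entry point. With no arguments the port probe runs; any argument at all
 * prints the banner, which also carries the tool's two caveats: a listener
 * created with SO_REUSEADDR is not detected, and a port that this tool reports
 * but netstat does not show is only an indication that it is hidden.
 *
 * Returns 0 in both cases; the probe writes its findings to stdout.
 */
int main(int argc, char *argv[])
{
    if (argc > 1) {
        /* Any argument is treated as a request for the banner. */
        printf("\t\tDetect Hidden Connections\n");
        printf("\tWritten By: Kd-Team\n");
        printf("\tThis is just a POC to show\n");
        printf("\tHowto detect hidden tcp ports\n");
        printf("\tUsually rootkits hide them\n");
        printf("\tThis DOES NOT WORK WHEN:\n");
        printf("\t\"setsockopt(SO_REUSEADDR)\" is set\n");
        printf("\tRead readme.txt for more info\n");
        printf("\tUsage: %s\n", argv[0]);
        printf("\tWhen this output's ports that netstat doesn't\n");
        printf("\tthat would theoretically be a indication\n");
        printf("\tthat the port is hidden\n");
    } else {
        BindPort();
    }
    return 0;
}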
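/*
 * BindPort - try to bind a TCP socket to every port in [FIRST_PORT, LAST_PORT]
 * and report each port where bind() fails.
 *
 * A port that cannot be bound is held by some socket; when netstat does not
 * list that port, that is the "hidden port" indication the banner in main()
 * describes. It is only an indication: any legitimate listener or transient
 * connection also makes bind() fail, so every hit needs manual confirmation.
 * As the banner says, a listener created with SO_REUSEADDR is not detected,
 * because bind() then succeeds on the shared port.
 *
 * NOTE(review): the original listing omitted WSAStartup(), socket() and the
 * declaration of the loop variable `i`; the port range and the INADDR_ANY
 * bind address below are assumptions the listing does not pin down - confirm
 * against the tool's readme.
 *
 * No parameters, no return value; results go to stdout.
 */
enum { FIRST_PORT = 1, LAST_PORT = 65535 };

void BindPort(void)
{
    WSADATA wsa;
    SOCKET hLstnSock;
    int i;

    /* Winsock must be initialised before any socket call; if that fails
     * nothing below can work, so report and stop. */
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        printf("WSAStartup() %d failed\n", WSAGetLastError());
        return;
    }

    for (i = FIRST_PORT; i <= LAST_PORT; i++) {
        /* Zero-initialised so sin_zero and any padding are defined. */
        struct sockaddr_in ServAddr = {0};

        hLstnSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (hLstnSock == INVALID_SOCKET) {
            printf("port: %i socket() %d failed\n", i, WSAGetLastError());
            continue;
        }

        ServAddr.sin_family = AF_INET;
        ServAddr.sin_port = htons((unsigned short)i);
        ServAddr.sin_addr.s_addr = htonl(INADDR_ANY);

        if (bind(hLstnSock, (struct sockaddr *)&ServAddr, sizeof(ServAddr)) == SOCKET_ERROR) {
            /* Read the error before closesocket(), which may overwrite it. */
            int err = WSAGetLastError();
            printf("port: %i bind() %d failed\n", i, err);
        } else {
            /* Uncomment to list the ports where the bind succeeded:
             * printf("port %i succeeded\n", i); */
        }

        /* Release the port at once so the probe itself never holds it. */
        closesocket(hLstnSock);
    }

    WSACleanup();
}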