Author Topic: Close TCP/IP connections with remote ip and port  (Read 6830 times)

Offline CorruptedByte

« on: December 30, 2011, 07:45:10 pm »
Hi, how can I close the connections from the netstat information? In the netstat information, connections like this appear:


Conexiones activas

  Proto  Dirección local        Dirección remota       Estado
  TCP    0.0.0.0:135            CorruptedPC:0          LISTENING
  TCP    0.0.0.0:445            CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1025           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1026           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1027           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1028           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1030           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:1031           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:3306           CorruptedPC:0          LISTENING
  TCP    0.0.0.0:5357           CorruptedPC:0          LISTENING
  TCP    127.0.0.1:1029         CorruptedPC:5354       ESTABLISHED
  TCP    127.0.0.1:1035         CorruptedPC:27015      ESTABLISHED
  TCP    127.0.0.1:1786         CorruptedPC:1787       ESTABLISHED
  TCP    127.0.0.1:1787         CorruptedPC:1786       ESTABLISHED
  TCP    127.0.0.1:1790         CorruptedPC:1791       ESTABLISHED
  TCP    127.0.0.1:1791         CorruptedPC:1790       ESTABLISHED
  TCP    127.0.0.1:1940         CorruptedPC:5354       ESTABLISHED
  TCP    127.0.0.1:1944         CorruptedPC:5354       ESTABLISHED
  TCP    127.0.0.1:1945         CorruptedPC:5354       ESTABLISHED
  TCP    127.0.0.1:1952         CorruptedPC:27015      ESTABLISHED
  TCP    127.0.0.1:5354         CorruptedPC:0          LISTENING
  TCP    127.0.0.1:5354         CorruptedPC:1029       ESTABLISHED
  TCP    127.0.0.1:5354         CorruptedPC:1940       ESTABLISHED
  TCP    127.0.0.1:5354         CorruptedPC:close-combat  ESTABLISHED
  TCP    127.0.0.1:5354         CorruptedPC:1945       ESTABLISHED
  TCP    127.0.0.1:27015        CorruptedPC:0          LISTENING
  TCP    127.0.0.1:27015        CorruptedPC:1035       ESTABLISHED
  TCP    127.0.0.1:27015        CorruptedPC:1952       ESTABLISHED
  TCP    192.168.1.108:139      CorruptedPC:0          LISTENING
  TCP    192.168.1.108:1905     channel-ji-13-01-snc7:https  ESTABLISHED
  TCP    192.168.1.108:1953     a63-80-4-50:http       CLOSE_WAIT
  TCP    192.168.1.108:2350     www-14-05-prn1:https   TIME_WAIT
  TCP    192.168.1.108:2591     nuq04s07-in-f11:http   ESTABLISHED
  TCP    192.168.1.108:2597     pz-in-f120:http        ESTABLISHED
  TCP    192.168.1.108:2600     www-15-06-prn1:https   ESTABLISHED
  TCP    192.168.1.108:2614     nuq04s07-in-f2:http    ESTABLISHED
  TCP    192.168.1.108:2627     nuq04s07-in-f12:https  ESTABLISHED
  TCP    192.168.1.108:2638     nuq04s07-in-f10:https  ESTABLISHED


and others with the remote IP. How can I close the connection with the remote IP and the port?

I need to program this in C#, any idea?


Thanks  ;)

Offline iAmLuFFy

« Reply #1 on: December 30, 2011, 08:02:35 pm »
I found this on the net.


 
Code: [Select]

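// Needs: using System.Net; using System.Net.Sockets; using System.Threading;
TcpListener listener = new TcpListener(IPAddress.Any, Port);
System.Console.WriteLine("Server Initialized, listening for incoming connections");
listener.Start();
while (listen)
{
     // Step 0: Client connection
     TcpClient client = listener.AcceptTcpClient();
     Thread clientThread = new Thread(new ParameterizedThreadStart(HandleConnection));
     clientThread.Start(client.GetStream());
     // No client.Close() here: it would dispose the stream while the worker thread
     // is still using it. HandleConnection closes the stream when it is done.
}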
iAmLuFFy

Offline ande

« Reply #2 on: December 30, 2011, 08:07:15 pm »
That's a server example.


Not sure if there is an easy way of doing this, awaiting response.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline ca0s

« Reply #3 on: December 30, 2011, 08:11:04 pm »
With netstat -b (run as administrator) you also get which exe owns that connection. Get that output (pipes), get the process name, kill it (OpenProcess, TerminateProcess).
Edit: with netstat -o you get the process PID directly. No need to find it by name.
« Last Edit: December 30, 2011, 08:13:40 pm by ca0s »
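
Reply #3's suggestion, as an added example that is not code from any poster in this thread: parse the text of `netstat -ano` (`-n` keeps the endpoints numeric, `-o` adds the PID column) and return the row and PID for a given remote IP and port. The sample text, its addresses and PIDs are constructed, and `parse_tcp_line` and `find_owner` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* One TCP row of `netstat -ano` output: numeric endpoints plus owning PID. */
struct tcp_row { char local[64], remote[64], state[16]; unsigned long pid; };

/* Constructed sample; addresses are documentation ranges, PIDs are made up. */
static const char SAMPLE[] =
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892\n"
    "  TCP    192.168.1.108:1905     203.0.113.10:443       ESTABLISHED     3120\n"
    "  TCP    192.168.1.108:2350     198.51.100.7:443       TIME_WAIT       0\n"
    "  UDP    0.0.0.0:5355           *:*                                    1204\n";

/* Returns 1 for a complete TCP row; bounded widths keep long columns in their buffers. */
int parse_tcp_line(const char *line, struct tcp_row *row)
{
    char proto[8];
    int n = sscanf(line, " %7s %63s %63s %15s %lu",
                   proto, row->local, row->remote, row->state, &row->pid);
    return n == 5 && strcmp(proto, "TCP") == 0;
}

/* Finds the first TCP row whose remote endpoint is ip:port; returns 1 and fills *out.
   PID 0 is a valid answer: netstat shows it for TIME_WAIT rows no process owns. */
int find_owner(const char *text, const char *ip, unsigned port, struct tcp_row *out)
{
    char want[64], line[256];
    struct tcp_row row;
    snprintf(want, sizeof want, "%s:%u", ip, port);
    while (*text) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, text); /* copy one line, truncating safely */
        if (parse_tcp_line(line, &row) && strcmp(row.remote, want) == 0) {
            *out = row;
            return 1;
        }
        text += len + (text[len] == '\n');
    }
    return 0;
}

int main(void)
{
    struct tcp_row r;
    if (find_owner(SAMPLE, "203.0.113.10", 443, &r))
        printf("%s -> %s %s pid=%lu\n", r.local, r.remote, r.state, r.pid);
    return 0;
}
```

The header and UDP lines are rejected because they do not yield five columns starting with `TCP`, so the parser does not depend on the localized column titles.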

Offline ande

« Reply #4 on: December 30, 2011, 08:13:54 pm »
That will kill the entire process? That's rather unpractical.

Offline ca0s

« Reply #5 on: December 30, 2011, 08:16:40 pm »
Oh, just kill the connection? Well, then you have to code a DLL, inject it in the process, get open file descriptors, check which of them are sockets, check if socket is connected to desired IP, and call close.
Kinda more complex. No time now, byebye.
« Last Edit: December 30, 2011, 08:17:05 pm by ca0s »

Offline CorruptedByte

« Reply #6 on: December 30, 2011, 08:31:55 pm »
Yes, that's the other solution: kill the process of the connection, like killing the process of a malware or an MSN client or other TCP/IP connection. Waiting for other answers, thanks.

Offline noob

« Reply #7 on: December 31, 2011, 08:37:25 am »
X-netstat!

Offline s3my0n

« Reply #8 on: December 31, 2011, 09:44:47 am »
Get CurrPorts, it can do all of that with a small portable executable :)



http://www.nirsoft.net/utils/cports.zip
Easter egg in all *nix systems: E(){ E|E& };E

Offline ca0s

« Reply #9 on: January 01, 2012, 02:46:51 am »
Meh, I have not been able to fully do it. This is the result.

Exe:
Code: [Select]
/*
  Connection Killer v0.1
    Closes connections of selected process matching port and ip
    By ca0s [st4ck-3rr0r.blogspot.com] [ka0labs.org]
*/

#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>   /* strcmp, strlen */
#include <windows.h>
#include <Tlhelp32.h>

void error(char *err);

HANDLE myProc=NULL;

int main(int argc, char *argv[])
{
    int rPort = 0, lPort = 0;
    char *process = NULL, *ip = NULL;
    int i=0;
    FILE *args;
   
    printf("-- Connection killer [ca0s] --\n");
    char dll[]="KillConnect.dll";

    for(i=1; i<argc-1; i++) {
      if(strcmp(argv[i], "-lp") ==0) lPort   = atoi(argv[i+1]);
      if(strcmp(argv[i], "-rp") ==0) rPort   = atoi(argv[i+1]);
      if(strcmp(argv[i], "-p")  ==0) process = argv[i+1];
      if(strcmp(argv[i], "-ip") ==0) ip      = argv[i+1];
    }
   
    if(!process) {
      printf("Usage: %s -p PROCESS -rp REMOTE_PORT -lp LOCAL_PORT -ip REMOTE_IP\n", argv[0]);
      printf("If argument left blank, assuming ALL. Process cannot be left empty.\n");
      return -1;
    }
   
    printf("[/] Killing connections from:\n");
    printf("\tProcess: %s\n", process);
    printf("\tLocal port:  %i\n", lPort);
    printf("\tRemote port: %i\n", rPort);
    printf("\tRemote IP:   %s\n", ip ? ip : "(all)");   // %s with a NULL pointer is undefined

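    // Find the target process by executable name
    HANDLE processList=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(processList==INVALID_HANDLE_VALUE) error("[-] Error creating process snapshot.\n");
    PROCESSENTRY32 pInfo;
    pInfo.dwSize=sizeof(PROCESSENTRY32);
    BOOL st=Process32First(processList, &pInfo);
    DWORD myPid=0;
    while(st!=FALSE) {
        if(strcmp(pInfo.szExeFile, process)==0)
        {
            myPid=pInfo.th32ProcessID;
            break;
        }
        st=Process32Next(processList, &pInfo);
    }
    CloseHandle(processList);
    // Without this check a missing process name would fall through to OpenProcess with PID 0
    if(myPid==0) error("[-] Process not found.\n");

    // Open process
    printf("[+] Opening process %lu\n", myPid);
    myProc=OpenProcess(PROCESS_ALL_ACCESS, FALSE, myPid);
    if(myProc==NULL) error("[-] Error opening process.\n");
    else printf("[+] Process opened.\n");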
   
    // Reserve memory for argument (our DLL's name), including its terminating NUL
    SIZE_T dllLen=strlen(dll)+1;
    LPVOID dirToArg=VirtualAllocEx(myProc, NULL, dllLen, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if(dirToArg==NULL) error("[-] Error allocating arg memory.\n");
    else printf("[+] Arg memory reserved (%lu bytes).\n", (unsigned long)dllLen);
    // Write dll's name / handle in reserved memory
    SIZE_T written=0;
    if(WriteProcessMemory(myProc, dirToArg, dll, dllLen, &written)==0) error("[-] Error writing memory.\n");
    else printf("[+] Memory successfully written (arg %lu bytes).\n", (unsigned long)written);
   
    // Write arguments to file
    args = fopen("args.txt", "w");
    if(!args) error("[-] Cannot create text file for arguments. Run me with elevated privileges.\n");
    if(lPort) fprintf(args, "L%i\n", lPort);
    if(rPort) fprintf(args, "R%i\n", rPort);
    if(ip)    fprintf(args, "I%s\n", ip);
    fclose(args);
   
    // Create thread in LoadLibrary()'s address
    HANDLE rThread=CreateRemoteThread(myProc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA"), dirToArg, 0, NULL);
    if(rThread==NULL) error("[-] Error creating remote thread.\n");
    else printf("[+] Remote thread created.\n");
   
    CloseHandle(myProc);
    //unlink("args.txt");
    printf("[+] Selected connections should have been killed.\n");
}

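void error(char *err)
{
     DWORD code=GetLastError();   // capture first: CloseHandle can overwrite the last error
     if(myProc!=NULL) CloseHandle(myProc);
     printf("%s (%lu)", err, code);
     exit(1);                     // non-zero exit status on failure
}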

DLL:
Code: [Select]
/*
  Connection Killer v0.1 DLL
    Closes connections of selected process matching port and ip
    By ca0s [st4ck-3rr0r.blogspot.com] [ka0labs.org]
*/

#include <winsock2.h>   /* must come before windows.h, which otherwise pulls in winsock.h */
#include <windows.h>
#include <process.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int getLine(char *linea, int len, FILE *file)
{
    char buf[2]={0, 0};   // one character plus NUL
    int count=0;
    memset(linea, 0, len);
    do
    {
        if(fread(buf, 1, 1, file)!=1) buf[0]=0;   // nothing read: append nothing
        strncat(linea, buf, 1);
        count++;
    }
    // len-1 leaves room for the terminating NUL that strncat writes
    while((!feof(file)) && (*buf!='\n') && (count<len-1));
    if((!feof(file)) && (count<=1))
        return 1;
    else return count-1;
}

BOOL doShit(void)
{
    char name[MAX_PATH], line[255];
    char *a, *b;
    struct sockaddr_in raddr, laddr;
    struct linger slinger;
    int i;
    long n;
    FILE *log, *args;
    int len=sizeof(struct sockaddr_in);
    BOOL isSock=FALSE;
   
    int rPort = 0, lPort = 0;
    char *ip = NULL;
    slinger.l_onoff  = 1;
    slinger.l_linger = 0;
   
    log = fopen("log.txt", "a");
    if(!log) return FALSE;
   
    GetModuleFileName(NULL, name, MAX_PATH);

    fprintf(log, "[+] Attached to %s PID: %i\n", name, getpid());
   
    // Get arguments
    args = fopen("args.txt", "r");
    if(!args) {
      fprintf(log, "[-] Cannot get arguments.\n");
      fclose(log);   // do not leak the log handle on the error path
      return FALSE;
    }
    i=getLine(line, 255, args);
    do {
      if(line[0] == 'I') { // IP
        ip = (char*)malloc(i);
        memset(ip, 0, i);
        strncpy(ip, line+1, i-1);
      }
      if(line[0] == 'R') { // Remote Port
        rPort = atoi(line+1); 
      }
      if(line[0] == 'L') { // Local Port
        lPort = atoi(line+1);
      }
      i=getLine(line, 255, args);
    } while(i>1);
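    fclose(args);
    fprintf(log, "[+] LP: %i | RP: %i | IP: %s\n", lPort, rPort, ip ? ip : "(all)");
    // Winsock SOCKET values are kernel handles, not small consecutive descriptors
    // as on *nix, so scanning 0..255 may not reach every socket in the process.
    for(i=0; i<256; i++)
    {
      char rip[16], lip[16];   // dotted-quad copies of the remote and local address
      isSock = FALSE;
      // Zero both addresses so a failed call leaves defined values behind
      memset(&raddr, 0, sizeof(raddr));
      memset(&laddr, 0, sizeof(laddr));
      len=sizeof(struct sockaddr_in);   // in/out parameter: reset before each call
      if (getpeername(i, (struct sockaddr *)&raddr, &len)!=-1) isSock=TRUE;
      len=sizeof(struct sockaddr_in);
      if (getsockname(i, (struct sockaddr *)&laddr, &len)!=-1) isSock=TRUE;
      if(!isSock) continue;
      // inet_ntoa returns a shared static buffer, so copy each result before the next call
      strncpy(rip, inet_ntoa(raddr.sin_addr), sizeof(rip)-1); rip[sizeof(rip)-1]=0;
      strncpy(lip, inet_ntoa(laddr.sin_addr), sizeof(lip)-1); lip[sizeof(lip)-1]=0;
      if ((ip) && (strcmp(ip, rip)!=0) && (strcmp(ip, lip)!=0)) continue;
      // Skip the socket if either requested port does not match (0 means "any")
      if( ((rPort!=0) && (htons(rPort)!=raddr.sin_port)) || ((lPort!=0) && (htons(lPort)!=laddr.sin_port))) continue;
      fprintf(log, "[/] Found %i\n", i);
      setsockopt(i, SOL_SOCKET, SO_LINGER, (char *)&slinger, sizeof(struct linger));
      if(closesocket(i)!=0) fprintf(log, "[-] Error %i\n", WSAGetLastError());
    }
    free(ip);
    fclose(log);
    return TRUE;
}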

BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    BOOL st = TRUE;   // defined result for the other notifications (thread attach/detach, process detach)
    if(reason == DLL_PROCESS_ATTACH)
        st = doShit();
    return st;
}

But there are connections which won't shut down. IDK why.

Offline s3my0n

« Reply #10 on: January 01, 2012, 10:54:49 am »
Oh sorry I didn't see "I want to program this in C#" ^^'
I'm sure there are many examples if you google for it.
Here's a good example I think: http://alperguc.blogspot.com/2008/11/c-process-processgetprocessesbyname.html

Offline ande

« Reply #11 on: January 02, 2012, 06:43:08 pm »
Just thought of something I did a while back: using Microsoft's IPSec to block connections. You could block the connection long enough for it to time out, then unblock it :P You can do it all by command line, so doing it in C# should work.

Offline CorruptedByte

« Reply #12 on: January 03, 2012, 03:37:38 am »
thanks, that will be very useful  ;)