A BOF to interact with COM objects associated with the Windows software firewall.

Overview

Firewall_Enumerator_BOF

What is this?

This is meant as a supplement to interact with the Windows firewall via COM interfaces.

Did you derive inspiration from anywhere?

Yes, of course. @TheRealWover's existing code from Donut gave a bit of insight into how to implement UUID functionality without losing sleep. Thank you!

Why?

COM in general through lower-level languages is a pain. This was meant to show that we can intermix convenience interfaces with C++ in BOF files.

What else does this show?

This shows that it's possible to use C++ classes/wrappers within BOF files, eliminating the need to BEGIN_INTERFACE and lose ourselves to reimplementation depths of despair in straight C.

What are the options this currently supports?

  • Fetching the total number of known Windows firewall rules via: fw_walk total
  • Enumerating the status of each of the three default firewall configurations (profile, domain, and public) via: fw_walk status
  • The ability to disable all three default firewalls (profile, domain, and public), assuming you have sufficient privileges, via: fw_walk disable
  • The ability to enable all three default firewalls (profile, domain, and public), i.e. revert your actions, assuming you have sufficient privileges, via: fw_walk enable
  • The ability to peruse all enabled firewall rules and their properties (protocol, direction, application name, etc.) via: fw_walk display
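The read-only half of that option list (total rule count, per-profile status, enabled rules and their properties) can be reproduced from an ordinary PowerShell session against the same COM interface the BOF drives, INetFwPolicy2 (ProgID HNetCfg.FwPolicy2). The script below is an added audit example written for this README; it is not part of Firewall_Enumerator_BOF and never enables or disables anything. It uses the API's own profile names and constants from netfw.h (domain = 1, private = 2, public = 4; rule direction NET_FW_RULE_DIR_IN = 1; action NET_FW_ACTION_ALLOW = 1; protocol 6/17/256 = TCP/UDP/Any), so the "profile" entry in the list above corresponds to the API's private profile here, which is an assumption of the example.

```powershell
# Added audit example, not part of Firewall_Enumerator_BOF. Reads what the BOF's
# fw_walk total / status / display commands read, via the same COM interface
# (INetFwPolicy2, ProgID HNetCfg.FwPolicy2). Read-only: no enable/disable calls.

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 values from netfw.h, the API's names for the three profiles
$profiles = [ordered]@{ Domain = 1; Private = 2; Public = 4 }

# Per-profile state (fw_walk status) plus the rule count (fw_walk total)
$status = foreach ($name in $profiles.Keys) {
    $type = $profiles[$name]
    # DefaultInboundAction: NET_FW_ACTION_BLOCK = 0, NET_FW_ACTION_ALLOW = 1
    $inbound = if ($policy.DefaultInboundAction($type) -eq 1) { 'Allow' } else { 'Block' }
    [pscustomobject]@{
        Profile        = $name
        Active         = [bool]($policy.CurrentProfileTypes -band $type)
        Enabled        = $policy.FirewallEnabled($type)
        DefaultInbound = $inbound
    }
}
"Total rules: $($policy.Rules.Count)"
$status | Format-Table -AutoSize

# Enabled rules with the properties fw_walk display lists
$enabledRules = foreach ($rule in $policy.Rules) {
    if (-not $rule.Enabled) { continue }
    $proto  = switch ($rule.Protocol) { 6 { 'TCP' } 17 { 'UDP' } 256 { 'Any' } default { $rule.Protocol } }
    $dir    = if ($rule.Direction -eq 1) { 'In' } else { 'Out' }    # NET_FW_RULE_DIR_IN = 1
    $action = if ($rule.Action -eq 1) { 'Allow' } else { 'Block' }  # NET_FW_ACTION_ALLOW = 1
    [pscustomobject]@{
        Name        = $rule.Name
        Direction   = $dir
        Protocol    = $proto
        Action      = $action
        Application = $rule.ApplicationName
        LocalPorts  = $rule.LocalPorts
        Profiles    = $rule.Profiles   # bitmask of the NET_FW_PROFILE_TYPE2 values above
    }
}
$enabledRules | Sort-Object Direction, Name | Format-Table -AutoSize

# Defender's check: the BOF's disable option clears exactly the FirewallEnabled
# flag read above, so flag any profile that reports it off. The non-zero exit
# code lets a scheduled task or monitoring agent act on the result.
$off = $status | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning ("Firewall disabled for profile(s): " + ($off.Profile -join ', '))
    exit 1
}
```

This only shows the state at the moment it runs. To see a change as it happens rather than after the fact, pair it with the firewall's own logging: the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall operational log records a profile setting change as event 2003, and with "Audit MPSSVC Rule-Level Policy Change" enabled the Security log records it as event 4950. Enumerating rules, as this script and fw_walk display both do, needs no elevation; changing profile state does, which is why the enable and disable options above depend on sufficient privileges.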

How do I run this?

  1. In this case, you have two options:
    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
    2. Compile from source via the Makefile
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file, in the Script Manager, located in the dist directory
  3. Within a provided Beacon, beacon> fw_walk to display the previously-mentioned options

Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk"
  • You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.

Where can we go from here?

The sky's the limit:

  • Add a rule for your own application
  • Add a rule for an interface of your choosing
  • Delete rules at will

Special Thanks

@JohnLaTwC, you're awesome for volunteering your time to ensure coding practices are upheld on both sides of the fence!

Comments
  • display hook

    Before everything, I have to admit that it's a nice work ;) here. The display option redirects me to the help menu of fw_walk; for the 3 others, everything is working perfectly. Any help??? Thx in advance.

    PS: there is no BOF in all of GitHub that >>> configures a service, enables a service, disables a service. Any link please??

    opened by ghost 0