
Introduction to Cerberus

Port Knocking with covert packets to secretly open your firewall

Published: June 2004


Agenda
• Introduction to Port Knocking
• Isn't Security through Obscurity Bad?
• Traditional Port Knocking Tools
• Problems with Port Knocking Tools
• Introduction to Dana's Version - Cerberus
• Crafting Cerberus packets
• Packet breakdown information
• Things to Consider / Summary
• Questions
Introduction to Port Knocking
• Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports.
• Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server.
• The server does not send any
Isn't Security through Obscurity Bad?
• Security implemented SOLELY through obscurity is considered bad; using obscurity as another line of defense is actually good.
• Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets.
• Traditional port knocking isn't really that "obscure" anyway. Most analysis tools can pick up
Traditional Port Knocking with TCP/IP
• cd00r: http://www.phenoelit.de/stuff/cd00rdescr.htm
• Doorman: http://doorman.sourceforge.net/
• knockd: http://www.zeroflux.org/knock/
• SAdoor: http://cmn.listprojects.darklab.org/
• toctoc: http://brahma.cpd.ufjf.br/~atrix/toctoc
Problems with Traditional Port Knocking
• Once you know the secret knock, the port is opened; it's quite easy to sniff the wire to get the sequence. Furthermore, TCP-style knocking leaves a lot of "logging cruft", making it easy to find. Intrusion detection sensors pick up on this easily!
• Most simple implementations have no way to authenticate the knocker. How do you know it's who you think it is?
• Most port knockers require some sort of client or script to work, not always available to you.
• Many knockers require the src of the packet
Dana's Way with ICMP
• Can bypass most IDS sensors as "normal" traffic
• Uses typical ICMP traffic allowed by most firewalls
• Doesn't require special tools to craft packet sequences; can be done with the Linux 'ping' command
• Was written over 5 years ago, before port knocking was a common thing
Introduction to Cerberus – Dana's Port Knocking Daemon
• Small daemon written in C tied to libpcap which sniffs all inbound ICMP 'ping' packets (type 8)
• Requires very little overhead and doesn't have to look for packet patterns or watch system logs closely.
• Uses some simple, yet effective techniques to provide rudimentary authentication
How Cerberus Works
• Looks for specially crafted ICMP type 8 ping packets. Once found, breaks the packet payload down into:

struct cerberus_payload {
    uint16_t initiator;   /* 2 bytes, always 0xDEAD */
    uint8_t  user_id;     /* 1 byte UserID */
    uint8_t  action_id;   /* 1 byte ActionID (action sequence) */
    uint8_t  otp[8];      /* 8 byte One Time Password (OTP) */
    uint8_t  ip[4];       /* 4 byte IP address (dotted decimal to hex) */
};                        /* 16 bytes in total */
How Cerberus Works – The OTP
• The One Time Password is a hash of:
  • The current date and time, down to the minute
  • A system 'server seed'
  • An individual user passcode
  • The IP address to allow in (in dotted decimal format)
• The hash used is an MD5 of that data concatenated together
Crafting a Cerberus Packet
• Make the OTP (the last 16 hex characters of the MD5, i.e. 8 bytes):
date +"%d%m%y%k%Msome_seedmy_pincode204.244.123.234" | md5sum | cut -c 17-32
• Send the packet (the 32 hex characters are the 16-byte pattern ping pads the payload with):
ping -c1 -p "dead4201f0b70bc031a365e9ccf47bea" mymachine.com
Packet Pattern Breakdown

dead  42      01        f0b70bc031a365e9  ccf47bea
Initiator | UserID | ActionID | Hashed OTP | IP address as HEX
Received packet breakdown
16:26:45.021294 IP stinger.scorpionsoft.com >
S02060005180002c5.va.shawcable.net: icmp 64: echo reply seq 0
0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305 E..T'...@.......
0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e .P....zW....@..^
0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac ..v...B.....X.#.
0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
0x0050: ccf4 ..
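To make the OTP recipe and the 16-byte pattern concrete, here is an added Python example (not Cerberus's own C daemon): it builds the ping -p pattern the same way the date | md5sum | cut pipeline does (including the trailing newline that date emits and md5sum hashes), parses the pattern back out of ICMP echo data, and checks it against a sliding minute window as the time-drift slide suggests. The seed, pin, example time and function names are assumptions; the captured bytes are copied from the tcpdump above.

```python
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD
PAYLOAD_FMT = "!HBB8s4s"              # initiator, UserID, ActionID, OTP, IPv4 -> 16 bytes
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)
EXAMPLE_TIME = datetime(2004, 6, 15, 16, 26)   # constructed example timestamp

# ICMP echo data from the deck's tcpdump: 8-byte ping timestamp, then the pattern repeated
CAPTURED_ICMP_DATA = bytes.fromhex(
    "40c8ec5e00007695" + "dead4201e394db1158d423acccf47bea" * 3 + "ccf4")

def otp_for(when, seed, pin, ip):
    """Mirror `date +%d%m%y%k%M<seed><pin><ip> | md5sum | cut -c 17-32`.
    %k is the space-padded hour; `date` prints a trailing newline that md5sum hashes too."""
    stamp = f"{when.day:02d}{when.month:02d}{when.year % 100:02d}{when.hour:2d}{when.minute:02d}"
    digest = hashlib.md5(f"{stamp}{seed}{pin}{ip}\n".encode()).hexdigest()
    return digest[16:32]                # cut -c 17-32 (1-indexed) == chars 16..31

def build_payload(user_id, action_id, seed, pin, ip, when):
    """Return the 16-byte pattern for `ping -p` as a 32-character hex string."""
    raw = struct.pack(PAYLOAD_FMT, INITIATOR, user_id, action_id,
                      bytes.fromhex(otp_for(when, seed, pin, ip)),
                      ipaddress.IPv4Address(ip).packed)
    return raw.hex()

def parse_payload(icmp_data):
    """Find the first 0xDEAD initiator in the echo data (ping prepends its own
    timestamp and repeats the pattern) and unpack the fields, or None if absent."""
    pos = icmp_data.find(INITIATOR.to_bytes(2, "big"))
    if pos < 0 or len(icmp_data) - pos < PAYLOAD_LEN:
        return None
    _, user_id, action_id, otp, ip = struct.unpack_from(PAYLOAD_FMT, icmp_data, pos)
    return {"user_id": user_id, "action_id": action_id,
            "otp": otp.hex(), "ip": str(ipaddress.IPv4Address(ip))}

def verify(fields, seed, pins, now, drift_minutes=1):
    """Server-side check: recompute the OTP for every minute in the drift window
    using the pin registered for that UserID, comparing in constant time."""
    pin = pins.get(fields["user_id"])
    if pin is None:
        return False
    for offset in range(-drift_minutes, drift_minutes + 1):
        candidate = otp_for(now + timedelta(minutes=offset), seed, pin, fields["ip"])
        if hmac.compare_digest(candidate, fields["otp"]):
            return True
    return False
```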
Things to consider when writing your own version of Cerberus
• Strength of cryptography. The hash is only as strong as the seed and passcode.
• Time synchronization. Use time drift techniques to combat the sliding time window.
• Not all firewalls allow pings through from untrusted hosts.
• Not a replacement for good ACLs and strong authentication… It is merely an augmentation to a defense in depth posture!
• Optimize code, drop ping floods or
This document is provided for informational purposes only.
SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2004 Scorpion Software Corp. All rights reserved.


Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
