Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports. Most knockers require some sort of client or script to work, which is not always available to you. Dana's way, using ICMP, can bypass most IDS sensors as "normal" traffic.
Copyright:
Attribution Non-Commercial (BY-NC)
Agenda
- Introduction to Port Knocking
- Isn't Security through Obscurity Bad?
- Traditional Port Knocking Tools
- Problems with Port Knocking Tools
- Introduction to Dana's Version - Cerberus
- Crafting Cerberus packets
- Packet breakdown information
- Things to Consider / Summary
- Questions

Introduction to Port Knocking
Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports. Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server. The server does not send any

Isn't Security through Obscurity Bad?
Security implemented SOLELY through obscurity is considered bad; using obscurity as one more line of defense is actually good. Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets. Traditional port knocking isn't really that "obscure" anyway. Most analysis tools can pick up

Traditional Port Knocking with TCP/IP
- cd00r http://www.phenoelit.de/stuff/cd00rdescr.htm
- Doorman http://doorman.sourceforge.net/
- knockd http://www.zeroflux.org/knock/
- SAdoor http://cmn.listprojects.darklab.org/
- toctoc http://brahma.cpd.ufjf.br/~atrix/toctoc

Problems with Traditional Port Knocking
- Once you know the secret knock, the port is opened; it is quite easy to sniff the wire to get the sequence.
- Furthermore, TCP-style knocking leaves a lot of "logging cruft", making it easy to find. Intrusion detection sensors pick up on this easily!
- Most simple implementations have no way to authenticate the knocker. How do you know it is who you think it is?
- Most port knockers require some sort of client or script to work, not always available to you.
- Many knockers require the src of the packet

Dana's Way with ICMP
- Can bypass most IDS sensors as "normal" traffic
- Uses typical ICMP traffic allowed by most firewalls
- Doesn't require special tools to craft packet sequences; it can be done with the Linux 'ping' command
- Was written over 5 years ago, before port knocking was a common thing

Introduction to Cerberus - Dana's Port Knocking Daemon
- Small daemon written in C, tied to libpcap, which sniffs all inbound ICMP 'ping' packets (type 8, echo request)
- Requires very little overhead and doesn't have to look for packet patterns or watch system logs closely
- Uses some simple, yet effective techniques to provide rudimentary authentication

How Cerberus Works
Looks for specially crafted ICMP type 8 ping packets. Once one is found, it breaks the packet payload down into the following 16-byte structure:

struct {
  2 byte Initiator (0xDEAD)
  1 byte UserID
  1 byte ActionID (Action sequence)
  8 byte One time Password (OTP)
  4 byte IP address (Dotted decimal to Hex)
}

How Cerberus Works - The OTP
The One Time Password is a hash of:
- The current date and time, to the minute
- A system 'server seed'
- An individual user passcode
- The IP address to allow in (in dotted decimal format)
The hash used is an MD5 of that data concatenated together; the last 16 hex characters (8 bytes) of the digest are the OTP that goes into the packet.

Crafting a Cerberus Packet
Make the OTP:

  date +%d%m%y%k%Msome_seedmy_pincode204.244.123.234 | md5sum | cut -c 17-32

Note that the seed, passcode and IP are literal text appended to the date format, and that date prints a trailing newline which md5sum hashes as well, so the server must hash exactly the same bytes when it recomputes the OTP.

Send the packet (ping -p takes up to 16 bytes of pad data as hex; the 8-byte OTP printed above is the f0b7...65e9 part):

  ping -c1 -p "dead4201f0b70bc031a365e9ccf47bea" mymachine.com

Packet Pattern Breakdown
The 32 hex characters given to ping -p split into the five fields of the structure:

  dead              Initiator
  42                User ID
  01                Action ID
  f0b70bc031a365e9  Hashed OTP
  ccf47bea          IP address as HEX (204.244.123.234)

Received packet breakdown. This tcpdump hex dump shows the server's echo reply, which carries the same data as the request: the 8-byte timestamp that ping places at the start of the data (0x001c), then the 16-byte pattern at 0x0024, repeated to fill the 56 data bytes.

  16:26:45.021294 IP stinger.scorpionsoft.com > S02060005180002c5.va.shawcable.net: icmp 64: echo reply seq 0
  0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305 E..T'...@.......
  0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e .P....zW....@..^
  0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac ..v...B.....X.#.
  0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
  0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
  0x0050: ccf4 ..

Things to consider when writing your own version of Cerberus
- Strength of cryptography: the hash is only as strong as the seed and passcode.
- Time synchronization: use time-drift techniques to combat the sliding time window.
- Not all firewalls allow pings through from untrusted hosts.
- Not a replacement for good ACLs and strong authentication... it is merely an augmentation to a defense-in-depth posture!
- Optimize code, drop ping floods or

This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
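The OTP recipe, the 16-byte packet layout and the time-drift caveat above, worked through in Python as an added example; this is not the Cerberus daemon's own code (which is C on libpcap). The client side mirrors the date | md5sum | cut pipeline byte for byte, including the space-padded %k hour and the newline date appends, and produces the argument for ping -p. The server side recomputes the OTP for every minute inside a small drift window and compares it in constant time, and a small parser pulls the knock out of the tcpdump hex dump shown on the slide (the dump is copied from the slide; the seed "some_seed", passcode "my_pincode", user ID 0x42, the client clock and the one-minute drift window are assumed values for the demonstration).

```python
"""Cerberus-style ICMP knock: build it client-side, verify it server-side.
Added example, not the Cerberus daemon's own code. Seed, pincode, user ID
and the one-minute drift window are assumed values for the demonstration."""
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD
LAYOUT = "!HBB8s4s"            # initiator, user id, action id, OTP, IPv4 -> 16 bytes
KNOCK_LEN = struct.calcsize(LAYOUT)


def otp(ts: datetime, seed: str, pin: str, ip: str) -> bytes:
    """Same bytes as: date +%d%m%y%k%M<seed><pin><ip> | md5sum | cut -c 17-32.
    %k is the hour padded with a space, and date prints a trailing newline
    that md5sum hashes too, so both are reproduced here."""
    stamp = ts.strftime("%d%m%y") + f"{ts.hour:2d}" + ts.strftime("%M")
    digest = hashlib.md5(f"{stamp}{seed}{pin}{ip}\n".encode()).hexdigest()
    return bytes.fromhex(digest[16:32])      # cut -c is 1-indexed: chars 17..32


def build_knock(user_id, action_id, ts, seed, pin, ip) -> bytes:
    """Client side: the 16-byte pattern that is handed to `ping -p` as hex."""
    return struct.pack(LAYOUT, INITIATOR, user_id, action_id,
                       otp(ts, seed, pin, ip), ipaddress.IPv4Address(ip).packed)


def ping_command(knock: bytes, host: str) -> str:
    return f'ping -c1 -p "{knock.hex()}" {host}'


def parse_knock(data: bytes):
    """Split 16 bytes into the fields; None if the initiator marker is absent."""
    if len(data) < KNOCK_LEN:
        return None
    init, uid, action, otp_bytes, ip_raw = struct.unpack(LAYOUT, data[:KNOCK_LEN])
    if init != INITIATOR:
        return None
    return {"user_id": uid, "action_id": action, "otp": otp_bytes,
            "ip": str(ipaddress.IPv4Address(ip_raw))}


def find_knock(icmp_data: bytes):
    """ping places an 8-byte timestamp before the -p pattern and the pattern
    repeats, so scan for the first marker instead of assuming a fixed offset."""
    idx = icmp_data.find(INITIATOR.to_bytes(2, "big"))
    return parse_knock(icmp_data[idx:]) if idx >= 0 else None


def verify(icmp_data, users, seed, now, drift_minutes=1):
    """Server side: recompute the OTP for every minute within +/- drift of the
    server clock and compare in constant time. Returns (user_id, action_id, ip)
    on success, None otherwise."""
    k = find_knock(icmp_data)
    if k is None or k["user_id"] not in users:
        return None
    for delta in range(-drift_minutes, drift_minutes + 1):
        expected = otp(now + timedelta(minutes=delta), seed, users[k["user_id"]], k["ip"])
        if hmac.compare_digest(expected, k["otp"]):
            return k["user_id"], k["action_id"], k["ip"]
    return None


def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump hex lines: offset, up to 16 bytes, ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        taken = 0
        for tok in line.partition(":")[2].split():
            if taken == 16 or len(tok) % 2 or not all(c in "0123456789abcdef" for c in tok):
                break                            # reached the ASCII column
            out += bytes.fromhex(tok)
            taken += len(tok) // 2
    return bytes(out)


def icmp_payload(packet: bytes):
    """(ICMP type, ICMP data) from a raw IPv4 packet, honouring the IHL field."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl], packet[ihl + 8:]


# Copied from the slide: the server's echo reply, carrying the request's data.
SLIDE_DUMP = """
0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305 E..T'...@.......
0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e .P....zW....@..^
0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac ..v...B.....X.#.
0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac ..{...B.....X.#.
0x0050: ccf4 ..
"""

if __name__ == "__main__":
    when = datetime(2004, 6, 12, 16, 26)                   # assumed client clock
    knock = build_knock(0x42, 1, when, "some_seed", "my_pincode", "204.244.123.234")
    print(ping_command(knock, "mymachine.com"))
    print(verify(knock, {0x42: "my_pincode"}, "some_seed", when + timedelta(minutes=1)))
    typ, data = icmp_payload(tcpdump_hex_to_bytes(SLIDE_DUMP))
    print(typ, find_knock(data))
```

A real daemon would only feed echo requests (type 8) to verify; the slide's capture is the reply, so the demo parses it without filtering on type. The drift loop is where the "sliding time window" from the considerations slide lives: widening it tolerates clock skew but multiplies the number of OTPs an attacker who has captured a knock can replay within, so pair it with single-use tracking of accepted OTPs.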
This presentation is for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.