Introduction to Cerberus
Port Knocking with covert packets to secretly open your firewall

Published: June 2004

Agenda

- Introduction to Port Knocking
- Isn't Security through Obscurity Bad?
- Traditional Port Knocking Tools
- Problems with Port Knocking Tools
- Introduction to Dana's Version: Cerberus
- Crafting Cerberus packets
- Packet breakdown information
- Things to Consider / Summary
- Questions

Introduction to Port Knocking
Port knocking is a method by which a remote computer (the client) communicates with another computer (the server) across ports that are closed on the server. Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server. The server does not send any

Isn’t Security through Obscurity Bad?
Security implemented SOLELY through obscurity is considered bad; obscurity used as one more layer on top of real controls is worthwhile. Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets. Traditional port knocking isn't really that "obscure" anyway: most analysis tools can pick up

Traditional Port Knocking with TCP/IP

- cd00r: http://www.phenoelit.de/stuff/cd00rdescr.htm
- Doorman: http://doorman.sourceforge.net/
- knockd: http://www.zeroflux.org/knock/
- SAdoor: http://cmn.listprojects.darklab.org/
- toctoc: http://brahma.cpd.ufjf.br/~atrix/toctoc

Problems with Traditional Port Knocking

- Once you know the secret knock, the port is opened; it's quite easy to sniff the wire to get the sequence.
- TCP-style knocking leaves a lot of "logging cruft" (connection attempts to closed ports), making it easy to find. Intrusion detection sensors pick up on this easily!
- Most simple implementations have no way to authenticate the knocker. How do you know it's who you think it is?
- Most port knockers require some sort of client or script to work, which is not always available to you.
- Many knockers require the source of the packet

Dana's Way with ICMP

- Can bypass most IDS sensors because it looks like "normal" traffic
- Uses typical ICMP traffic that most firewalls allow
- Doesn't require special tools to craft packet sequences; it can be done with the Linux 'ping' command
- Was written over 5 years ago, before port knocking was a common thing

Introduction to Cerberus: Dana's Port Knocking Daemon

- Small daemon written in C, tied to libpcap, which sniffs all inbound ICMP 'ping' packets (echo request, type 8)
- Requires very little overhead and doesn't have to correlate sequences of packets or watch system logs closely.
- Uses some simple, yet effective techniques to provide rudimentary authentication

How Cerberus Works

Looks for specially crafted ICMP type 8 (echo request) packets. Once found, it breaks the first 16 bytes of the packet payload down into:

Field                    Size     Value
Initiator                2 bytes  0xDEAD
UserID                   1 byte   Which user is knocking
ActionID                 1 byte   Action sequence to perform
One time password (OTP)  8 bytes  Hash described on the next slide
IP address               4 bytes  Dotted decimal converted to hex

How Cerberus Works: The OTP

The One Time Password is a hash of:

- The current date and time, to the minute
- A system 'server seed'
- An individual user passcode
- The IP address to allow in (in dotted decimal format)

The hash is an MD5 of that data concatenated together in that order; the 8 OTP bytes are the second half of the 16-byte digest.

Crafting a Cerberus Packet

Make the OTP (date and time to the minute, seed, passcode and allowed IP, hashed and cut down to the last 16 hex digits):
date +%d%m%y%k%Msome_seedmy_pincode204.244.123.234 | md5sum | cut -c 17-32

Send the packet (the 32 hex digits are 0xDEAD, UserID 0x42, ActionID 0x01, the 16 OTP hex digits, then the IP as hex; ping -p takes the pattern as hex):
ping -c1 -p "dead4201f0b70bc031a365e9ccf47bea" mymachine.com
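The Python below is an added example, not Cerberus source (which is C on libpcap) and not the author's script. It reproduces the OTP pipeline from the "How Cerberus Works", "The OTP" and "Crafting a Cerberus Packet" slides byte for byte, including two details a server has to match exactly: date(1)'s %k is the hour padded with a space rather than a zero, and date(1) appends a newline that md5sum hashes too. It then packs the 16-byte payload, prints the ping command, and checks a received payload against a window of adjacent minutes, the clock-drift allowance the "Things to consider" slide asks for. The seed, passcode, user ID 0x42 and host name are the slides' sample values or hypothetical; the verification routine is my sketch of what such a daemon must do, not Cerberus's code.

```python
"""Cerberus-style payload construction and OTP verification (added example).

Mirrors the slides' recipe
    date +%d%m%y%k%M<seed><pin><ip> | md5sum | cut -c 17-32
and the payload layout 0xDEAD | UserID | ActionID | OTP (8) | IPv4 (4).
"""
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD
PAYLOAD_FMT = "!HBB8s4s"            # network byte order: 2 + 1 + 1 + 8 + 4 = 16 bytes
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)


def otp_input(when: datetime, seed: str, pin: str, ip: str) -> bytes:
    """Exact bytes the shell pipeline feeds to md5sum.

    * %k is the hour *space*-padded (" 9", not "09"); %H would be zero-padded.
    * date(1) terminates its output with a newline, and md5sum hashes it too.
    A server that omits either detail never matches the client's OTP.
    """
    stamp = when.strftime("%d%m%y") + f"{when.hour:2d}" + when.strftime("%M")
    return (stamp + seed + pin + ip + "\n").encode()


def make_otp(when: datetime, seed: str, pin: str, ip: str) -> bytes:
    """`cut -c 17-32` keeps hex digits 17..32, i.e. the low 8 bytes of the MD5."""
    digest = hashlib.md5(otp_input(when, seed, pin, ip)).hexdigest()
    return bytes.fromhex(digest[16:32])


def build_payload(user_id: int, action_id: int, otp: bytes, ip: str) -> bytes:
    """Pack the 16 bytes that `ping -p` repeats through the echo data."""
    return struct.pack(PAYLOAD_FMT, INITIATOR, user_id, action_id, otp,
                       ipaddress.IPv4Address(ip).packed)


def parse_payload(data: bytes) -> dict:
    """Split the first 16 bytes of echo data into Cerberus fields (server side)."""
    if len(data) < PAYLOAD_LEN:
        raise ValueError("payload shorter than 16 bytes")
    init, uid, act, otp, ip_raw = struct.unpack(PAYLOAD_FMT, data[:PAYLOAD_LEN])
    if init != INITIATOR:
        raise ValueError(f"bad initiator 0x{init:04x}")
    return {"user_id": uid, "action_id": act, "otp": otp,
            "ip": str(ipaddress.IPv4Address(ip_raw))}


def ping_command(payload: bytes, host: str) -> str:
    """The client needs nothing but ping: -p accepts up to 16 pattern bytes as hex."""
    return f"ping -c1 -p {payload.hex()} {host}"


def verify_otp(fields: dict, seed: str, pins: dict, now: datetime,
               drift_minutes: int = 1) -> bool:
    """Recompute the OTP for now +/- drift minutes and compare in constant time.

    The hash covers the minute only, so a daemon that checks just the current
    minute rejects a knock that crosses a minute boundary in flight or comes
    from a client whose clock is slightly off. `pins` maps UserID -> passcode
    (hypothetical store; the slides do not say how Cerberus keeps them).
    """
    pin = pins.get(fields["user_id"])
    if pin is None:
        return False
    for delta in range(-drift_minutes, drift_minutes + 1):
        candidate = make_otp(now + timedelta(minutes=delta), seed, pin, fields["ip"])
        if hmac.compare_digest(candidate, fields["otp"]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the slides' seed, passcode and IP, a fixed minute.
    when = datetime(2004, 6, 15, 16, 26)
    otp = make_otp(when, "some_seed", "my_pincode", "204.244.123.234")
    payload = build_payload(0x42, 0x01, otp, "204.244.123.234")
    print(ping_command(payload, "mymachine.com"))
    print(parse_payload(payload))
    print(verify_otp(parse_payload(payload), "some_seed", {0x42: "my_pincode"}, when))
```

Widening `drift_minutes` makes the knock more forgiving of clock skew and also gives an attacker who captures a payload that many more minutes to replay it to the same IP, which is the trade-off the "Things to consider" slide hints at.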

Packet Pattern Breakdown

dead 42 01 f0b70bc031a365e9 ccf47bea

dead              Initiator (0xDEAD)
42                UserID
01                ActionID
f0b70bc031a365e9  Hashed OTP (8 bytes)
ccf47bea          IP address as hex (204.244.123.234)

Received packet breakdown

16:26:45.021294 IP stinger.scorpionsoft.com > S02060005180002c5.va.shawcable.net: icmp 64: echo reply seq 0
        0x0000:  4500 0054 27ff 0000 4001 93c3 ccae 1305  E..T'...@.......
        0x0010:  1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e  .P....zW....@..^
        0x0020:  0000 7695 dead 4201 e394 db11 58d4 23ac  ..v...B.....X.#.
        0x0030:  ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
        0x0040:  ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
        0x0050:  ccf4                                     ..

The echo data starts with the 8-byte timestamp that Linux ping inserts (40c8 ec5e 0000 7695), after which the 16-byte Cerberus pattern given to -p repeats to the end of the packet. What tcpdump caught here is the echo reply from stinger.scorpionsoft.com, which carries the request's data back unchanged.
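To see what the libpcap side has to parse, here is an added Python example (not Cerberus code) that decodes the hexdump above: it walks the IPv4 and ICMP headers, skips the 8-byte timestamp Linux ping places at the start of the echo data, and pulls out every complete 16-byte 0xDEAD block. The hex columns are copied from the slide with the ASCII column dropped. Two things the decoder makes visible that the dump alone does not: the ICMP type is 0 (echo reply, the server echoing the pattern back), and only 82 of the 84 bytes the IP header announces were captured, so the third copy of the pattern is cut short and is skipped.

```python
"""Decode the slide's tcpdump hexdump into IP/ICMP headers and Cerberus fields.

Added example, not Cerberus code. Linux ping fills echo data with an 8-byte
timestamp followed by the -p pattern repeated to the end, which is why the
16-byte block appears more than once.
"""
import ipaddress
import struct

# Hex columns of the capture on the slide; the ASCII column is omitted.
SLIDE_HEXDUMP = """
0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305
0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e
0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac
0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac
0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac
0x0050: ccf4
"""

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
PING_TIMESTAMP_LEN = 8               # struct timeval that Linux ping stores first
CERBERUS_MAGIC = b"\xde\xad"         # the 0xDEAD initiator
CERBERUS_FMT = "!HBB8s4s"            # initiator, UserID, ActionID, OTP, IPv4


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the hex groups of every '0xNNNN: ...' line into one packet."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, groups = line.partition(":")
        out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)


def parse_ipv4(pkt: bytes) -> tuple[dict, bytes]:
    """Return the IPv4 header fields and the bytes that follow the header."""
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"version": ver_ihl >> 4, "total_length": total_len, "id": ident,
           "ttl": ttl, "protocol": proto,
           "src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           # snaplen may have cut the tail: compare with total_length
           "captured": len(pkt)}
    return hdr, pkt[ihl:]


def parse_icmp(seg: bytes) -> tuple[dict, bytes]:
    """Return the 8-byte ICMP echo header and the echo data."""
    typ, code, _ck, ident, seq = struct.unpack("!BBHHH", seg[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq}, seg[8:]


def cerberus_blocks(data: bytes) -> list[dict]:
    """Every complete 16-byte 0xDEAD block in the echo data after the timestamp.

    A partial block at the end (truncated capture or odd data length) is ignored.
    """
    body = data[PING_TIMESTAMP_LEN:]
    blocks = []
    for off in range(0, len(body) - 15):
        if body[off:off + 2] != CERBERUS_MAGIC:
            continue
        _init, uid, act, otp, ip_raw = struct.unpack(CERBERUS_FMT, body[off:off + 16])
        blocks.append({"offset": off, "user_id": uid, "action_id": act,
                       "otp": otp.hex(),
                       "ip": str(ipaddress.IPv4Address(ip_raw))})
    return blocks


def decode(dump: str) -> dict:
    """Full decode of a tcpdump hexdump: IP header, ICMP header, Cerberus blocks."""
    pkt = hexdump_to_bytes(dump)
    ip, seg = parse_ipv4(pkt)
    icmp, data = parse_icmp(seg)
    return {"ip": ip, "icmp": icmp, "blocks": cerberus_blocks(data)}


if __name__ == "__main__":
    result = decode(SLIDE_HEXDUMP)
    print(result["ip"])
    print(result["icmp"])
    for block in result["blocks"]:
        print(block)
```

A daemon built on this logic would filter on `type == ICMP_ECHO_REQUEST` and act on the first block only; the scan over the whole body is here to show how the pattern repeats.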

Things to consider when writing your own version of Cerberus

- Strength of cryptography: the hash is only as strong as the seed and passcode.
- Time synchronization: the OTP changes every minute, so allow for clock drift between client and server (for example, accept the adjacent minutes) instead of requiring an exact match.
- Not all firewalls allow pings through from untrusted hosts.
- Not a replacement for good ACLs and strong authentication; it is merely an augmentation to a defense-in-depth posture!
- Optimize code, drop ping floods or

This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Scorpion Software Corp. All rights reserved. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.