Port knocking challenge
PHD CTF Afterparty 2011
the short notes
Sheridan: Knock, knock.
Ivanova: Who's there?
Sheridan: Kosh.
Ivanova: Kosh who?
Sheridan: Gesundheit. [snickers]
I thought that was a good one.
Babylon 5
Step by step into the trap
[Figure: the four steps of a port-knocking exchange, Step 1 through Step 4]
Copyright: http://www.portknocking.org/
Task overview
1 box running FreeBSD
1 anonymous FTP server
1 file: traffic.zip->traffic.pcap
Slightly modified cdoor.c by FX of Phenoelit
Traffic.pcap #1
Traffic.pcap #2
Initial state
“Knocked” state
EINDBAZEN solution
#!/usr/bin/python
# sheldon.py
# EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
# Import subprocess (for the nmap call at the end) and scapy
import subprocess
from scapy.all import *
conf.verb = 0
# Ports, in knocking order
ports = [951, 4826, 9402, 235, 16821, 443, 100]
# Knock twice on every port, using two different source ports
for dport in range(0, len(ports)):
    print "[*] Knocking on 192.168.0.5: ", ports[dport]
    ip = IP(dst="192.168.0.5")
    port = 39367
    SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
    send(SYN) ; print "*KNOCK*"
    port = 39368
    SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
    send(SYN) ; print "*KNOCK*"
print "PENNY"
# Use NMAP for scanning for open ports
# We also use -sV, so nmap connects to the port and gets the flag
print "[*] Scanning for open ports using nmap"
subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)
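How the knock sequence is recovered from a capture like traffic.pcap (the two Traffic.pcap slides) and how a sequential knock daemon then consumes it, as an added example that is not the slides' or EINDBAZEN's code. The packet records are constructed, the knocking host 192.168.0.13 and the door port 1234 are made-up values, and the same per-source burst grouping is what a defender would run over firewall SYN logs to spot knock sequences.

```python
"""Recover port-knock sequences from TCP SYN records and run them through a
sequential knock-daemon check. Added example, not from the slides or EINDBAZEN;
records are constructed to resemble parsed traffic.pcap output (knocker
192.168.0.13 and door port 1234 are made up, target and knock ports are from the slides)."""
from collections import defaultdict

TARGET = "192.168.0.5"
KNOCK_PORTS = [951, 4826, 9402, 235, 16821, 443, 100]  # knock order from sheldon.py

# Constructed records: (timestamp, src, dst, dport, tcp flags); "S" = SYN
PACKETS = [
    (10.0, "192.168.0.13", TARGET, 951, "S"),
    (10.1, "192.168.0.13", TARGET, 951, "S"),   # knocked twice, as sheldon.py does
    (10.5, "192.168.0.13", TARGET, 4826, "S"),
    (11.0, "192.168.0.13", TARGET, 9402, "S"),
    (11.5, "192.168.0.13", TARGET, 235, "S"),
    (12.0, "192.168.0.13", TARGET, 16821, "S"),
    (12.5, "192.168.0.13", TARGET, 443, "S"),
    (13.0, "192.168.0.13", TARGET, 100, "S"),
    (15.0, "192.168.0.13", TARGET, 1234, "S"),  # connection to the opened door
]

def knock_sequences(packets, target, window=1.0, min_len=3):
    """Per source: split SYNs to target into bursts (gap <= window seconds),
    collapse consecutive repeats, keep bursts of >= min_len distinct ports."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if dst == target and flags == "S":
            by_src[src].append((ts, dport))
    found = defaultdict(list)
    for src, syns in by_src.items():
        burst = []
        for ts, dport in syns + [(float("inf"), None)]:  # sentinel flushes the last burst
            if burst and ts - burst[-1][0] > window:
                ports = [p for i, (_, p) in enumerate(burst) if i == 0 or p != burst[i - 1][1]]
                if len(ports) >= min_len:
                    found[src].append(ports)
                burst = []
            burst.append((ts, dport))
    return dict(found)

def knock_accepted(ports, sequence):
    """Sequential check in the spirit of cdoor (simplified, not exact cdoor.c logic): the
    expected next port advances the state, any other sequence port resets it."""
    state = 0
    for p in (q for q in ports if q in sequence):
        state = state + 1 if p == sequence[state] else int(p == sequence[0])
        if state == len(sequence):
            return True
    return False
```

With the default one-second window the connection to the door at 15.0 s falls into its own burst and is dropped, so the recovered burst is exactly the knock sequence; widening the window shows how the door port gets glued onto it.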
Simple solution
nmap -n -sS -T2 -r -p951 192.168.0.5
nmap -n -sS -T2 -r -p4826 192.168.0.5
nmap -n -sS -T2 -r -p9402 192.168.0.5
nmap -n -sS -T2 -r -p235 192.168.0.5
nmap -n -sS -T2 -r -p16821 192.168.0.5
nmap -n -sS -T2 -r -p443 192.168.0.5
nmap -n -sS -T2 -r -p100 192.168.0.5
nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5
Why not?
"The best way to send the required SYN packets to the system is the use of nmap: ./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target> NOTE: the Polite timing ensures that nmap sends the packets serially as defined."
FX - cdoor.c
Why not “nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5”?
Because:
Nowadays “-T Polite” no longer ensures that the SYN packets are transmitted in the given order
Advantages
A sequence of 3 simple TCP knocks requires 281,474,976,710,656 packets (65536^3) to brute-force (worst case)
Usually only the IP that provided the correct sequence is whitelisted
Simple implementation – fewer vulnerabilities
Prevents login brute-force and mass vulnerability exploitation
In some cases may aid in DoS mitigation
Modern implementations allow the use of cryptographic hashes inside the knocking sequence (Single Packet Authentication)
Disadvantages
If the knocking daemon dies – the “system dies”
  solved by a process monitor daemon
Can be locked out with IP spoofing
  solved by adding crypto hashes
Dropped packets result in an incorrect knock
  solved by retransmission
Defense in depth
after all, it’s just another layer
The more you know
http://www.phenoelit-us.org/stuff/cd00rdescr.html
- original cdoor.c
http://eindbazen.net/?p=316
- challenge write-up from the EINDBAZEN team
http://en.wikipedia.org/wiki/Port_knocking
- basic info (used in this presentation)
http://www.portknocking.org
- one big port knocking/SPA resource
http://www.aldabaknocking.com/?q=portknocking
- another big port knocking/SPA resource