1 Port Knocking with covert packets to secretly open your firewall. Published: June 2004. Introduction to Cerberus

2 Agenda
- Introduction to Port Knocking
- Isn't Security through Obscurity Bad?
- Traditional Port Knocking Tools
- Problems with Port Knocking Tools
- Introduction to Dana's Version - Cerberus
- Crafting Cerberus packets
- Packet breakdown information
- Things to Consider / Summary
- Questions

3 Introduction to Port Knocking
- Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports.
- Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server.
- The server sends no response to the client to acknowledge receipt of the information.

4 Isn't Security through Obscurity Bad?
- Security implemented SOLELY through obscurity is considered bad; using obscurity as one more line of defense is actually good.
- Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets.
- Traditional port knocking isn't really that "obscure" anyway. Most analysis tools can pick up the common port patterns produced by common port knocking software.

5 Traditional Port Knocking with TCP/IP
- cd00r
- Doorman
- knockd
- SAdoor
- toctoc

6 Problems with Traditional Port Knocking
- Once you know the secret knock, the port is opened; it's quite easy to sniff the wire to get the sequence. Furthermore, TCP-style knocking leaves a lot of "logging cruft", making it easy to find. Intrusion detection sensors pick up on this easily!
- Most simple implementations have no way to authenticate the knocker. How do you know it's who you think it is?
- Most port knockers require some sort of client or script to work, which is not always available to you.
- Many knockers require the source address of the packet to be the actual host asking for access, when in many cases it may not be (e.g. odd NAT translation).

7 Dana's Way with ICMP
- Can bypass most IDS sensors as "normal" traffic
- Uses typical ICMP traffic allowed by most firewalls
- Doesn't require special tools to craft packet sequences; can be done with the Linux 'ping' command
- Was written over 5 years ago, before port knocking was a common thing

8 Introduction to Cerberus - Dana's Port Knocking Daemon
- Small daemon written in C, tied to libpcap, which sniffs all inbound ICMP 'ping' packets (type 8)
- Requires very little overhead and doesn't have to look for packet patterns or watch system logs closely
- Uses some simple, yet effective techniques to provide rudimentary authentication

9 How Cerberus Works
- Looks for specially crafted ICMP type 8 (echo request) packets. Once found, breaks the packet payload down into:

    struct {
        2 byte Initiator (0xDEAD)
        1 byte UserID
        1 byte ActionID (action sequence)
        8 byte One Time Password (OTP)
        4 byte IP address (dotted decimal to hex)
    }

10 How Cerberus Works - The OTP
- The One Time Password is a hash of:
  - The current date and time, to the minute
  - A system 'server seed'
  - An individual user passcode
  - The IP address to allow in (in dotted decimal format)
- The hash used is an MD5 of that data concatenated together
- The OTP is the last 16 chars of that hash result

11 Crafting a Cerberus Packet
- Make the OTP:

    date +%d%m%y%k%Msome_seedmy_pincode | md5sum | cut -c

- Send the packet:

    ping -c1 -p "dead4201f0b70bc031a365e9ccf47bea" mymachine.com

12 Packet Pattern Breakdown

    dead 42 01 f0b70bc031a365e9 ccf47bea

- Initiator: dead
- User ID: 42
- Action ID: 01
- Hashed OTP: f0b70bc031a365e9
- IP address as hex: ccf47bea

13 Received packet breakdown

    16:26: IP stinger.scorpionsoft.com > S c5.va.shawcable.net: icmp 64: echo reply seq 0
    0x0000: ff c3 ccae
    0x0010: 1850 c6e a57 f3ca c8
    0x0020: dead 4201 e394 db11 58d4 23ac  ..v...B.....X.#.
    0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
    0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
    0x0050: ccf4  ..
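As an added example (not Cerberus's own code), the 16-byte payload layout from slide 9, the OTP recipe from slide 10 and the clock-drift window from slide 14, in Python. The concatenation order (time, seed, pincode, IP), the seed, pincode and timestamp are assumptions, since slide 11's one-liner omits the IP that slide 10 lists.

```python
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD   # 2-byte marker at the start of every Cerberus payload (slide 9)
OTP_HEX_LEN = 16     # OTP is the last 16 hex chars of the MD5 digest (slide 10)

def minute_stamp(when):
    """Time to the minute in the slide's date format %d%m%y%k%M (%k = space-padded hour)."""
    return when.strftime("%d%m%y") + f"{when.hour:2d}" + when.strftime("%M")

def make_otp(when, seed, pincode, ip):
    """MD5 of timestamp + server seed + user pincode + IP, keeping the last 16 hex chars.
    The concatenation order is an assumption (the slide's shell one-liner omits the IP)."""
    digest = hashlib.md5((minute_stamp(when) + seed + pincode + ip).encode()).hexdigest()
    return digest[-OTP_HEX_LEN:]

def build_payload(user_id, action_id, otp_hex, ip):
    """Initiator(2) + UserID(1) + ActionID(1) + OTP(8) + IP(4) = 16 bytes, the max `ping -p` pattern."""
    header = struct.pack("!HBB", INITIATOR, user_id, action_id)
    return header + bytes.fromhex(otp_hex) + ipaddress.IPv4Address(ip).packed

def parse_payload(payload):
    """Split a 16-byte payload into (user_id, action_id, otp_hex, ip); None if no 0xDEAD marker."""
    if len(payload) < 16:
        return None
    initiator, user_id, action_id = struct.unpack("!HBB", payload[:4])
    if initiator != INITIATOR:
        return None
    return user_id, action_id, payload[4:12].hex(), str(ipaddress.IPv4Address(payload[12:16]))

def verify(payload, users, seed, now, drift_minutes=1):
    """Server side: recompute the OTP for each minute in the drift window (slide 14's caveat).
    Returns (user_id, action_id, ip) to act on, or None to silently drop the packet."""
    parsed = parse_payload(payload)
    if parsed is None or parsed[0] not in users:
        return None
    user_id, action_id, otp_hex, ip = parsed
    for delta in range(-drift_minutes, drift_minutes + 1):
        expected = make_otp(now + timedelta(minutes=delta), seed, users[user_id], ip)
        if hmac.compare_digest(expected, otp_hex):   # constant-time compare of the hex strings
            return user_id, action_id, ip
    return None

# Constructed sample values (not from the presentation); UserID 0x42 and IP ccf47bea are slide 12's.
SAMPLE_TIME = datetime(2004, 6, 1, 16, 26)
SAMPLE_SEED, SAMPLE_USERS, SAMPLE_IP = "some_seed", {0x42: "my_pincode"}, "204.244.123.234"
```

`parse_payload` applied to the repeated 16-byte pattern in the slide 13 dump (`dead4201e394db1158d423acccf47bea`) yields user 0x42, action 0x01, OTP `e394db1158d423ac` and IP 204.244.123.234.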

14 Things to consider when writing your own version of Cerberus
- Strength of cryptography: the hash is only as strong as the seed and passcode.
- Time synchronization: use time drift techniques to handle the sliding time window between client and server clocks.
- Not all firewalls allow pings through from untrusted hosts.
- Not a replacement for good ACLs and strong authentication... it is merely an augmentation to a defense in depth posture!
- Optimize the code and drop ping floods, or expect to be DoS'd!

15 This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Scorpion Software Corp. All rights reserved. This presentation is for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
