
Александр Зайцев - Port Knocking, short notes

Published on: Mar 4, 2016
Published in: Business, Technology
Source: www.slideshare.net


Transcripts - Александр Зайцев - Port Knocking, short notes

  • 1. Port knocking challenge: the short notes.
      Sheridan: Knock, knock.
      Ivanova: Who's there?
      Sheridan: Kosh.
      Ivanova: Kosh who?
      Sheridan: Gesundheit. [snickers] I thought that was a good one.
      (Babylon 5)
      PHD CTF Afterparty 2011
  • 2. Step by step into the trap (figure: Step 1, Step 2, Step 3, Step 4; copyright: http://www.portknocking.org/)
  • 3. Task overview
      1 box running FreeBSD
      1 anonymous FTP server
      1 file: traffic.zip -> traffic.pcap
      Slightly modified cdoor.c by FX of Phenoelit
  • 4. Traffic.pcap #1
  • 5. Traffic.pcap #2
  • 6. Initial state
  • 7. “Knocked” state
  • 8. EINDBAZEN solution
      #!/usr/bin/python
      # sheldon.py
      # EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
      # Import scapy (and subprocess, which the nmap call at the end needs)
      import subprocess
      from scapy.all import *
      conf.verb = 0
      # Ports
      ports = [951, 4826, 9402, 235, 16821, 443, 100]
      # Knock twice on every port
      for dport in range(0, len(ports)):
          print("[*] Knocking on 192.168.0.5: %d" % ports[dport])
          ip = IP(dst="192.168.0.5")
          port = 39367
          # scapy names TCP options by string, e.g. ("MSS", 1460)
          SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[("MSS", 1460)], seq=0)
          send(SYN); print("*KNOCK*")
          port = 39368
          SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[("MSS", 1460)], seq=0)
          send(SYN); print("*KNOCK*")
      print("PENNY")
      # Use NMAP for scanning for open ports
      # We also use -sV, so nmap connects to the port and gets the flag
      print("[*] Scanning for open ports using nmap")
      subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)
  • 9. Simple solution
      nmap -n -sS -T2 -r -p951 192.168.0.5
      nmap -n -sS -T2 -r -p4826 192.168.0.5
      nmap -n -sS -T2 -r -p9402 192.168.0.5
      nmap -n -sS -T2 -r -p235 192.168.0.5
      nmap -n -sS -T2 -r -p16821 192.168.0.5
      nmap -n -sS -T2 -r -p443 192.168.0.5
      nmap -n -sS -T2 -r -p100 192.168.0.5
      nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5
  • 10. Why not?
      Why not "nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5"? Because the cdoor.c description by FX says:
        "The best way to send the required SYN packets to the system is the use of nmap:
        ./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target>
        NOTE: the Polite timing ensures that nmap sends the packets serially, as defined." (FX, cdoor.c)
      Nowadays "-T Polite" doesn't ensure sequential transmission of the SYN packets.
  • 11. Advantages
      A sequence of 3 simple TCP knocks requires 281,474,976,710,656 packets to bruteforce (worst case)
      Usually only the IP that provided the correct sequence is whitelisted
      Simple implementation, so fewer vulnerabilities
      Prevents login bruteforce and mass vulnerability exploitation
      In some cases may aid in DoS mitigation
      Modern implementations allow usage of cryptographic hashes inside the knocking sequence (Single Packet Authentication)
  • 12. Disadvantages
      If the knocking daemon dies, the "system dies" (solved by a process monitor daemon)
      Can be locked out with IP spoofing (solved by adding crypto-hashes)
      Dropped packets result in an incorrect knock (solved by retransmission)
  • 13. Defense in depth: after all it's just another layer
  • 14. The more you know
      http://www.phenoelit-us.org/stuff/cd00rdescr.html - original cdoor.c
      http://eindbazen.net/?p=316 - challenge write-up from EINDBAZEN team
      http://en.wikipedia.org/wiki/Port_knocking - basic info (used in this presentation :)
      http://www.portknocking.org - one big port knocking/SPA resource
      http://www.aldabaknocking.com/?q=portknocking - another big port knocking/SPA resource
  • 15. FIN. azaitsev@ptsecurity.ru @arbitrarycode
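The points of slides 10 to 12 (knock order matters, only the knocking source is whitelisted, a retransmitted SYN should not break the knock, and the 3-knock brute-force figure) can be seen in a toy knock daemon. The code below is an added example written for these notes; it is not the challenge's modified cdoor.c, not EINDBAZEN's code, and the sequence, IP addresses and 30-second window are constructed values.

```python
# Added example (not from the slides or from cdoor.c): a toy port-knocking
# daemon state machine. It shows why the knock order matters, why only the
# knocking source gets whitelisted, and how a daemon can tolerate a
# retransmitted SYN. The sequence, IPs and window below are constructed.
import time

SEQUENCE = [951, 4826, 9402]   # constructed 3-port knock sequence
OPEN_SECONDS = 30.0            # how long a successful knocker stays whitelisted
PORT_SPACE = 65536             # possible TCP destination ports per knock


class KnockDaemon:
    """Tracks per-source progress through SEQUENCE, one SYN at a time."""

    def __init__(self, sequence=SEQUENCE, open_seconds=OPEN_SECONDS, clock=time.time):
        self.sequence = list(sequence)
        self.open_seconds = open_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.progress = {}          # src_ip -> index of the next expected port
        self.whitelist = {}         # src_ip -> expiry timestamp

    def observe_syn(self, src_ip, dst_port):
        """Feed one SYN (src_ip, dst_port). Returns True if it completed the knock."""
        idx = self.progress.get(src_ip, 0)
        if dst_port == self.sequence[idx]:
            idx += 1                                # correct next port
        elif idx > 0 and dst_port == self.sequence[idx - 1]:
            pass                                    # repeat of the last accepted port: a retransmission
        else:
            idx = 1 if dst_port == self.sequence[0] else 0   # wrong port: start over
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.whitelist[src_ip] = self.clock() + self.open_seconds
            return True
        self.progress[src_ip] = idx
        return False

    def is_open_for(self, src_ip):
        """True while src_ip is inside its whitelist window."""
        expiry = self.whitelist.get(src_ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.whitelist[src_ip]
            return False
        return True


def knock(daemon, src_ip, ports):
    """Replay a list of destination ports as SYNs from src_ip; True if the door opened."""
    opened = False
    for port in ports:
        opened = daemon.observe_syn(src_ip, port) or opened
    return opened


def demo_in_order():
    """Correct order from 10.0.0.5 opens the door for 10.0.0.5 only."""
    d = KnockDaemon()
    knock(d, "10.0.0.5", [951, 4826, 9402])
    return d.is_open_for("10.0.0.5"), d.is_open_for("10.0.0.6")


def demo_out_of_order():
    """The same three ports in another order (as a port-randomizing scanner sends them) do not open."""
    d = KnockDaemon()
    knock(d, "10.0.0.5", [4826, 951, 9402])
    return d.is_open_for("10.0.0.5")


def demo_retransmission():
    """Each port sent twice (what a SYN retransmission looks like) still opens."""
    d = KnockDaemon()
    knock(d, "10.0.0.5", [951, 951, 4826, 4826, 9402, 9402])
    return d.is_open_for("10.0.0.5")


def demo_expiry():
    """The whitelist entry closes again after OPEN_SECONDS."""
    now = [1000.0]
    d = KnockDaemon(clock=lambda: now[0])
    knock(d, "10.0.0.5", SEQUENCE)
    before = d.is_open_for("10.0.0.5")
    now[0] += OPEN_SECONDS + 1
    return before, d.is_open_for("10.0.0.5")


def bruteforce_worst_case(n_knocks, port_space=PORT_SPACE):
    """Number of possible n-knock sequences over port_space ports (slide 11 quotes this for n=3)."""
    return port_space ** n_knocks


if __name__ == "__main__":
    print("in order:", demo_in_order())
    print("out of order:", demo_out_of_order())
    print("with retransmissions:", demo_retransmission())
    print("expiry:", demo_expiry())
    print("3-knock brute force worst case:", bruteforce_worst_case(3))
```

The out-of-order case is exactly why a single nmap invocation with all seven ports is unreliable for the challenge: a daemon of this shape resets on the first port that arrives out of sequence. The retransmission case shows one daemon-side answer to slide 12's "dropped packets" problem, complementing retransmission on the client side.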

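Slide 11 mentions cryptographic hashes inside the knock (Single Packet Authorization) and slide 12 names them as the fix for IP-spoofing lockouts. The following added example, which is not from the slides or from any named SPA tool, shows the mechanism in miniature: a single knock packet carrying a timestamp, a nonce and an HMAC over the source IP. The shared key, addresses, timestamps and 30-second windows are constructed.

```python
# Added example (not from the slides or from any SPA implementation): a
# minimal single-packet-authorization knock built on HMAC-SHA256, to show
# how a cryptographic knock removes the spoofing and replay problems of a
# plain port sequence. Key, IPs and timestamps are constructed values.
import hmac
import hashlib
import os
import struct
import time

SHARED_KEY = b"constructed-demo-key-change-me"   # constructed; a deployment uses a random key
MAX_SKEW = 30          # seconds a knock packet remains valid
OPEN_SECONDS = 30.0    # how long a verified knocker stays whitelisted


def build_knock(key, src_ip, now=None, nonce=None):
    """Client side: 8-byte timestamp || 16-byte nonce || 32-byte HMAC over (src_ip, ts, nonce)."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16) if nonce is None else nonce
    header = struct.pack("!Q", ts) + nonce
    tag = hmac.new(key, src_ip.encode() + header, hashlib.sha256).digest()
    return header + tag


class SpaDaemon:
    """Server side: verifies one payload per knock and keeps no per-source progress,
    so packets from third parties cannot disturb a legitimate knocker's state."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW, open_seconds=OPEN_SECONDS, clock=time.time):
        self.key = key
        self.max_skew = max_skew
        self.open_seconds = open_seconds
        self.clock = clock
        self.seen_nonces = {}   # nonce -> timestamp, for replay rejection
        self.whitelist = {}     # src_ip -> expiry timestamp

    def observe_knock(self, src_ip, payload):
        """Returns a short reason; "ok" means src_ip was whitelisted."""
        if len(payload) != 8 + 16 + 32:
            return "malformed"
        header, tag = payload[:24], payload[24:]
        # The MAC covers the observed source IP, so a copy sent from a
        # spoofed or different address fails here, as does a wrong key.
        expected = hmac.new(self.key, src_ip.encode() + header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        ts = struct.unpack("!Q", header[:8])[0]
        nonce = header[8:]
        now = self.clock()
        if abs(now - ts) > self.max_skew:
            return "stale"
        self._expire_nonces(now)
        if nonce in self.seen_nonces:
            return "replay"          # identical packet seen inside the validity window
        self.seen_nonces[nonce] = ts
        self.whitelist[src_ip] = now + self.open_seconds
        return "ok"

    def _expire_nonces(self, now):
        # A nonce older than max_skew would be rejected as stale anyway, so it can be forgotten.
        for n, ts in list(self.seen_nonces.items()):
            if now - ts > self.max_skew:
                del self.seen_nonces[n]

    def is_open_for(self, src_ip):
        expiry = self.whitelist.get(src_ip)
        return expiry is not None and self.clock() < expiry


def demo():
    """Legit knock, replay of the same packet, same packet from another source, wrong key, stale packet."""
    now = [1_700_000_000.0]
    d = SpaDaemon(clock=lambda: now[0])
    pkt = build_knock(SHARED_KEY, "10.0.0.5", now=now[0], nonce=b"\x01" * 16)
    results = {"legit": d.observe_knock("10.0.0.5", pkt)}
    results["open_for_knocker"] = d.is_open_for("10.0.0.5")
    results["replay"] = d.observe_knock("10.0.0.5", pkt)
    results["spoofed_source"] = d.observe_knock("10.0.0.9", pkt)
    results["wrong_key"] = d.observe_knock("10.0.0.5", build_knock(b"other-key", "10.0.0.5", now=now[0]))
    now[0] += MAX_SKEW + 1
    old = build_knock(SHARED_KEY, "10.0.0.5", now=now[0] - MAX_SKEW - 5)
    results["stale"] = d.observe_knock("10.0.0.5", old)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-16s %s" % (case, outcome))
```

Compared with the port-sequence daemon, there is no multi-packet state to reset, so a packet from an unrelated source (spoofed or not) can neither open the door nor knock a legitimate client out of its sequence, and a captured valid packet is rejected on replay within the window and as stale after it.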