Port Knocking with Covert Packets for Stealthy Firewall Access

In this article, we explore the use of covert packets for port knocking, an access control technique to open specific ports on a firewall. We discuss the traditional port knocking tools, problems with them, and introduce Dana's version of Cerberus. We also provide packet breakdown information and summarize key considerations.

Presentation Transcript


1. Port Knocking with covert packets to secretly open your firewall
Published: June 2004
Introduction to Cerberus

2. Agenda
- Introduction to Port Knocking
- Isn't Security through Obscurity Bad?
- Traditional Port Knocking Tools
- Problems with Port Knocking Tools
- Introduction to Dana's Version - Cerberus
- Crafting Cerberus packets
- Packet breakdown information
- Things to Consider / Summary
- Questions

3. Introduction to Port Knocking
- Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports.
- Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server.
- The server does not send any response to the client to acknowledge receipt of the information.

4. Isn't Security through Obscurity Bad?
- Security implemented SOLELY through obscurity is considered bad; using obscurity as another line of defense is actually good.
- Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets.
- Traditional port knocking isn't really that obscure anyway. Most analysis tools can pick up the common port patterns used by common port knocking software.

5. Traditional Port Knocking with TCP/IP
- cd00r: http://www.phenoelit.de/stuff/cd00rdescr.html
- Doorman: http://doorman.sourceforge.net/
- knockd: http://www.zeroflux.org/knock/
- SAdoor: http://cmn.listprojects.darklab.org/
- toctoc: http://brahma.cpd.ufjf.br/~atrix/toctoc

6. Problems with Traditional Port Knocking
- Once you know the secret knock, the port is opened; it's quite easy to sniff the wire to get the sequence. Furthermore, TCP-style knocking leaves a lot of logging cruft, making it easy to find. Intrusion detection sensors pick up on this easily!
- Most simple implementations have no way to authenticate the knocker. How do you know it's who you think it is?
- Most port knockers require some sort of client or script to work, which is not always available to you.
- Many knockers require the source address of the packet to be the actual host asking for access, when in many cases it may not be (e.g. weird NAT translation).

7. Dana's Way with ICMP
- Can bypass most IDS sensors as normal traffic
- Uses typical ICMP traffic allowed by most firewalls
- Doesn't require special tools to craft packet sequences; can be done with the Linux ping command
- Was written over 5 years ago, before port knocking was a common thing

8. Introduction to Cerberus: Dana's Port Knocking Daemon
- Small daemon written in C, tied to libpcap, which sniffs all inbound ICMP ping packets (type 8, echo request)
- Requires very little overhead and doesn't have to look for packet patterns or watch system logs closely.
- Uses some simple, yet effective techniques to provide rudimentary authentication

9. How Cerberus Works
Looks for specially crafted ICMP type 8 ping packets. Once found, breaks the packet payload down into the following 16-byte structure:

struct {
    2 byte Initiator (0xDEAD)
    1 byte UserID
    1 byte ActionID (Action sequence)
    8 byte One Time Password (OTP)
    4 byte IP address (Dotted decimal to Hex)
}

10. How Cerberus Works: The OTP
The One Time Password is a hash of:
- The current date and time, down to the minute
- A system server seed
- An individual user passcode
- The IP address to allow in (in dotted decimal format)
The hash used is an MD5 of that data concatenated together.
The OTP is the last 16 characters of the hex hash result (the last 8 bytes of the digest).

11. Crafting a Cerberus Packet
Make the OTP:
    date +%d%m%y%k%Msome_seedmy_pincode204.244.123.234 | md5sum | cut -c 17-32
Send the packet:
    ping -c1 -p dead4201f0b70bc031a365e9ccf47bea mymachine.com
(ping's -p option takes up to 16 pad bytes in hex, which is exactly one Cerberus record; ping repeats the pattern to fill the packet's data area.)

12. Packet Pattern Breakdown
dead 42 01 f0b70bc031a365e9 ccf47bea
- Initiator: dead (0xDEAD)
- User ID: 42
- ActionID: 01
- Hashed OTP: f0b70bc031a365e9
- IP address as hex: ccf47bea (204.244.123.234)
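Both halves of the exchange on slides 9 through 12, written out as an added example rather than Dana's Cerberus source: the client derives the OTP exactly as the slide 11 shell pipeline does (including the trailing newline that `date` emits and `md5sum` hashes), packs the 16-byte record from slide 9 into a `ping -p` pattern, and the server side splits a received pattern back into fields and recomputes the OTP. The per-user passcode table, the user ID 0x42 / action 1, the constant-time comparison and the plus-or-minus one minute tolerance (the "time drift" idea from slide 14) are this example's assumptions; the slides do not describe how the daemon stores passcodes or handles clock skew.

```python
"""Cerberus-style ICMP knock: OTP derivation, 16-byte record, and server-side check.

Added example following the slides; not the Cerberus daemon's own code.
"""
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD
# Network byte order: 2-byte initiator, 1-byte user ID, 1-byte action ID,
# 8-byte OTP, 4-byte IPv4 address -> 16 bytes, exactly one `ping -p` pattern.
RECORD_FMT = ">HBB8s4s"
RECORD_LEN = struct.calcsize(RECORD_FMT)


def minute_stamp(when: datetime) -> str:
    """Mirror `date +%d%m%y%k%M`; %k is the hour padded with a space, not a zero."""
    return when.strftime("%d%m%y") + f"{when.hour:2d}" + when.strftime("%M")


def make_otp(when: datetime, seed: str, pincode: str, allow_ip: str) -> str:
    """Slide 11 pipeline: stamp + seed + pincode + IP, piped to md5sum, chars 17-32.

    `date` ends its output with a newline and md5sum hashes that byte too, so the
    newline is part of the hashed material here as well.
    """
    material = (minute_stamp(when) + seed + pincode + allow_ip + "\n").encode()
    return hashlib.md5(material).hexdigest()[16:32]


def build_payload(user_id: int, action_id: int, otp_hex: str, allow_ip: str) -> bytes:
    """Pack the slide 9 struct; `.hex()` of the result is the `ping -p` argument."""
    return struct.pack(RECORD_FMT, INITIATOR, user_id, action_id,
                       bytes.fromhex(otp_hex), ipaddress.IPv4Address(allow_ip).packed)


def parse_record(payload: bytes):
    """Server side: split a 16-byte pattern into its fields, or None if it is no knock."""
    if len(payload) < RECORD_LEN:
        return None
    initiator, user_id, action_id, otp, ip = struct.unpack(RECORD_FMT, payload[:RECORD_LEN])
    if initiator != INITIATOR:
        return None
    return {"user_id": user_id, "action_id": action_id,
            "otp": otp.hex(), "allow_ip": str(ipaddress.IPv4Address(ip))}


def verify_knock(payload: bytes, users: dict, seed: str, now: datetime,
                 drift_minutes: int = 1):
    """Recompute the OTP for now +/- drift_minutes and compare in constant time.

    The passcode table keyed by user ID and the drift window are assumptions of this
    example; the slides only say the daemon provides 'rudimentary authentication'.
    """
    rec = parse_record(payload)
    if rec is None or rec["user_id"] not in users:
        return None
    pin = users[rec["user_id"]]
    for delta in range(-drift_minutes, drift_minutes + 1):
        expected = make_otp(now + timedelta(minutes=delta), seed, pin, rec["allow_ip"])
        if hmac.compare_digest(expected, rec["otp"]):
            return rec  # caller would now open action_id for allow_ip
    return None


if __name__ == "__main__":
    # Seed, pincode and IP from slide 11; user ID 0x42 / action 1 assumed from slide 12.
    now = datetime(2004, 6, 13, 16, 26)
    otp = make_otp(now, "some_seed", "my_pincode", "204.244.123.234")
    payload = build_payload(0x42, 1, otp, "204.244.123.234")
    print("ping -c1 -p", payload.hex(), "mymachine.com")
    print(verify_knock(payload, {0x42: "my_pincode"}, "some_seed", now))
```

Feeding slide 12's pattern `dead4201f0b70bc031a365e9ccf47bea` to `parse_record` gives user 0x42, action 1, OTP `f0b70bc031a365e9` and allow-IP 204.244.123.234, which is the breakdown above. The drift loop is why a knock sent at 16:26:59 and received at 16:27:01 still verifies; a two-minute-old knock does not.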

13. Received packet breakdown
16:26:45.021294 IP stinger.scorpionsoft.com > S02060005180002c5.va.shawcable.net: icmp 64: echo reply seq 0
    0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305  E..T'...@.......
    0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e  .P....zW....@..^
    0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac  ..v...B.....X.#.
    0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
    0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
    0x0050: ccf4                                     ..
This is the server's echo reply, which carries the knock payload back to the client: after the 20-byte IP header, the 8-byte ICMP header and ping's own 8-byte timestamp, the 16-byte Cerberus pattern repeats for the rest of the data area.
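The slide 6 complaint that knocks are easy to pick off the wire applies to the ICMP variant as well once the record layout is known. As an added example (not part of the presentation or of Cerberus), the decoder below takes the tcpdump-style hex dump from slide 13, rebuilds the raw bytes, walks the IPv4 and ICMP headers and extracts every complete knock record from the repeated ping pattern. The capture is the echo reply (ICMP type 0), so the same fields are visible on the return path too. Two assumptions: the decoder finds the record by searching for the 0xDEAD initiator rather than at a fixed offset (the slides do not say how the daemon locates it), and the dump is treated as truncated, since it holds 82 of the 84 bytes the IP header announces, which leaves a partial third record.

```python
"""Decode Cerberus knock records out of a tcpdump -X style hex dump.

Added example, not Cerberus code. Input is the capture shown on slide 13.
"""
import ipaddress
import re
import struct

INITIATOR = b"\xde\xad"
RECORD_LEN = 16

# Slide 13's capture. Its last line is short: 82 bytes were captured, 84 declared.
SLIDE_13_DUMP = """\
0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305  E..T'...@.......
0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e  .P....zW....@..^
0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac  ..v...B.....X.#.
0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
0x0050: ccf4                                     ..
"""

_HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn "0xNNNN: hhhh hhhh ...  ascii" lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # At most eight 2-byte groups per line; anything after them is the ASCII column.
        for group in line.split(":", 1)[1].split()[:8]:
            if not _HEX_GROUP.match(group):
                break
            out += bytes.fromhex(group)
    return bytes(out)


def decode_knock_packet(raw: bytes) -> dict:
    """Parse IPv4 + ICMP headers, then every complete knock record in the echo data."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack(">H", raw[2:4])[0]
    if raw[9] != 1:
        raise ValueError("not an ICMP packet")
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    icmp_type, icmp_code = raw[ihl], raw[ihl + 1]
    data = raw[ihl + 8:]                           # echo data after the 8-byte ICMP header

    # Linux ping writes its own timestamp first and repeats the -p pattern after it,
    # so search for the first initiator instead of assuming an offset (assumption).
    records, trailing = [], 0
    start = data.find(INITIATOR)
    if start >= 0:
        body = data[start:]
        for off in range(0, len(body), RECORD_LEN):
            chunk = body[off:off + RECORD_LEN]
            if len(chunk) < RECORD_LEN:
                trailing = len(chunk)              # partial record: capture ran out
                break
            if not chunk.startswith(INITIATOR):
                break
            records.append({
                "user_id": chunk[2],
                "action_id": chunk[3],
                "otp": chunk[4:12].hex(),
                "allow_ip": str(ipaddress.IPv4Address(chunk[12:16])),
            })
    return {
        "src": str(src), "dst": str(dst),
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "declared_length": total_len, "captured_length": len(raw),
        "records": records, "trailing_bytes": trailing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(decode_knock_packet(hexdump_to_bytes(SLIDE_13_DUMP)), indent=2))
```

On the slide 13 dump this yields two complete records, each user 0x42, action 1, OTP `e394db1158d423ac`, allow-IP 204.244.123.234, plus 14 trailing bytes of a third record that the capture cut off. Note the OTP differs from slide 12's because it was computed in a different minute.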

14. Things to consider when writing your own version of Cerberus
- Strength of cryptography. The hash is only as strong as the seed and passcode: the timestamp and IP address travel in the clear, so anyone who captures a knock can guess seed and passcode offline against the OTP.
- Time synchronization. Use time drift techniques to combat the sliding time window.
- Not all firewalls allow pings through from untrusted hosts.
- Not a replacement for good ACLs and strong authentication. It is merely an augmentation to a defense in depth posture!
- Optimize code, drop ping floods, or expect to be DoS'd!

15. This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Scorpion Software Corp. All rights reserved.
This presentation is for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.