Slashdot Mirror

← Back to Stories (view on slashdot.org)

Port Knocking in Action

Posted by CmdrTaco on from the crazy-security-through-obscurity dept.

tyldis writes "There was something called "port knocking" mentioned on Slashdot earlier, and now an implementation has sprung to life. Is this something worth pursuing?" The page is to an application called knockd which is a simple proof of concept with hard coded knock sequences. Really interesting stuff.

44 of 430 comments (clear)

  1. How do you transcribe... by JesseL · · Score: 5, Funny

    "shave and a haircut" into port numbers?

    --
    "Prefiero morir de pie que vivir siempre arrodillado!"
    1. Re:How do you transcribe... by winkydink · · Score: 4, Funny

      I dunno. How many ports can you knock on with two bits?

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:How do you transcribe... by Hanji · · Score: 4, Funny
      $perl -e 'print join(",",unpack("s*","shave and a haircut"))."\n"'
      29544,24950,25888,24942,25632,24 864,26721,26994,25461
      Q-BASIC, BAH
      --
      A Minesweeper clone that doesn't suck
  2. Knock Knock by Anonymous Coward · · Score: 4, Funny

    You can keep on knockin' but ya can't come in

  3. Great for warez... by danielrm26 · · Score: 5, Interesting

    I can see this being used quite extensively in the warez arena. It'd be pretty easy to give out the "key" to clients who are allowed access, while any ISP scanning for FTP servers, for example, would find nothing open.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Great for warez... by caluml · · Score: 4, Informative

      I fear the ISP might just watch for large amounts of data spewing out on tcp/20.

      --
      Get your own free personal location tracker
  4. Knock Knock? by qualico · · Score: 4, Informative

    Who's there?

    Just a bunch of hackers knocking with sequences they captured from sniffing.

    1. Re:Knock Knock? by DarkMan · · Score: 5, Insightful

      Meh, throw some cryptography into the mix.

      Take the source IP, add a password, take a one way hash. Include this hash in the knocking packets.

      Now, if you've sniffed the packets, then you won't know the password. So, you can spoof the source IP, in which case the port will be opened _for that IP only_, or you can send the knocking packets from you IP, in which case, you need that password, or you've just advertised yourself as a hacking attempt.

      In order to prevent a single password for everyone situation, it's not hard to include a user ID in the packets.

      Does need the application or firewall to allow connections to and from specific IP's only - but I really can't see that being an issue.

      Problem solved.

    2. Re:Knock Knock? by timeOday · · Score: 4, Informative

      Not unless they can get into a router on the path between you and someone valid who logged in, or the same ethernet segment.

    3. Re:Knock Knock? by Anonymous Coward · · Score: 4, Informative

      Encrypted port knocking is pointless. Here's why: Port knocking only makes sense if the protected system reacts to the individual knocks as if there was no port knocking system. Only when the knock sequence has been completed it opens the port. This means that you can't do any handshaking. All communication is one-way until it's "too late". Consequentially, since there is no challenge which could require a different response, replay attacks are unavoidable unless you use one-time passwords and then there's no point in encrypting the passwords.

      If you decide to send a challenge to the knocker, you could just as well use regular authentication over a TCP channel.

      The point of port knocking is to hide the existence of a regular channel, not to protect it from someone who knows that it's there. Someone who can sniff your packets is by definition already past that layer of protection, so any attempt to complicate the knock-layer will only increase the chance of creating another vulnerable interface. Keep it simple or don't do it.

    4. Re:Knock Knock? by tonywong · · Score: 5, Interesting

      It gets better than that. Just imagine a honeypot connection for people who don't port knock. That way there is a better measure of security through obscurity since non-port knockers believe that they're actually getting through the systems' defense layers.

  5. old by ozric99 · · Score: 5, Funny
    When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

    pfft, XP has had this for ages....

  6. ISP Port-Scanning by ckswift · · Score: 5, Insightful

    This might be useful when ISPs routinely port-scan their subscribers to discover if their running services in violation of their TOS.
    This will allow your computer to appear not to be running services expect to the person who knows the magic knock.

  7. Fyodor must be busy... by stevens · · Score: 5, Insightful

    I'm betting that nmap binary is about to get much bigger...

  8. Knock Knock by Anonymous Coward · · Score: 5, Funny

    Who's there?

    Packet.

    Packet who?

    Packet up bitch, you've been hacked.

  9. how long till... by Anonymous Coward · · Score: 5, Interesting

    till we see virus/worms that install port knocked backdoors.

    'virus x appears to open up 200 ports for no real reason, but it also has some remote desktop code in there too opened on a firewalled port....'

  10. authpf? by m0rph3us0 · · Score: 4, Interesting

    Why use port knocking. It is no more secure than plain-text passwords. Use authpf. authpf can be set as the shell so when a user logs in authpf just changes the firewall rules.

    1. Re:authpf? by smcavoy · · Score: 5, Insightful

      passwords and port knocking are two different things.
      A perfect example of what it could allow to be done is on knockd's homepage.
      Basically, ssh would not be an open port, you'd have to knock (connect to) the right sequence of ports, which would trigger a rule that could allow only the IP that made the successful knock, access to the ssh port.
      Then when your done you would have another sequence of ports you'd have to "knock" in order to remove the rule allowing access.

    2. Re:authpf? by debrain · · Score: 4, Informative

      The usable alphabet for a suicide TCP packet header is, I do believe, in bits:
      16: dest. port
      16: src port
      32: seq id
      6: flags
      16: window
      16: urgent
      40: options
      That gives us an alphabet 2^142 ~= 5.6 * 10^42. Not to mention that a sequence of packets can be combined, extending the language. Indeed, its cardinality is a natural ordinal, so the same as any password, if not more, by virtue of passwords being limited by an input buffer.

      Knocking need only finite state between packets, simply indicating a status of "last packet correct knock?"; successive knocking therein is in a cardinality greater than passwords. Knocking can happen over a period of months (as I have seen it), and be virtually undetectable for all but the most sophisticted (ie. expensive) means of detection.

      In combination with a time-synchronized one-time pad, you can generate an unrepeatable, provably (in the mathematical sense) secure system of access or commands. For example, for the minute of 13:01 EST, there can be a specific TCP packet, or series of packets that unlocks the door or executes a command. At no other predictable time would this knock be useful. (Time synchronization here is an issue, but often this attack will be used on machines that do care about an atomic clock sync).

      You can do the same thing with a password over SSH, but that's higher level, using more complex code, and inherently more likely to succumb to high-level assaults such as buffer overflows, as well as mathematical assaults on the encryption itself, both of which fundamentally compromise the system's security.

      In short, time-synchronized knocking is safer, simpler, and smarter than passwords or encryption for a certain number of niche applications.

  11. Another implementation by frobisch · · Score: 5, Informative

    is pasmal

  12. Nice start by javatips · · Score: 4, Insightful

    That's a nice start.

    It would be nice to be able to use one-time pad to generate the port sequence. By changing constantly, it would be almost impossible for passive listeners to snif the port sequence.

  13. Re:one of many by Anonymous Coward · · Score: 4, Funny

    Actually I counted 11 other port knocking implementations. Really I did. Can I get modded +4 also?

  14. Interesting by debrain · · Score: 5, Interesting

    This sort of clandestine type of communication has been known about in the security community for a long time - pretty much since the ARPA days. Some backdoors used specific sequences of TCP flags, with no practical TCP use other than opening a backdoor, but permitting anonymous communication or command broadcasting.

    With access to a TCP stack and a link-layer sniffer, you can send and receive, respectively, commands to ghosts in working machines, transparent proxies or "harmony" devices. It is good to see this sort of thing coming to light, since it is extraordinarily powerful and not very well known.

    An example of these probing commands are Xmas, Fin, and Null scans for Fyodor's nmap; note that other TCP flags (TCP options, in particular) can harbour substantially more information than the flags alone.

    Unfortunately, in the modern age of macro viruses, it is hardly necessary to be skilled or even aware of such devices to write a devastatingly powerful virus.

  15. Port Knocking implementations by bwhaley · · Score: 4, Informative

    Lots of info available via a google search...

    A few implementations here.

    I don't think will be very useful/valuable until clients (such as ssh) have it built in. I don't feel like going through the hassle each time I want to connect. Though it would keep comcast from discovering my ssh service...

    --
    "I either want less corruption, or more chance
    to participate in it." -- Ashleigh Brilliant
    1. Re:Port Knocking implementations by lambent · · Score: 5, Interesting

      Off the main topic, but regarding comcast ...

      I've spoken with several reps at Comcast over the past year. They don't really care what servers you run. (I've been told this explicitly as well as tacitly) In fact, when I first contacted tech support, the guy had no idea what SSH, Telnet (ssh is like an encrypted telnet, right?) or even what a port was.

      I've been running an ssh server for about 8 months uninterrupted, now. The general rule of thumb seems to be - If you don't cause trouble for anyone else, Comcast won't cause trouble for you. So, in that interest, I impose reasonable caps on my own throughput and connection counts, and I've had no problems at all.

  16. Why is this more secure... by TheSHAD0W · · Score: 4, Insightful

    Than a single coded UDP packet?

  17. portknocking.org by trip23 · · Score: 5, Informative

    You'll find some more stuff on http://www.portknocking.org...

  18. Time based defenses by frenztech · · Score: 5, Interesting

    I remember talking about port knocking and its inherent sniffing vulnerability previously.

    Basically, if someone can sniff the sequence of packets, they can get your static knock sequence.

    However, if you base it on their IP perhaps, or add in a timestamp (ie, on this date, at this time, you must do this sequence) then it would make port knocking a much more effective method of deceiving attackers.

    You could also do something where knock sequence would be a form of one time password. So you would have a list of valid knocks that could only be used in order. Each person could be given a "block" of these one time passes, or the sequences could be generated on the fly as other current implementations of one time keys are.

    There are lots of great possibilities, if only I were smart enough to think of them ;) I'm currently implementing a c++ networking class for a project with port-knocking built in, and it uses the timestamp method. (Of course, they all have to compute the timestamp for one zone, GMT or wherever)

    --
    "Sed Quis Custodiet Ipsos Custodes?" -Juvenal
  19. Sniffing only works when on that network. by khasim · · Score: 4, Insightful

    You can only sniff packets on a network you are attached to.

    What that means in real life is that someone would have to be connected somewhere along the route from your machine to the server you're knocking on.

    I am in Seattle, I can knock on my server from another location in Seattle. Someone in Canada will not be able to capture any of my packets.

    Port knocking allows me to run a service on the Internet and not worry about just anyone from anywhere connecting to it.

  20. Re:one of many by tverbeek · · Score: 4, Insightful
    port knocking is like having a deliberate hole in your carefully constructed secure zone.

    Well, yes. That's the point: to enable access to a secured system. It's often a necessary evil. The issue is that most people implement these deliberate holes by leaving certain ports open to simple direct access. They're easy to find, and not all that difficult to exploit. Adding a layer of obscurity and another layer of security on those holes - in effect putting a concealed combination lock on them - would be a more secure way of doing that.

    --
    http://alternatives.rzero.com/
  21. So there I was by ch-chuck · · Score: 4, Funny

    I'd just scp'd a new file to my ISP, ssh'd in to edit index.html, checked email, and then when I refreshed the page in http, suddenly I has root access!

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  22. It's broken, and the real solution is simple by Anonymous Coward · · Score: 5, Insightful

    Sniffing the sequence allows a replay attack.

    The correct implementation is to listen in promiscuous mode for any packet containing a small, known header, then inspect the rest of the packet for a gpg-signed request to open a port or service, or alternately initiate a connection. Only the possessor of the private key can make a request (attacker's attempts fail the signature check), a man in the middle cannot decrypt the contents, and replay attacks are defeated by the timestamp.

    -1, Security by Obscurity.

    1. Re:It's broken, and the real solution is simple by Torne · · Score: 4, Insightful

      If you use signatures, IPSEC, or anything more complex than knocking, you need the client to support it. You can knock using nothing but telnet. That's kinda the point. =)

  23. It's all about layers of security by pkiguruman · · Score: 4, Insightful

    If you are using portknocking as your only defense, then you are as smart as dirt and deserve what's coming to you.

    I think it fits in great as a layer of defense.
    Is there an easier way to weed out the attempts from all of those script kiddies and worms to get into certain services on your network?

  24. Responses to assertions that this is insecure by cryptor3 · · Score: 5, Insightful

    A number of people have commented that because the port knocking sequence is transmitted without any form of encryption, port knocking is insecure. I disagree, on the basis that port knocking is not an access control measure, but rather a deterrent measure.

    If you intend for port knocking to stop determined, targeted attacks, then yes, you are sadly mistaken. However, port knocking is effective in making your host less attractive to be hacked.

    I think that an limited analogy is the removable stereo faceplate. Car stereos are a hot target for car thieves. A car thief sweeping a parking lot will not spend time on cars where he does not see the whole stereo (faceplate included).

    By hiding the faceplate, you make yourself less likely to be a victim, even if you just leave the faceplate in your glovebox. If the thief saw where you hid your faceplate, then yes, he could pop it back in and have your stereo in the 30 seconds it takes him to yank it out. But he would have to be watching you. This would be akin to packet sniffing.

    Likewise, someone scanning for a host is looking for evidence of a particular (vulnerable) service. If he doesn't see that service on your PC, he just moves along.

  25. Re:About as secure as telnet(1) ie not. by LordKronos · · Score: 4, Interesting

    Exactly, this whole idea is stupid. It's a password sent one character per packet instead of all in the same packet.

    As I said the last time this idea appeared on slashdot, if you want to hide a port from someone but make is still accessible to people who know the "password", here is what you do.

    1) stealth the port by default, so it accepts no TCP connections.
    2) Have the port silently listen for UDP packets. UDP is fine, because no acknowledgement is sent to the sender, so they don't whether you recieved the packet and ignored it, or if it never got to you.
    3)When you receive a UDP packet, see if it contains the correct password. If it does, than you start accepting TCP connections for that IP address only.

    At this level, this is just as secure as port knocking (password=port sequence). However, it has an advantage that port knocking doesn't. You can encrypt the packet with the server's public key, so that only the server can get the password out of the packet. You can also require that the packet contain an IP address in addition to the password and then verify that the IP in the packet matches the IP the packet came from. This prevents people from intercepting and replaying the encrypted UDP packet.

  26. A different solution by Pros_n_Cons · · Score: 4, Informative

    there is another similar idea written by Brian Hatch author of Hacking Linux Exposed. Instead of 'knocking' ports which as I understand it can be vulnerable to brute force like attacks Hatch's solution uses dns queries to dynamicly open up ports through the firewall, using the dns query as a password. There is no 'service' listening but there is a sniffer waiting for a key string on port 53 that it will take action on. The best thing is it is OS agnostic since DNS query tools are already on all OS's no client software, or technical know-how is needed. And easily customizable if you're fluent in perl.
    These kind of things are not ment for full access, only by allowing you access to the daemon which still has its own acl. When you travel sometimes you're not aware of what IP address your laptop will have so you set a dns query to your home machine which opens the SSH port for you. The whole point is to prevent random attacks from people scanning vulnerable daemons. The following are links to Brian Hatches explinations and code.

    Part 1
    Part 2
    Part 2

    --

    -- "of course thats just my opinion, I could be wrong." --Dennis Miller
  27. port knocking with perl by ubiquitin · · Score: 4, Informative

    My friend Thom Harrison at the Omaha Linux Users Group has posted some scripts which do port knocking and have the following CPAN dependencies:

    |use File::Tail;
    |use Crypt::CBC;
    |use Schedule::At;
    |use Math::VecStat qw(sum);
    |use POSIX qw(strftime);
    |use Pod::Usage;

    --
    http://tinyurl.com/4ny52
  28. Used to be done in phone systems by HPNpilot · · Score: 5, Interesting

    Well at least I used to build them in. It was so simple many others must have done the same thing. Take a 10-step relay, put a 1 minute reset timer on it, and wire each of the first few steps to a pulse gen anded with one of the incoming lines' ring detect. If the right sequence of incoming calls happened, it connected a separate incoming WATS line to a WATS outgoing line. Viola! Free calls from anywhere to anywhere, and nobody would ever notice if you were careful to only select "unlimited" outgoing WATS lines. We're talking something like 35 years ago here...

  29. More secure than people think by Experiment+626 · · Score: 5, Interesting

    Most of the arguments here against port knocking are along the lines of "but someone could just do a replay attack" or "this is vulnerable to spoofing" or whatever. These things are true about a naive implmentation of port knocking that uses a static knock, but it's not hard to come up with variants on the port knocking idea that offer much better security than that. For instance:

    1. Connect to server on some constant, always-open port.
    2. Server sends back a string, then closes connection.
    3. Using this string and a secret password, determine the current knock sequence.
    4. Connect to server using this knock sequence.
    5. Once a knock sequence has been used, serevr invalidates it, creates a new sequence, and begins publishing the string corresponding to the new knock sequence.

    The secret key of course has to be kept secret, and the underlying crypto must be good enough that if the attacker sees the challenge and the knock sequence used to reply, the key itself cannot be deduced.

    This would completely protect from replay attacks, as knocks are not reused. Spoofing could potentially be used to DOS someone by interfering with their knock sequence, but not to gain unauthorized access oneself.

    Sure, at first glance port knocking may seem to be of limited usefulness, but if you combine the idea with a little cryptographic thinking, the possibilities start to become a lot more exciting.

  30. Re:Port Knocking Needed by kir · · Score: 4, Informative

    Worms port knocking? That would be one very very very slow moving worm!

    Remember. There are 65535 different ports available. So, given that you can repeat port numbers and one uses a 4 port "combination", you get this.

    65535^4 = 18,445,618,199,572,250,625 different "combinations"

    I'm not even sure how to read that, but I doubt a worm would try it. It might take it a while.

    --
    3cx.org - A truly bad website.
  31. Order and Delivery Of Packets Is Not Guaranteed! by Dr.+Manhattan · · Score: 4, Informative
    Packets are not guaranteed to arrive in the order that they were sent, or even to arrive at all. The longer or more complex the knock sequence, the more unreliable this system will be. Especially for a busy server.

    There are less stealthy but more secure alternatives. I wrote one.

    --
    PHEM - party like it's 1997-2003!
  32. Parent is wrong by Ernesto+Alvarez · · Score: 5, Informative

    Encrypted port knocking is pointless. Here's why: Port knocking only makes sense if the protected system reacts to the individual knocks as if there was no port knocking system. Only when the knock sequence has been completed it opens the port. This means that you can't do any handshaking. All communication is one-way until it's "too late".


    The idea in the grandparent post wasn't a challenge-response in the traditional way. It was some authentication data along with the knocking.
    The knock won't be encrypted, but it will have some data that is characteristic of the source (the source IP) that can't be spoofed (because of the password and the one way hash).

    An example of this would be:

    1.Real owner takes his IP (public info)
    2.Real owner takes his secret password (known only to him)
    3.Using IP and password he computes the hash and sends it in the knocking packets (let's say it's in the IP id)
    4.The receiving system captures the knocking packets and takes IP source and the hash
    5.It reads the secret password (from config file)
    6.It calculates the hash with the source IP and password

    If the hash sent and the hash calculated match, the system "accepts" that part of the port knocking. If not, discards the packet.

    An intruder might only spoof the whole packet (including IP source) and might open the firewall only for that IP. If he tries to use the hash to open it for HIS ip, the calculated hash won't match the hash sent. He cannot calculate the hash he would need because he does not know the password, and the hash is one way.

    In this protocol the target system does not need to respond with a challenge, it just discards packets that are "spoofed" (that have a non matching hash).
    --
    GPG 0x1B479C78
  33. Re:one of many by Anonymous Coward · · Score: 5, Informative

    Why not just mod me up instead? I provide links!