Александр Зайцев - Port Knocking, short notes

Published in: Business, Technology

  1. Port knocking challenge: the short notes
     Sheridan: Knock, knock. Ivanova: Who's there? Sheridan: Kosh. Ivanova: Kosh who? Sheridan: Gesundheit. [snickers] I thought that was a good one. (Babylon 5)
     PHD CTF Afterparty 2011
  2. Step by step into the trap: Step 1, Step 2, Step 3, Step 4 (copyright: http://www.portknocking.org/)
  3. Task overview: 1 box running FreeBSD; 1 anonymous FTP server; 1 file: traffic.zip -> traffic.pcap; slightly modified cdoor.c by FX of Phenoelit
  4. Traffic.pcap #1
  5. Traffic.pcap #2
  6. Initial state
  7. "Knocked" state
  8. EINDBAZEN solution
       #!/usr/bin/python
       # sheldon.py
       # EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
       import subprocess          # needed for subprocess.call() below
       # Import scapy
       from scapy.all import *
       conf.verb = 0
       # Ports
       ports = [951, 4826, 9402, 235, 16821, 443, 100]
       # Knock twice on every port (two SYNs from two different source ports)
       for dport in range(0, len(ports)):
           print "[*] Knocking on 192.168.0.5: ", ports[dport]
           ip = IP(dst="192.168.0.5")
           port = 39367
           # scapy expects the option name as a string: ('MSS', 1460)
           SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
           send(SYN); print "*KNOCK*"
           port = 39368
           SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS', 1460)], seq=0)
           send(SYN); print "*KNOCK*"
       print "PENNY"
       # Use NMAP for scanning for open ports
       # We also use -sV, so nmap connects to the port and gets the flag
       print "[*] Scanning for open ports using nmap"
       subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)
  9. Simple solution
       nmap -n -sS -T2 -r -p951 192.168.0.5
       nmap -n -sS -T2 -r -p4826 192.168.0.5
       nmap -n -sS -T2 -r -p9402 192.168.0.5
       nmap -n -sS -T2 -r -p235 192.168.0.5
       nmap -n -sS -T2 -r -p16821 192.168.0.5
       nmap -n -sS -T2 -r -p443 192.168.0.5
       nmap -n -sS -T2 -r -p100 192.168.0.5
       nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5
  10. Why not?
      Why not "nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5"?
      Because, quoting FX in cdoor.c: "The best way to send the required SYN packets to the system is the use of nmap: ./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target> NOTE: the Polite timing ensures, that nmap sends the packets serial as defined."
      Nowadays "-T Polite" no longer ensures sequential transmission of the SYN packets.
  11. Advantages
      - A sequence of 3 simple TCP knocks requires 281,474,976,710,656 packets (65536^3 = 2^48) to brute-force in the worst case
      - Usually only the IP that provided the correct sequence is whitelisted
      - Simple implementation – fewer vulnerabilities
      - Prevents login brute-force and mass vulnerability exploitation
      - In some cases may aid in DoS mitigation
      - Modern implementations allow the use of cryptographic hashes inside the knocking sequence (Single Packet Authentication)
  12. Disadvantages
      - If the knocking daemon dies, the "system dies": solved by a process monitor daemon
      - Can be locked out with IP spoofing: solved by adding crypto-hashes
      - Dropped packets result in an incorrect knock: solved by retransmission
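The state machine behind the "Initial state" and "Knocked" state slides, carried through the failure modes listed above, as an added Python example that is not cdoor.c, the challenge daemon or the EINDBAZEN script. It assumes per-source-IP tracking, a 10-second inter-knock timeout, and that a retransmitted SYN to the port just accepted is ignored; it runs over constructed SYN events, not traffic.pcap.

```python
# Port-knock sequence tracker over SYN events (timestamp, src_ip, dst_port),
# the kind a SYN-filtered pcap would yield. Added example: not cdoor.c,
# not the challenge daemon, not the EINDBAZEN script.

KNOCK_SEQUENCE = [951, 4826, 9402, 235, 16821, 443, 100]  # ports from the slides
KNOCK_TIMEOUT = 10.0  # assumption: max seconds between two consecutive knocks


def track_knocks(events, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
    """Return {src_ip: completion_time} for sources that reached the knocked state.

    Assumptions: state is per source IP; the expected port advances it; a
    duplicate SYN to the port just accepted is ignored (so a dropped knock can
    be retransmitted); any other SYN resets it, which is also why a spoofed
    wrong knock can lock a legitimate client out.
    """
    state = {}   # src_ip -> (index of next expected port, time of last knock)
    opened = {}  # src_ip -> timestamp at which the full sequence completed
    for ts, src, dport in sorted(events):
        idx, last = state.get(src, (0, ts))
        if idx and ts - last > timeout:
            idx = 0                                   # stale partial sequence
        if dport == sequence[idx]:
            idx += 1                                  # correct knock: advance
        elif idx and dport == sequence[idx - 1]:
            pass                                      # duplicate of previous knock
        elif dport == sequence[0]:
            idx = 1                                   # wrong knock, but it restarts
        else:
            idx = 0                                   # anything else resets
        if idx == len(sequence):
            opened[src] = ts                          # "knocked" state reached
            idx = 0
        state[src] = (idx, ts)
    return opened


def sample_events():
    """Constructed SYN events, not taken from traffic.pcap."""
    ev = []
    for i, p in enumerate(KNOCK_SEQUENCE):            # 10.0.0.1: two SYNs per port
        ev += [(i * 1.0, "10.0.0.1", p), (i * 1.0 + 0.5, "10.0.0.1", p)]
    ev += [(0.1, "10.0.0.2", 951), (0.6, "10.0.0.2", 4826),   # 10.0.0.2: a stray
           (1.1, "10.0.0.2", 80), (1.6, "10.0.0.2", 9402)]    # SYN to 80 resets it
    ev += [(t, "10.0.0.3", p) for t, p in                      # 10.0.0.3: knock on
           zip([0, 1, 2, 3, 4, 30, 31], KNOCK_SEQUENCE)]        # 443 is 26 s too late
    return ev


if __name__ == "__main__":
    print(track_knocks(sample_events()))  # {'10.0.0.1': 6.0}
```

Only 10.0.0.1 reaches the knocked state; the stray SYN from 10.0.0.2 and the late knock from 10.0.0.3 both reset their state, which is the behaviour the Disadvantages slide describes.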
  13. Defense in depth: after all, it's just another layer
  14. The more you know
      http://www.phenoelit-us.org/stuff/cd00rdescr.html - original cdoor.c
      http://eindbazen.net/?p=316 - challenge write-up from the EINDBAZEN team
      http://en.wikipedia.org/wiki/Port_knocking - basic info (used in this presentation)
      http://www.portknocking.org - one big port knocking/SPA resource
      http://www.aldabaknocking.com/?q=portknocking - another big port knocking/SPA resource
  15. FIN. azaitsev@ptsecurity.ru @arbitrarycode