Security Basics mailing list archives
Re: Port-Knocking vulnerabilities?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 31 Dec 2007 21:50:58 +0100
On 2007-12-31 Robert Inder wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:On 2007-12-28 Jay wrote:Portknocking is a security mechanism as it is a type of authentication. "Something you know" in this case the sequence of ports to knock before a unstarted service or daemon begins listening for connections.Since everything is transmitted in the clear port-knocking is as much of a security mechanism as cleartext passwords. Technically: maybe (depending on your definition). Realistically: no.I think your dismissal of port knocking (and, indeed, plain text passwords) is unrealistic. If you can intercept my interaction with some remote server, you can steal the relevant secrets (the password or the sequence of ports). But isn't that quite a substantial "if"?
The substantial "if" is the question if intercepting the transmission will allow an attacker to learn the secret without having to compromise either the sender or the receiver of the communication. If an attacker can do that, then the authentication mechanism is insecure and thus mere obscurity. Period.
How are you going to do it? Aren't you going to have to compromise some other machine, either where I am, or where the server is (or, I guess, where the relevant DNS records are), and then plant software to deliberately wait and watch until a relevant interaction takes place?
http://ettercap.sourceforge.net/ There are other attack vectors as well.
I'm not saying that's impossible. But it would take considerable knowledge, planning and effort. Why doesn't that make it a substantial defence against most kinds of casual attack?
Because "substantial" is the opposite of "casual". A measure that won't also stop a determined attacker is just obscurity, not security. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- RE: Port-Knocking vulnerabilities?, (continued)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 28)
- RE: Port-Knocking vulnerabilities? Sean Tindall (Dec 31)
- Re: Port-Knocking vulnerabilities? T. Shannon Gilvary (Dec 28)
- RE: Port-Knocking vulnerabilities? nobledark (Dec 28)
- Re: Port-Knocking vulnerabilities? Jay (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- Re: Port-Knocking vulnerabilities? Robert Inder (Dec 31)
- Re: Port-Knocking vulnerabilities? Goldstein101 (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- Re: Port-Knocking vulnerabilities? Brent Huston (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)