Security Basics mailing list archives
Re: Port-Knocking vulnerabilities?
From: Goldstein101 <goldstein101 () gmail com>
Date: Mon, 31 Dec 2007 20:40:39 +0100
I guess most of you haven't bothered to check what port knocking really is capable of 'cause I'm reading a lot of things that are not true. First of all, Port Knocking is just another layer of security. Think of it as the door of a room that contains a safe. You first have to break the port knocking daemon and then the safe. Not that easy, believe me. Second, Who said port knocking is like transmitting a password in cleartext? Most modern PK systems are encryption based. An attacker can sniff port numbers but packets usually contain other information that is used for authentication. For example I use Aldaba Knocking Suite (aldabaknocking.com) which provides Port Knocking and Single Packet Authorization. In Port knocking mode, basically the client sends this: [IP Address][Port Number][Open/Close Flag][Checksum]. That information is encrypted and sent encoded in the IP-Id field of 4 TCP-SYN packets. This way you have 2 forms of authentication: The first is simple: you need to know the exact port numbers to use when sending those TCP-Syn Packets. Second: you need to know a secret (the encryption key) used to encrypt the information. If you don't have it, you can send random data but when decrypted, it won't verify the checksum. However, Port Knocking has some disadvantages and vulnerabilities. A better and more elegant approach is SPA. Check it out. There are some papers out there. .. On Dec 31, 2007 7:27 PM, Robert Inder <robertinder () googlemail com> wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:On 2007-12-28 Jay wrote:Portknocking is a security mechanism as it is a type of authentication. "Something you know" in this case the sequence of ports to knock before a unstarted service or daemon begins listening for connections.Since everything is transmitted in the clear port-knocking is as much of a security mechanism as cleartext passwords. Technically: maybe (depending on your definition). Realistically: no.I think your dismissal of port knocking (and, indeed, plain text passwords) is unrealistic. If you can intercept my interaction with some remote server, you can steal the relevant secrets (the password or the sequence of ports). But isn't that quite a substantial "if"? How are you going to do it? Aren't you going to have to compromise some other machine, either where I am, or where the server is (or, I guess, where the relevant DNS records are), and then plant software to deliberately wait and watch until a relevant interaction takes place? I'm not saying that's impossible. But it would take considerable knowledge, planning and effort. Why doesn't that make it a substantial defence against most kinds of casual attack? Robert. -- Robert Inder Interactive Information Ltd, Registered in Scotland 07808 492 213 3, Lauriston Gardens, Company no. SC 150689 0131 229 1052 Edinburgh EH3 9HH SCOTLAND UK Interactions speak louder than words
-- Goldstein. Room 101, Ministry of Truth. W2, London. Oceania.
Current thread:
- Port-Knocking vulnerabilities? Kappa Alpha Pi Eta (Dec 28)
- RE: Port-Knocking vulnerabilities? Tom Corelis (Dec 28)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 28)
- RE: Port-Knocking vulnerabilities? Sean Tindall (Dec 31)
- Re: Port-Knocking vulnerabilities? T. Shannon Gilvary (Dec 28)
- <Possible follow-ups>
- RE: Port-Knocking vulnerabilities? nobledark (Dec 28)
- Re: Port-Knocking vulnerabilities? Jay (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- Re: Port-Knocking vulnerabilities? Robert Inder (Dec 31)
- Re: Port-Knocking vulnerabilities? Goldstein101 (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- RE: Port-Knocking vulnerabilities? Tom Corelis (Dec 28)
- Re: Port-Knocking vulnerabilities? Ansgar -59cobalt- Wiechers (Dec 31)
- Re: Port-Knocking vulnerabilities? Brent Huston (Dec 31)
- RE: Port-Knocking vulnerabilities? Craig Wright (Dec 31)