1. Port knocking challenge
the short notes
Sheridan: Knock, knock.
Ivanova: Who's there?
Sheridan: Kosh.
Ivanova: Kosh who?
Sheridan: Gesundheit. [snickers]
I thought that was a good one.
Babylon 5
PHD CTF Afterparty 2011

2. Step by step into the trap
Step 1 Step 2 Step 3 Step 4
Copyright: http://www.portknocking.org/

3. Task overview
1 box running FreeBSD
1 anonymous FTP server
1 file: traffic.zip->traffic.pcap
Slightly modified cdoor.c by FX of Phenoelit

4. Traffic.pcap #1

5. Traffic.pcap #2

6. Initial state

7. “Knocked” state

8. EINDBAZEN solution
#!/usr/bin/python
# sheldon.py
# EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
# Import scapy
from scapy.all import *
conf.verb = 0
# Ports
ports = [951, 4826, 9402, 235, 16821, 443, 100]
# Knock twice on every port
for dport in range(0, len(ports)):
print "[*] Knocking on 192.168.0.5: " , ports[dport]
ip = IP(dst="192.168.0.5")
port = 39367
SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0)
send(SYN) ; print "*KNOCK*"
port = 39368
SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0)
send(SYN) ; print "*KNOCK*"
print "PENNY"
# Use NMAP for scanning for open ports
# We also use -sV, so nmap connects to the port and get the flag
print "[*] Scanning for open ports using nmap"
subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)

9. Simple solution
nmap -n -sS -T2 -r -p951 192.168.0.5
nmap -n -sS -T2 -r -p4826 192.168.0.5
nmap -n -sS -T2 -r -p9402 192.168.0.5
nmap -n -sS -T2 -r -p235 192.168.0.5
nmap -n -sS -T2 -r -p16821 192.168.0.5
nmap -n -sS -T2 -r -p443 192.168.0.5
nmap -n -sS -T2 -r -p100 192.168.0.5
nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5

10. Why not?
Why not “nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5”?
Because:
The best way to send the required SYN packets to the system is the use of nmap:
./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target>
NOTE: the Polite timing ensures, that nmap sends the packets serial as defined.
FX - cdoor.c
Now “–T Polite” doesn’t ensure sequential transmission of SYN packets

11. Advantages
Sequence of 3 simple TCP knocks requires
281,474,976,710,656 packets to bruteforce (worst
case)
Usually only the IP provided the correct sequence
is whitelisted
Simple implementation – less vulnerabilities
Prevents login bruteforce and mass vulnerability
exploitation
In some cases may aid in DoS mitigation
Modern implementations allow usage of
cryptographic hashes inside knocking sequence
(Single Packet Authentication)

12. Disadvantages
If knocking daemon dies – “system dies”
solved by process monitor daemon
Can be locked out with IP-Spoof
solved by adding crypto-hashes
Dropped packets result in incorrect knock
solved by retransmission

13. Defense in depth
after
all
it’s
just
another
layer

14. The more you know
http://www.phenoelit-us.org/stuff/cd00rdescr.html
- original cdoor.c
http://eindbazen.net/?p=316
- challenge write-up from EINDBAZEN team
http://en.wikipedia.org/wiki/Port_knocking
- basic info (used in this presentation:)
http://www.portknocking.org
– one big port knocking/SPA resource
http://www.aldabaknocking.com/?q=portknocking
– another big port knocking/SPA resource

15. FIN.
azaitsev@ptsecurity.ru
@arbitrarycode