Port Knocking, a charming security through obscurity protection

This post is a short analysis of the idea behind port knocking, the reasons why it provides a layer of security to systems and its limits when it comes to usability.
Introduction
A subset of network services is meant to be accessible only by a few authorized users (mainly system administrators). Services like SSH, web administrative panels and (S)FTP are often the most targeted because, if exploited, they may allow an attacker to gain a foothold in the system. Even information disclosure of running processes, username enumeration and similar actions can allow an attacker to collect enough information to plan more targeted and harmful attacks.

At this point port knocking comes in as a niche solution to conceal this type of network service from mass Internet scanners (e.g. Shodan).
It also comes in handy for protecting critical network services in the scenario where another host of the intranet has already been compromised and is being leveraged as a pivot.

Port knocking as a positive security through obscurity solution
Even if port knocking shields network services with a 'security through obscurity' mechanism, it does not introduce new security issues in addition to the ones that may already threaten the software under its protection. For example, an attacker that bypasses this mechanism still has to get past the authentication layer that the targeted service itself provides.

An overview of common implementations
Most port knocking implementations consist of hiding the ports associated with a process behind a firewall until a predetermined sequence of network events takes place. For example, when the correct sequence of knocked ports is registered in the log files, the firewall switches the target port to state 'open' and the shielded service becomes reachable.
Such solutions often rely on root privileges and are mostly designed to work with iptables (no cross-platform compatibility).

Common security issues in port knocking implementations
The above implementations suffer from replay attacks. That is, an attacker that sniffs the knocking sequence can reproduce the same order of packets to unblock the target service. Another common problem is that once the designated port is in state 'open', unexpected connections to this port may be established from unauthorized IPs.

An overview of modern implementations
To address the above problems, some port knocking solutions started to use additional features such as cryptography and IP whitelisting.
Moreover, clever implementations close the port as soon as a TCP connection is established. In this way the service exposure is further reduced.


For more details please have a look at http://portknocking.org/, where a very good list of implementations has been collected over the years.

knockandgo
I have developed 'knockandgo', my own implementation of port knocking.
During the design phase of the overall architecture and behaviour of the software, I took some decisions, recapped below:
  1. Cross-platform compatibility (for both client and server instances)
  2. Lightweight, easy to set up and use
  3. Configurable timeouts
  4. Does not rely on monitoring log data
  5. Does not require root/administrator privileges to accomplish its task
  6. IP spoofing mitigation, achieved through both IP whitelisting and the native presence of 'non-guessable' initial sequence numbers in TCP packets
  7. Replay attack mitigation through the presence of a timestamp in knock requests
  8. Integrity check to mitigate tampering attempts
  9. Hard to fingerprint, thanks to the encrypted traffic and a random UDP port to listen on
To satisfy conditions 1), 4), 5) and 9), I decided that the best way to accomplish this is to integrate the concept of port knocking with that of port forwarding. In fact, where most software just unblocks the target port, knockandgo dynamically instantiates TCP local forwarding processes that listen on random ports and connect the authorized user with the target service.
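The timestamp, integrity check and IP whitelisting described in the modern-implementations section and in points 6), 7) and 8) above can be sketched in a few lines. The following is an added example and not knockandgo's own code or wire format: it assumes a hypothetical knock request made of an 8-byte timestamp plus an HMAC-SHA256 tag under a pre-shared key, and a server-side verifier that rejects non-whitelisted sources, tampered tags, stale timestamps and replayed knocks.

```python
import hashlib
import hmac
import struct
import time

KNOCK_WINDOW = 30  # seconds a knock stays valid (assumed value, not knockandgo's)


def build_knock(key: bytes, now: int) -> bytes:
    """Client side: 8-byte big-endian timestamp followed by its HMAC-SHA256 tag."""
    ts = struct.pack("!Q", now)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()


class KnockVerifier:
    """Server side: whitelist, integrity, freshness and replay checks, in that order."""

    def __init__(self, key: bytes, allowed_ips, window: int = KNOCK_WINDOW):
        self.key = key
        self.allowed = set(allowed_ips)
        self.window = window
        self.seen = {}  # tag -> timestamp of knocks already accepted inside the window

    def verify(self, src_ip: str, knock: bytes, now: int) -> str:
        if src_ip not in self.allowed:
            return "rejected: ip not whitelisted"
        if len(knock) != 8 + 32:
            return "rejected: malformed"
        ts_raw, tag = knock[:8], knock[8:]
        expected = hmac.new(self.key, ts_raw, hashlib.sha256).digest()
        # constant-time compare so a forger learns nothing from timing
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad integrity tag"
        ts = struct.unpack("!Q", ts_raw)[0]
        if abs(now - ts) > self.window:
            return "rejected: stale timestamp"
        # forget knocks that fell out of the window so the replay cache stays bounded
        self.seen = {t: s for t, s in self.seen.items() if abs(now - s) <= self.window}
        if tag in self.seen:
            return "rejected: replay"
        self.seen[tag] = ts
        return "accepted"


if __name__ == "__main__":
    key = b"pre-shared-secret"  # constructed demo key
    verifier = KnockVerifier(key, ["203.0.113.5"])  # constructed whitelist
    knock = build_knock(key, int(time.time()))
    print(verifier.verify("203.0.113.5", knock, int(time.time())))  # accepted
    print(verifier.verify("203.0.113.5", knock, int(time.time())))  # rejected: replay
```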

knockandgo source code and usage examples are available at the following repository.

Conclusion
Port knocking provides a simple and valuable mechanism.
However, due to its setup and usability overhead, its adoption is best suited to network administrators or security professionals who want to access some network services remotely but, at the same time, need to hide their presence.
Obviously, servers cannot rely only on this approach, and firewall solutions play the largest part in securing the network perimeter.
