Александр Зайцев - Port Knocking, short notes
Download as PPT, PDF0 likes1,765 views
This document summarizes a port knocking challenge from the PHD CTF Quals 2011. Port knocking involves sequentially sending SYN packets to closed ports to trigger a service to open a specific port. The challenge involved knocking on 7 ports in the correct order to open an FTP server on another port. Two Python scripts are provided as solutions: one uses Scapy to send the port knocks, while another runs a series of Nmap scans to test the open ports. Advantages and disadvantages of port knocking are also discussed.
![Port knocking challenge
the short notes
Sheridan: Knock, knock.
Ivanova: Who's there?
Sheridan: Kosh.
Ivanova: Kosh who?
Sheridan: Gesundheit. [snickers]
I thought that was a good one.
Babylon 5
PHD CTF Afterparty 2011](https://image.slidesharecdn.com/portknockingshortnotes-120403163113-phpapp02/85/Port-Knocking-short-notes-1-320.jpg)
![EINDBAZEN solution
#!/usr/bin/python
# sheldon.py
# EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011
# Import scapy
from scapy.all import *
conf.verb = 0
# Ports
ports = [951, 4826, 9402, 235, 16821, 443, 100]
# Knock twice on every port
for dport in range(0, len(ports)):
print "[*] Knocking on 192.168.0.5: " , ports[dport]
ip = IP(dst="192.168.0.5")
port = 39367
SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0)
send(SYN) ; print "*KNOCK*"
port = 39368
SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0)
send(SYN) ; print "*KNOCK*"
print "PENNY"
# Use NMAP for scanning for open ports
# We also use -sV, so nmap connects to the port and get the flag
print "[*] Scanning for open ports using nmap"
subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)](https://image.slidesharecdn.com/portknockingshortnotes-120403163113-phpapp02/85/Port-Knocking-short-notes-8-320.jpg)
Александр Зайцев - Port Knocking, short notes
- 1. Port knocking challenge the short notes Sheridan: Knock, knock. Ivanova: Who's there? Sheridan: Kosh. Ivanova: Kosh who? Sheridan: Gesundheit. [snickers] I thought that was a good one. Babylon 5 PHD CTF Afterparty 2011
- 2. Step by step into the trap Step 1 Step 2 Step 3 Step 4 Copyright: http://www.portknocking.org/
- 3. Task overview 1 box running FreeBSD 1 anonymous FTP server 1 file: traffic.zip->traffic.pcap Slightly modified cdoor.c by FX of Phenoelit
- 8. EINDBAZEN solution #!/usr/bin/python # sheldon.py # EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011 # Import scapy from scapy.all import * conf.verb = 0 # Ports ports = [951, 4826, 9402, 235, 16821, 443, 100] # Knock twice on every port for dport in range(0, len(ports)): print "[*] Knocking on 192.168.0.5: " , ports[dport] ip = IP(dst="192.168.0.5") port = 39367 SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0) send(SYN) ; print "*KNOCK*" port = 39368 SYN = ip/TCP(sport=port, dport=ports[dport], flags="S", window=2048, options=[('MSS',1460)], seq=0) send(SYN) ; print "*KNOCK*" print "PENNY" # Use NMAP for scanning for open ports # We also use -sV, so nmap connects to the port and get the flag print "[*] Scanning for open ports using nmap" subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)
- 9. Simple solution nmap -n -sS -T2 -r -p951 192.168.0.5 nmap -n -sS -T2 -r -p4826 192.168.0.5 nmap -n -sS -T2 -r -p9402 192.168.0.5 nmap -n -sS -T2 -r -p235 192.168.0.5 nmap -n -sS -T2 -r -p16821 192.168.0.5 nmap -n -sS -T2 -r -p443 192.168.0.5 nmap -n -sS -T2 -r -p100 192.168.0.5 nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5
- 10. Why not? Why not “nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5”? Because: The best way to send the required SYN packets to the system is the use of nmap: ./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target> NOTE: the Polite timing ensures, that nmap sends the packets serial as defined. FX - cdoor.c Now “–T Polite” doesn’t ensure sequential transmission of SYN packets
- 11. Advantages Sequence of 3 simple TCP knocks requires 281,474,976,710,656 packets to bruteforce (worst case) Usually only the IP provided the correct sequence is whitelisted Simple implementation – less vulnerabilities Prevents login bruteforce and mass vulnerability exploitation In some cases may aid in DoS mitigation Modern implementations allow usage of cryptographic hashes inside knocking sequence (Single Packet Authentication)
- 12. Disadvantages If knocking daemon dies – “system dies” solved by process monitor daemon Can be locked out with IP-Spoof solved by adding crypto-hashes Dropped packets result in incorrect knock solved by retransmission
- 14. The more you know http://www.phenoelit-us.org/stuff/cd00rdescr.html - original cdoor.c http://eindbazen.net/?p=316 - challenge write-up from EINDBAZEN team http://en.wikipedia.org/wiki/Port_knocking - basic info (used in this presentation:) http://www.portknocking.org – one big port knocking/SPA resource http://www.aldabaknocking.com/?q=portknocking – another big port knocking/SPA resource
- 15. FIN. azaitsev@ptsecurity.ru @arbitrarycode