Port Knocking

Benjamin DiYanni

Ports
• A port allows software applications to share hardware resources without interfering with each other.
• Every service or application that you connect to on the Internet listens on a particular port. For the application to work correctly, it needs to run on an open port.
• Open ports pose a security risk: they leave your machine vulnerable to outside attacks on your network.

Outside Attack
• Hacker takes control of your PC
  ◦ View your passwords for banking, email, etc.
  ◦ Install malware
  ◦ Watch what you are doing on your computer
  ◦ Copy your data and information to their computer
  ◦ Install remote control software to access your machine anytime
  ◦ Use your computer in coordination with other compromised computers to conduct large-scale DDoS attacks

Port Knocking
• Keeps all ports on the network closed
• A secret “knock” opens a desired port to run an application or to give the user remote access to their system
  ◦ The “knock” is a series of failed attempts to access multiple closed ports in sequence
    ▪ Ex: Knocking on closed ports 20, 30, and 40 could open a closed port
• Type of authentication: the “knock” acts like a password
  ◦ Only legitimate users should know the correct “knock” sequence
  ◦ Must be kept secret among legitimate users
• Restricts unauthorized outside access into the network
  ◦ Illegitimate users cannot get in without knowing the correct “knock” sequence

The Knock
• When a user initiates a port knock sequence, all ports on the machine are closed.
• The client trying to gain access to the port attempts to establish a connection but fails.
• The client fails to establish access to the port since all ports have been closed.
• The user attempting to gain access sends SYN packets to the ports.
• The user must know the correct order in which to knock on the ports.
• While this happens, the user is not able to detect whether the ports are listening for a knock or not; the client receives no communication (ACK) from the server when the knock is initiated.
• This feature will deter a hacker who would be expecting to get a response from the server.
• The knock sequence is then diverted to a port knocking daemon, which identifies whether the correct ports were knocked on in the correct sequence. It also decrypts the knock sequence if encryption was implemented.
• If the correct sequence was followed, the user is given access to the port and all applications that are running on it.
• A rule is created for that port to allow connections from that user.
• To close the port, the user sends another knock or specifies a certain amount of time to keep the port open.

Benefits
• Can completely lock down a system, allowing no external traffic in
• No reply from the server with port knocking
  ◦ Malicious hackers cannot detect if a device is listening for port knocks
  ◦ Hacker must assume that port knocking is being used when all ports are closed
• Legitimate user can gain remote control to access system resources
• Authentication information exchange cannot be hacked easily
• Extra layer of security for the system

Considerations
Port knocking is not a complete solution to securing a host and should be included alongside other security countermeasures.
• One concern of port knocking is that it is just a form of “security through obscurity”
  ◦ Once a hacker notices that all ports are closed on a network, he can safely assume that port knocking is being implemented
  ◦ It is unlikely but not impossible for a hacker to figure out the “knock” sequence
    ▪ Hacker would have to randomly knock on ports to try to gain access with the secret knock, all the while not actually certain if port knocking is even implemented.
• If a hacker is successful in determining the knock sequence
  ◦ Can create a dormant backdoor
  ◦ Can come back to access the port through the backdoor anytime with their own secret knock that they create
    ▪ Very difficult to tell when a hacker is successful with this.
• Automated firewall creating rules
  ◦ Must ensure that the firewall creates ONLY the rules you intend for it to make once a port is opened
• Port knocking should not be used for public servers or services that will be used by many users.
  ◦ A web server using a port knocking implementation would require every user to go through a port knocking sequence before they are able to view the webpage

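The daemon-side check described under The Knock, together with the point under Considerations that the firewall must create only the intended rule, as an added Python sketch (not part of the original slides and not the code of any real port knocking daemon). The knock 20, 30, 40 is the slides' own example; the protected port 22, the 10-second timeout, the names KnockTracker, build_rule and replay, and the sample records are assumptions.

```python
import ipaddress

KNOCK_SEQUENCE = (20, 30, 40)  # the slides' example knock
PROTECTED_PORT = 22            # assumption: port opened by a correct knock
SEQ_TIMEOUT = 10.0             # assumption: seconds allowed to finish the knock

def build_rule(src_ip):
    """Return an iptables argv that admits one source to one port, nothing more."""
    ip = str(ipaddress.IPv4Address(src_ip))  # ValueError on anything but an IPv4 address
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(PROTECTED_PORT), "-j", "ACCEPT"]

class KnockTracker:
    def __init__(self):
        self.progress = {}  # source IP -> (knocks matched so far, time of first knock)

    def observe(self, ts, src_ip, dport):
        """Feed one dropped SYN; return a rule argv when the knock completes, else None."""
        matched, start = self.progress.get(src_ip, (0, ts))
        if matched and ts - start > SEQ_TIMEOUT:
            matched, start = 0, ts            # too slow: start over
        if dport == KNOCK_SEQUENCE[matched]:
            matched += 1
        elif dport == KNOCK_SEQUENCE[0]:
            matched, start = 1, ts            # wrong port, but it begins a new attempt
        else:
            matched = 0                       # wrong port: forget this source's progress
        if matched == len(KNOCK_SEQUENCE):
            self.progress.pop(src_ip, None)
            return build_rule(src_ip)
        if matched:
            self.progress[src_ip] = (matched, start)
        else:
            self.progress.pop(src_ip, None)
        return None

# Constructed sample of dropped-SYN records: "<seconds> <source IP> <destination port>"
SAMPLE = """\
0.0 203.0.113.5 20
0.4 198.51.100.9 20
0.5 198.51.100.9 40
1.0 203.0.113.5 30
1.2 203.0.113.5 40
5.0 198.51.100.7 20
6.0 198.51.100.7 30
30.0 198.51.100.7 40
"""

def replay(log_text):
    """Run every record through one tracker and collect the rules it would create."""
    tracker, rules = KnockTracker(), []
    for ts, src, dport in (line.split() for line in log_text.splitlines()):
        rule = tracker.observe(float(ts), src, int(dport))
        if rule:
            rules.append(rule)
    return rules
```

Only the source that knocks 20, 30, 40 in order and within the timeout yields a rule, and the rule is returned as an argument list so the source address is never interpolated into a shell command.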