
Александр Зайцев - Port Knocking, short notes


Page 1: Александр Зайцев - Port Knocking, short notes

Port knocking challenge

PHD CTF Afterparty 2011

the short notes

Sheridan: Knock, knock.

Ivanova: Who's there?

Sheridan: Kosh.

Ivanova: Kosh who?

Sheridan: Gesundheit. [snickers] 

I thought that was a good one.

Babylon 5

Page 2

Step by step into the trap

[Figure: four-panel port knocking sequence, Step 1 through Step 4]

Copyright: http://www.portknocking.org/

Page 3

Task overview

1 box running FreeBSD

1 anonymous FTP server

1 file: traffic.zip->traffic.pcap

Slightly modified cdoor.c by FX of Phenoelit

Page 4

Traffic.pcap #1

Page 5

Traffic.pcap #2

Page 6

Initial state

Page 7

“Knocked” state

Page 8

EINDBAZEN solution

#!/usr/bin/python
# sheldon.py
# EINDBAZEN solution to port knocking challenge PHD CTF Quals 2011

import subprocess

# Import scapy (conf.verb = 0 silences its per-packet output)
from scapy.all import *
conf.verb = 0

# Ports (the knock sequence recovered from traffic.pcap)
ports = [951, 4826, 9402, 235, 16821, 443, 100]

# Knock twice on every port, in sequence order
for dport in ports:
    print("[*] Knocking on 192.168.0.5: %d" % dport)
    ip = IP(dst="192.168.0.5")
    # Two SYNs per knock port, from two consecutive source ports
    for sport in (39367, 39368):
        SYN = ip/TCP(sport=sport, dport=dport, flags="S", window=2048,
                     options=[('MSS', 1460)], seq=0)
        send(SYN)
        print("*KNOCK*")
    print("PENNY")

# Use NMAP for scanning for open ports
# We also use -sV, so nmap connects to the port and gets the flag
print("[*] Scanning for open ports using nmap")
subprocess.call("nmap -sS -sV -T4 -p 1024-2048 192.168.0.5", shell=True)

Page 9

Simple solution

nmap -n -sS -T2 -r -p951 192.168.0.5

nmap -n -sS -T2 -r -p4826 192.168.0.5

nmap -n -sS -T2 -r -p9402 192.168.0.5

nmap -n -sS -T2 -r -p235 192.168.0.5

nmap -n -sS -T2 -r -p16821 192.168.0.5

nmap -n -sS -T2 -r -p443 192.168.0.5

nmap -n -sS -T2 -r -p100 192.168.0.5

nmap -n -sS -T4 -p1024-2048 -sV 192.168.0.5

Page 10

Why not?

The best way to send the required SYN packets to the system is the use of nmap:

./nmap -sS -T Polite -p<port1>,<port2>,<port3> <target>

NOTE: the Polite timing ensures that nmap sends the packets serially, as defined.

FX - cdoor.c

Why not “nmap -n -sS -T2 -r -p951,4826,9402,235,16821,443,100 192.168.0.5”?

Because:

In current nmap, “-T Polite” (-T2) no longer ensures that the SYN packets are sent one at a time in the order given

Page 11

Advantages

Sequence of 3 simple TCP knocks requires 281,474,976,710,656 packets to brute-force (worst case)

Usually only the IP that provided the correct sequence is whitelisted

Simple implementation, fewer vulnerabilities

Prevents login bruteforce and mass vulnerability exploitation

In some cases may aid in DoS mitigation

Modern implementations allow usage of cryptographic hashes inside knocking sequence (Single Packet Authentication)

Page 12

Disadvantages

If the knocking daemon dies, the “system dies”

    solved by a process monitor daemon

Legitimate clients can be locked out via IP spoofing

    solved by adding crypto-hashes

Dropped packets result in an incorrect knock

    solved by retransmission
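To make the two failure modes above concrete (slide 10: SYN order matters; slide 12: a dropped packet yields an incorrect knock), here is a minimal per-source-IP knock tracker of the kind a knocking daemon keeps. It is an added example, not code from the slides or from cdoor.c; the 3-port sequence, the timeout and the client addresses are constructed.

```python
KNOCK_SEQUENCE = [951, 4826, 9402]   # constructed 3-port sequence (hypothetical)
KNOCK_TIMEOUT = 10.0                 # seconds allowed between consecutive knocks


class KnockTracker:
    """Per-source-IP state machine: advance on the expected port, reset otherwise."""

    def __init__(self, sequence, timeout=KNOCK_TIMEOUT):
        self.sequence = list(sequence)
        self.timeout = timeout
        self.progress = {}      # src_ip -> (index of next expected port, ts of last good knock)
        self.whitelist = set()  # sources that completed the whole sequence

    def observe_syn(self, src_ip, dport, ts):
        """Feed one inbound SYN; return True only when it completes the sequence."""
        idx, last = self.progress.get(src_ip, (0, ts))
        if ts - last > self.timeout:
            idx = 0                       # stale partial knock expires
        if dport == self.sequence[idx]:
            idx += 1
        else:
            # Wrong port: reordered SYNs, a stray scan, or a dropped knock.
            # Start over, counting this packet as knock #1 if it fits there.
            idx = 1 if dport == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.whitelist.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, ts)
        return False

    def replay(self, syns):
        """Feed a list of (src_ip, dport, ts) tuples; return the whitelisted IPs."""
        for src_ip, dport, ts in syns:
            self.observe_syn(src_ip, dport, ts)
        return self.whitelist


def brute_force_space(knocks, ports=65536):
    """Worst-case SYNs needed to guess a sequence of `knocks` TCP ports."""
    return ports ** knocks


# Constructed SYN logs from three hypothetical clients (192.0.2.0/24 is documentation space)
IN_ORDER = [("192.0.2.10", 951, 0.0), ("192.0.2.10", 4826, 1.0), ("192.0.2.10", 9402, 2.0)]
REORDERED = [("192.0.2.11", 4826, 0.0), ("192.0.2.11", 951, 1.0), ("192.0.2.11", 9402, 2.0)]
ONE_DROPPED = [("192.0.2.12", 951, 0.0), ("192.0.2.12", 9402, 1.0)]

if __name__ == "__main__":
    print(KnockTracker(KNOCK_SEQUENCE).replay(IN_ORDER + REORDERED + ONE_DROPPED))
    print(brute_force_space(3))
```

Only the in-order client is whitelisted; the reordered and the dropped-knock clients fall back to state 0, which is exactly what a client-side retransmission (slide 12) or an nmap run that no longer sends serially (slide 10) has to reckon with.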

Page 13

Defense in depth

after all, it’s just another layer

Page 14

The more you know

http://www.phenoelit-us.org/stuff/cd00rdescr.html

- original cdoor.c

http://eindbazen.net/?p=316

- challenge write-up from the EINDBAZEN team

http://en.wikipedia.org/wiki/Port_knocking

- basic info (used in this presentation)

http://www.portknocking.org

- one big port knocking/SPA resource

http://www.aldabaknocking.com/?q=portknocking

- another big port knocking/SPA resource

Page 15

FIN.


@arbitrarycode