Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle

Page 1: Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle

Implementing a Port Knocking System in C

Honors Thesis Defense

by Matt Doyle

Pages 2-3: Layered system security

• Password-protected logins
• Software and hardware firewalls
• Intrusion detection systems
• Patching existing software
• Disabling unnecessary services
• Port Knocking

Page 4: Network Communication

Sending data to a remote system requires that system’s IP address.

Page 5: Network Communication

A port number is then needed to direct the data to the destination application.

Page 6: Network Communication

Ports which have applications “listening” for data on them will appear open to remote machines.

Page 7: Network Communication

Ports without running applications will appear closed to remote machines.

Page 8: Firewalls

Firewalls act as a “first line of defense” for these incoming data packets.

Page 9: Firewalls

If a firewall is allowing traffic on our destination port, then our data packets will proceed as usual...

Page 10: Firewalls

However, if the firewall is blocking this port, our data will be rejected, even if a service is running.

Page 11: Why block ports?

• System intrusions are often the result of malicious users exploiting flaws in running services (e.g. MSBlaster)

• By only allowing trusted users access to these services (by way of a firewall), we can decrease the chances of these services being exploited.

Pages 12-14: Port Knocking

• Hides services running on server machine

• Blocks ports, yet still allows communication across the firewall

• Enables remote manipulation of firewall rules by authenticated users

Page 15: Port Knocking: Setup

• Configure firewall rules to block access to services you wish to be hidden

• Configure firewall software to log all connection attempts to closed ports

Page 16: Port Knocking: Communication Across a Firewall

• Communication with the server will be in the form of log file entries

• Data will be encoded within a sequence of connection attempts

• Server side of our port knocking system will decrypt the data in these entries and act on it

Page 17: Port Knocking: Remote Firewall Manipulation

• Decrypted log entries will provide our server with the information it needs to open a specific port in our firewall

• Server then opens the port of our choosing to traffic from an IP address of our choosing

Page 18: The Client Side: knockc

What the client does:

• Prompts user for all necessary information

• Takes this information and constructs an encrypted sequence of port numbers

• Makes connection attempts with each of these ports on the specified remote host

Page 19: The Client Side: knockc

Prompts user for the following information:

• Source machine to allow through the firewall

• Destination machine we wish to connect to

• Port we wish to connect on

• Offset value to be added to each port knock (more on this later)

• An “action value,” which indicates whether we wish to open or close the remote port

• An encryption password

With these values, our client is ready to construct our knock sequence.

Page 20: The Client Side: knockc

For the purposes of this example, we will assume that our machine at 130.184.92.77 wishes to open port 22 (SSH) on machine 10.20.30.40, using an offset of 2000. Our encryption password will be “topsecret”.

Page 21: The Client Side: knockc

Information is encoded into 8 bytes (Blowfish is a 64-bit block cipher, so it encrypts data whose size is a multiple of 8 bytes).

Page 22: The Client Side: knockc

• Our source IP has 4 values, each with a range of 0-255

• We can therefore convert each of these 4 values to a single 1-byte character:

130 = ‘é’
184 = ‘╕’
92 = ‘\’
77 = ‘M’

Page 23: The Client Side: knockc

These 4 bytes compose the first half of our 8 byte string.

Page 24: The Client Side: knockc

• Our port number has a range of 0-65,535, making it a 2-byte value.

• This value is broken up into its upper byte and lower byte.

22₁₀ = 00000000 00010110₂

00000000₂ = NUL (control character)

00010110₂ = SYN (control character)

Page 25: The Client Side: knockc

Now we have the next 2 bytes of our string.

Page 26: The Client Side: knockc

Finally, byte 7 contains our action value (Open = 1). Byte 8 is currently unused and is set to 0.

Pages 27-29: The Client Side: knockc

This 8-byte string is then encrypted using the Blowfish encryption algorithm.

Pages 30-32: The Client Side: knockc

Each character in the encrypted string is then converted back into a 0-255 range integer.

Pages 33-35: The Client Side: knockc

Finally, we add our offset value. This dictates which range of 256 consecutive ports our knocks will fall upon.

Page 36: The Client Side: knockc

The client will now attempt to connect to each of these ports, in order, on the remote machine we specified (10.20.30.40).
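The client-side encoding of pages 19 to 36, as an added example written for this page (it is not the thesis's knockc code): it packs the 8-byte message exactly as the slides lay it out, then maps each byte to a knock port by adding the offset, rejecting an offset whose 256-port window would run past 65535. The Blowfish step that sits between packing and the port mapping is not reproduced, so the ports produced here are what the plaintext bytes would give; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KNOCK_LEN   8                 /* one Blowfish block: the whole message is 8 bytes */
#define ACTION_OPEN 1                 /* the action value the slides give for "open" */
#define MAX_OFFSET  (65535u - 255u)   /* keeps all 256 candidate ports inside 0..65535 */

/* Parse a dotted-quad IPv4 string into 4 bytes. Returns 0 on success, -1 if malformed. */
int parse_ipv4(const char *s, uint8_t ip[4])
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return -1;                    /* wrong shape, or junk after the address */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    ip[0] = (uint8_t)a; ip[1] = (uint8_t)b; ip[2] = (uint8_t)c; ip[3] = (uint8_t)d;
    return 0;
}

/* Lay out the plaintext message as the slides describe:
 *   bytes 0-3  source IP to allow through the firewall
 *   bytes 4-5  destination port, upper byte then lower byte
 *   byte  6    action value (ACTION_OPEN = 1)
 *   byte  7    unused, set to 0
 */
void knock_pack(uint8_t out[KNOCK_LEN], const uint8_t ip[4], uint16_t port, uint8_t action)
{
    memcpy(out, ip, 4);
    out[4] = (uint8_t)(port >> 8);    /* 22 -> 0x00 (NUL) */
    out[5] = (uint8_t)(port & 0xff);  /* 22 -> 0x16 (SYN) */
    out[6] = action;
    out[7] = 0;
}

/* Turn each byte (the encrypted bytes, in the real client) into a destination port.
 * The offset picks the 256-port window the knocks fall into; it is rejected if that
 * window would run past port 65535. Returns 0 on success, -1 on a bad offset. */
int bytes_to_ports(const uint8_t bytes[KNOCK_LEN], unsigned offset, uint16_t ports[KNOCK_LEN])
{
    if (offset > MAX_OFFSET)
        return -1;
    for (int i = 0; i < KNOCK_LEN; i++)
        ports[i] = (uint16_t)(bytes[i] + offset);
    return 0;
}

/* Whole client pipeline minus the cipher: string inputs in, 8 knock ports out.
 * In knockc the packed bytes are Blowfish-encrypted with the password before the
 * offset is added; that step is deliberately not reproduced here. */
int build_knock_sequence(const char *src_ip, uint16_t port, uint8_t action,
                         unsigned offset, uint16_t ports[KNOCK_LEN])
{
    uint8_t ip[4], msg[KNOCK_LEN];
    if (parse_ipv4(src_ip, ip) != 0)
        return -1;
    knock_pack(msg, ip, port, action);
    return bytes_to_ports(msg, offset, ports);
}

int main(void)
{
    uint16_t ports[KNOCK_LEN];
    /* the slides' scenario: allow 130.184.92.77 to reach port 22, offset 2000 */
    if (build_knock_sequence("130.184.92.77", 22, ACTION_OPEN, 2000, ports) != 0)
        return 1;
    for (int i = 0; i < KNOCK_LEN; i++)
        printf("knock %d -> port %u\n", i + 1, ports[i]);
    return 0;
}
```

With the slides' inputs and no encryption the ports come out as 2130, 2184, 2092, 2077, 2000, 2022, 2001, 2000; the real sequence differs because the encrypted bytes, not these, go through the offset step.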

Page 37: The Server Side: knockd

What the server does:

• Monitors system log file for changes

• Retrieves and stores knock sequences from relevant log entries

• Decrypts completed knock sequences

• Modifies firewall using information extracted from these knock sequences

Page 38: The Server Side: knockd

Prompts user for the following information:

• Offset value to be subtracted from each port knock

• The encryption password

Page 39: The Server Side: knockd

Server begins by taking an MD5 hash of the log file. This hash is a 16 byte “digital fingerprint” of the data in the file.

Example:
MD5(/var/log/messages) = fff195ccfac240a55b855bb4d1d8ce59

Page 40: The Server Side: knockd

When this hash changes, we know that data has been appended to our log file. The server then searches the appended data for entries such as these:

Page 41: The Server Side: knockd

Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003

Apr 13 03:10:40 planb /kernel: Connection attempt to TCP 10.20.30.40:2074 from 130.184.92.77:3006

Apr 13 03:10:41 planb /kernel: Connection attempt to TCP 10.20.30.40:2102 from 130.184.92.77:3009

Apr 13 03:10:43 planb /kernel: Connection attempt to TCP 10.20.30.40:2210 from 130.184.92.77:3012

Apr 13 03:10:44 planb /kernel: Connection attempt to TCP 10.20.30.40:2232 from 130.184.92.77:3015

Apr 13 03:10:45 planb /kernel: Connection attempt to TCP 10.20.30.40:2206 from 130.184.92.77:3018

Apr 13 03:10:46 planb /kernel: Connection attempt to TCP 10.20.30.40:2235 from 130.184.92.77:3021

Apr 13 03:10:47 planb /kernel: Connection attempt to TCP 10.20.30.40:2053 from 130.184.92.77:3024

Page 42: The Server Side: knockd

When the server finds such entries, it extracts two pieces of information:

Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003

Pages 43-44: The Server Side: knockd

The port that our client is attempting to connect to (2018 in the entry above)...

Pages 45-46: The Server Side: knockd

...and the IP address of the machine that is trying to connect (130.184.92.77).

Page 47: The Server Side: knockd

Once we have a complete set of 8 knocks from the same host, we are ready to decrypt:

Pages 48-49: The Server Side: knockd

(The eight log entries listed on page 41, now gathered as one complete knock sequence from 130.184.92.77: destination ports 2018, 2074, 2102, 2210, 2232, 2206, 2235, 2053.)

Pages 50-52: The Server Side: knockd

The server has reassembled the knock sequence created by the client. First, it must subtract our port offset from each knock...

Pages 53-55: The Server Side: knockd

The original values are then converted into their corresponding characters...

Page 56: The Server Side: knockd

We now have the character string that resulted from the encryption done by the client side.

Pages 57-59: The Server Side: knockd

Using the password that the server is initialized with, we can decrypt this string to obtain the original character string.

Pages 60-62: The Server Side: knockd

With this original string, we can then convert each character to its corresponding integer value.

Page 63: The Server Side: knockd

We have now successfully decrypted the information stored in a sequence of connection attempts, and are left with the data input by the user on the client side.

Pages 64-70: The Server Side: knockd

The server then uses this information to modify the firewall...

Open port 22 to IP 130.184.92.77

Page 71: The Server Side: knockd

The server then frees all memory allocated to this particular knock sequence, and returns to its task of monitoring the log file for changes.
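The server-side collection of pages 40 to 71, as an added example written for this page (not the thesis's knockd code): it parses firewall log lines of the shape shown on page 41, groups eight knocks per source host, strips the offset with a window check, unpacks a decrypted message, and releases the host's slot once a sequence is complete. The Blowfish decryption between the offset step and the unpack is not shown; the pending-table size, the function names and the extra non-matching line in the constructed sample are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KNOCK_LEN   8
#define MAX_PENDING 16   /* partial sequences tracked at once; further hosts are dropped */

struct pending { char src[16]; int n; uint16_t ports[KNOCK_LEN]; };
static struct pending table[MAX_PENDING];   /* n == 0 marks a free slot */

/* Parse one firewall log line of the shape shown in the slides:
 *   "... Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003"
 * Fills src (dotted quad) and dport. Returns 1 on a match, 0 for any other line. */
int parse_knock_line(const char *line, char src[16], uint16_t *dport)
{
    static const char marker[] = "Connection attempt to TCP ";
    unsigned d[4], dp, s[4], sp;
    const char *p = strstr(line, marker);
    if (!p) return 0;
    p += sizeof marker - 1;
    if (sscanf(p, "%u.%u.%u.%u:%u from %u.%u.%u.%u:%u",
               &d[0], &d[1], &d[2], &d[3], &dp, &s[0], &s[1], &s[2], &s[3], &sp) != 10)
        return 0;
    if (dp > 65535 || s[0] > 255 || s[1] > 255 || s[2] > 255 || s[3] > 255) return 0;
    snprintf(src, 16, "%u.%u.%u.%u", s[0], s[1], s[2], s[3]);
    *dport = (uint16_t)dp;
    return 1;
}

/* Feed one appended log line. Returns 1 when it completes an 8-knock sequence from
 * a single host, copying that host and its ports to out_src/out_ports. Lines that
 * are not connection attempts are ignored. A production knockd should also expire
 * partial sequences after a timeout, which is omitted here. */
int feed_log_line(const char *line, char out_src[16], uint16_t out_ports[KNOCK_LEN])
{
    char src[16];
    uint16_t dport;
    struct pending *slot = NULL, *spare = NULL;
    if (!parse_knock_line(line, src, &dport)) return 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].n > 0 && strcmp(table[i].src, src) == 0) { slot = &table[i]; break; }
        if (table[i].n == 0 && !spare) spare = &table[i];
    }
    if (!slot) {
        if (!spare) return 0;          /* table full: drop rather than grow without bound */
        slot = spare;
        strcpy(slot->src, src);
    }
    slot->ports[slot->n++] = dport;
    if (slot->n < KNOCK_LEN) return 0;
    strcpy(out_src, slot->src);
    memcpy(out_ports, slot->ports, sizeof slot->ports);
    slot->n = 0;                       /* release the slot, like the slides' free step */
    return 1;
}

/* Undo the client's offset. Fails if any knock lies outside the 256-port window,
 * the first cheap filter against unrelated connection attempts. */
int ports_to_bytes(const uint16_t ports[KNOCK_LEN], unsigned offset, uint8_t bytes[KNOCK_LEN])
{
    for (int i = 0; i < KNOCK_LEN; i++) {
        if (ports[i] < offset || ports[i] - offset > 255) return -1;
        bytes[i] = (uint8_t)(ports[i] - offset);
    }
    return 0;
}

/* Recover the fields from a decrypted 8-byte message (the Blowfish step is not
 * shown). Byte 7 must be 0: a wrong password or a stray sequence usually fails this. */
int knock_unpack(const uint8_t in[KNOCK_LEN], uint8_t ip[4], uint16_t *port, uint8_t *action)
{
    if (in[7] != 0) return -1;
    memcpy(ip, in, 4);
    *port = (uint16_t)((in[4] << 8) | in[5]);
    *action = in[6];
    return 0;
}

/* Constructed input: the eight entries from the slides plus one unrelated line. */
static const char *sample_log[] = {
    "Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003",
    "Apr 13 03:10:40 planb /kernel: Connection attempt to TCP 10.20.30.40:2074 from 130.184.92.77:3006",
    "Apr 13 03:10:41 planb /kernel: Connection attempt to TCP 10.20.30.40:2102 from 130.184.92.77:3009",
    "Apr 13 03:10:42 planb sshd[123]: unrelated log line (constructed)",
    "Apr 13 03:10:43 planb /kernel: Connection attempt to TCP 10.20.30.40:2210 from 130.184.92.77:3012",
    "Apr 13 03:10:44 planb /kernel: Connection attempt to TCP 10.20.30.40:2232 from 130.184.92.77:3015",
    "Apr 13 03:10:45 planb /kernel: Connection attempt to TCP 10.20.30.40:2206 from 130.184.92.77:3018",
    "Apr 13 03:10:46 planb /kernel: Connection attempt to TCP 10.20.30.40:2235 from 130.184.92.77:3021",
    "Apr 13 03:10:47 planb /kernel: Connection attempt to TCP 10.20.30.40:2053 from 130.184.92.77:3024",
};

/* Run the sample through the collector; returns 1 and fills the outputs on success. */
int collect_sample(char out_src[16], uint16_t out_ports[KNOCK_LEN])
{
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        if (feed_log_line(sample_log[i], out_src, out_ports)) return 1;
    return 0;
}
```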

Pages 72-78: Final Thoughts

• “Security through obscurity”
• Replay attacks
• Denial of Service attacks
• Log file pollution
• Allowing indirect access
• Extended functionality, not just firewall manipulation

Pages 79-80: Final Thoughts

• “Clean byte”
• Open source software
