Remote Server Access using Dynamic Port Knocking and Forwarding - PowerPoint PPT Presentation

1
Remote Server Access using Dynamic Port Knocking
and Forwarding
  • Tan Chew Keong, SIG2 Vice-President
  • Ching Tim Meng (CISA, CISSP)

2
Agenda of this presentation
  • What is port knocking
  • Some port knocking implementations
  • SIG2's implementation
  • Demo
  • Uses for port knocking

3
What is Port Knocking?
  • "Port knocking is a method of establishing a
    connection to a networked computer that has no
    open ports. Before a connection is established,
    ports are opened using a port knock sequence,
    which is a series of connection attempts to
    closed ports." (portknock.org)

4
What is Port Knocking? (Cont)
  • "Port knocking is a clever new computer security
    trick. It's a way to configure a system so that
    only systems who know the secret knock can access
    a certain port." (Crypto-Gram, March 15, 2004)

5
Why Port Knock?
  • Most public servers need a remote management
    service so that administrators can administer
    them.
  • However, running additional services on hardened
    servers is not good security practice.
  • Unpatched services may be exploited to compromise
    the server.

6
Why Port Knock? (Cont)
  • Even for up-to-date services, there is no
    guarantee that further vulnerabilities will not
    be discovered.
  • Port knocking may be used to remotely
    enable/disable the service as required (on an
    on-demand basis).
  • This minimizes the exposure time of the
    additional service.

7
How does Port Knocking work?
  [Diagram: Client and Web Server; only port 80 is
  open on the server.]
  • Step One: the client sends the pre-defined port
    knock sequence to the web server.
  • Step Two: port 22 is opened.
  • Step Three: the client makes an SSH connection.
8
Some Implementations
  • KnockD: a simple port-knocking daemon
  • cd00r.c, by FX
  • SAdoor: a non-listening remote shell and
    execution server, by CMN
  • portknock, by Martin Krzywinski

9
KnockD
  • http://www.zeroflux.org/knock/
  • Example knockd.conf stanza:
        [opencloseSSH]
            sequence      = 2222:udp,3333:tcp,4444:udp
            seq_timeout   = 15
            tcpflags      = syn,ack
            start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT
            cmd_timeout   = 10
            stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT
  • Problem: Sequence is hard-coded
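To make the stanza above concrete, here is an added example (not code from the slides or from knockd itself) that simulates how a knockd-style daemon consumes that configuration: a per-source state machine that advances one step per correct knock, enforces seq_timeout, applies the tcpflags filter, and on completion emits start_command with %IP% substituted and schedules stop_command after cmd_timeout. The packets and the iptables commands are only strings; nothing touches a firewall. How non-matching TCP flags and wrong knocks are treated is my reading of the knockd documentation, marked as an assumption in the code; the addresses and timings are constructed sample input.

```python
from dataclasses import dataclass, field

# Transcribed from the [opencloseSSH] stanza above.
SEQUENCE = [(2222, "udp"), (3333, "tcp"), (4444, "udp")]
SEQ_TIMEOUT = 15          # seconds allowed for the whole sequence
CMD_TIMEOUT = 10          # seconds between start_command and stop_command
TCPFLAGS = frozenset({"syn", "ack"})
START_CMD = "/usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT"
STOP_CMD = "/usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT"


@dataclass
class Knock:
    """One sniffed packet (constructed input; a real daemon gets these from libpcap)."""
    t: float                        # arrival time in seconds
    src: str                        # source IP
    port: int                       # destination port
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags carried; empty for UDP


@dataclass
class KnockDaemon:
    progress: dict = field(default_factory=dict)  # src -> (next expected index, time of first knock)
    actions: list = field(default_factory=list)   # (time, shell command) the daemon would run, in order

    def observe(self, k: Knock) -> bool:
        """Feed one packet; return True when this packet completes the sequence."""
        if k.proto == "tcp" and not TCPFLAGS <= k.flags:
            return False                    # assumption: TCP packets lacking syn+ack are ignored
        idx, started = self.progress.get(k.src, (0, k.t))
        if k.t - started > SEQ_TIMEOUT:
            idx, started = 0, k.t           # seq_timeout expired: this packet starts a new attempt
        if (k.port, k.proto) != SEQUENCE[idx]:
            self.progress.pop(k.src, None)  # assumption: a wrong knock discards this source's progress
            return False
        idx += 1
        if idx < len(SEQUENCE):
            self.progress[k.src] = (idx, started)
            return False
        self.progress.pop(k.src, None)
        self.actions.append((k.t, START_CMD.replace("%IP%", k.src)))
        self.actions.append((k.t + CMD_TIMEOUT, STOP_CMD.replace("%IP%", k.src)))
        return True


def knock_sequence(src: str, t0: float, gap: float = 1.0) -> list:
    """The packets a knock client sends for SEQUENCE, `gap` seconds apart."""
    return [Knock(t0 + i * gap, src, port, proto,
                  frozenset({"syn", "ack"}) if proto == "tcp" else frozenset())
            for i, (port, proto) in enumerate(SEQUENCE)]


def demo() -> dict:
    d = KnockDaemon()
    admin = [d.observe(k) for k in knock_sequence("10.0.0.5", 100.0)]
    # Right ports, but the third knock lands 16 s after the first: seq_timeout resets it.
    slow = [d.observe(k) for k in knock_sequence("10.0.0.6", 200.0, gap=8.0)]
    # Right ports in the wrong order: the attempt is invalidated at the first mismatch.
    wrong = [d.observe(Knock(250.0 + i, "10.0.0.7", port, proto, frozenset({"syn", "ack"})))
             for i, (port, proto) in enumerate(reversed(SEQUENCE))]
    # Anyone who sniffed the admin's knocks can replay them from another address:
    # the secret is one sequence for the whole server, not one per user.
    replay = [d.observe(k) for k in knock_sequence("198.51.100.9", 300.0)]
    return {"admin": admin[-1], "slow": slow[-1], "wrong": wrong[-1],
            "replay": replay[-1], "actions": d.actions}
```

The replay case is the "sequence is hard-coded" problem from the slide in one line: the attacker never needs the configuration file, only the admin's three sniffed packets, and the daemon has no way to tell the two sources apart.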

10
cd00r.c (FX)
  • http://www.phenoelit.de/stuff/cd00r.c
  • POC code uses TCP SYN knocks.
  • The code ports are fixed at compile time:
        /* the code ports.
           These are the 'code ports', which open (when called in the right order) the
           door (read: call the cdr_open_door() function).
           Use the notation below (array) to specify code ports. Terminate the list
           with 0 - otherwise, you really have problems.
        */
        #define CDR_PORTS 200,80,22,53,3,00
  • Problem: Sequence is hard-coded

11
SAdoor
  • http://cmn.listprojects.darklab.org
  • Comprehensive and well-written port knocking
    implementation.
  • Need to pre-configure the knock sequence and
    distribute it to clients.
  • Problem: Sequence is STILL hard-coded

12
SAdoor (Cont)
  • Key packet definitions from /etc/sadoor/sadoor.pkts:
        -- Begin /etc/sadoor/sadoor.pkts
        # Key packet 1
        keypkt
          ip
            daddr 192.168.1.4  saddr 192.168.1.1
          icmp
            type 8
        # Key packet 2
        keypkt
          ip
            daddr 192.168.1.4  saddr 192.168.1.1
          tcp
            flags SYN  dport 80  sport 3456

13
portknock
  • http://www.portknocking.org/
  • Supports encryption of knock packets.
  • Uses various variables to generate a unique knock
    sequence: client IP, destination port, random
    number, second, minute, hour, day, month, year
    and checksum.
  • The most comprehensive implementation of all.
  • Problem: the encryption key is at server level,
    and the knock sequence can be long.

14
Security issues
  • The port knock sequence is a shared secret between
    the client and the server.
  • The port knock sequence can be sniffed and
    replayed.
  • All previously mentioned implementations (except
    portknock) use a fixed sequence at SERVER level:
    there is no unique sequence per user.

15
More security issues
  • Client programs need to be pre-configured to send
    the right sequence. If a client program is stolen
    and disassembled, the sequence is exposed.
  • If a user is no longer trusted, a new sequence has
    to be redistributed to all clients.
  • A large number of knock packets may be needed to
    prevent brute-forcing of the knock sequence.
  • Consider the problem of sending many IP packets
    over the Internet and expecting them to arrive in
    the correct order.

16
Our Implementation
  • Our implementation does not rely on sending a
    pre-defined secret sequence of port knocks to the
    daemon.
  • Instead, each user has a shared password with the
    daemon.
  • When a user wants to connect to the server, the
    client program generates a random knock sequence
    and declares it to the daemon.

17
Our Implementation (Cont)
  • The sequence is encrypted using the user's
    password hash and sent to the daemon.
  • Users who are no longer trusted can easily be
    removed from the system, i.e. there is no need to
    redistribute a new sequence.
  • The port used to access the hidden service is NOT
    fixed, which reduces the chance of an attack on
    the service.

18
(No Transcript)
19
Design Considerations
  • Encryption: 128-bit AES, keyed with the MD5 of the
    user's password hash.
  • Dynamic knock sequences: 3 TCP SYN packets. A
    trade-off between using few packets (ordering
    problem) and resisting brute-force attacks. Both
    the port numbers and the ISNs are used.

20
Design Considerations (Cont)
  • Replay attacks: time stamp in packets P1, P2 and
    P3.
  • Computational resource starvation: discard invalid
    packets as early as possible in the processing
    loop. But an adversary can still replay P1 to make
    the daemon perform decryption repeatedly.
  • Connection from an unauthorized IP: the port
    assigned to a user is not fixed and accepts
    connections only from that user's IP. This
    minimizes the chance of an adversary finding the
    open port.
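The design on slides 16 to 20, as an added example; this is not the SIG2 code. It keeps the deck's control flow (the client picks a random sequence of three SYNs matched on port and ISN and declares it to the daemon under a key that is the MD5 of the user's password hash; a timestamp defends against replay; cheap rejections run before the expensive check; the access port is random and accepts only the knocking IP; revoking a user is a server-side deletion) but authenticates the declaration with HMAC-SHA256 instead of encrypting it with AES-128, so it runs on the Python standard library alone, and puts the timestamp in the declaration rather than in each of P1 to P3. The window size, the "seen" cache, user names, addresses, the password and the seeded RNGs are my own choices.

```python
import hashlib
import hmac
import random
import struct

WINDOW = 30   # seconds a declaration's timestamp is accepted (assumed value)
KNOCKS = 3    # slide 19: three TCP SYNs, each matched on port and ISN


def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def mac_key(pw_hash: bytes) -> bytes:
    return hashlib.md5(pw_hash).digest()   # slide 19: key is the MD5 of the user's password hash


def encode(user: str, ts: int, seq: list) -> bytes:
    """Canonical bytes of a declaration: user, timestamp, then (port, ISN) per knock."""
    u = user.encode()
    return struct.pack("!B", len(u)) + u + struct.pack("!I", ts) + b"".join(
        struct.pack("!HI", port, isn) for port, isn in seq)


def build_declaration(user: str, password: str, ts: int, rng: random.Random):
    """Client side: choose a fresh random sequence and authenticate it (HMAC stands in for AES)."""
    seq = [(rng.randrange(1024, 65536), rng.getrandbits(32)) for _ in range(KNOCKS)]
    mac = hmac.new(mac_key(password_hash(password)), encode(user, ts, seq), "sha256").digest()
    return seq, mac


class Daemon:
    def __init__(self, users: dict, rng: random.Random):
        self.users = dict(users)   # user -> password hash; deleting an entry revokes the user
        self.rng = rng
        self.seen = set()          # MACs accepted inside the current window (replay cache)
        self.pending = {}          # src IP -> (user, knocks still expected, in order)
        self.granted = {}          # (src IP, port) -> user

    def declare(self, now: int, src: str, user: str, ts: int, seq: list, mac: bytes) -> bool:
        # Slide 20: cheap rejections first; the MAC (the deck's decryption) is computed last.
        if user not in self.users or abs(now - ts) > WINDOW or mac in self.seen:
            return False
        expect = hmac.new(mac_key(self.users[user]), encode(user, ts, seq), "sha256").digest()
        if not hmac.compare_digest(expect, mac):
            return False
        self.seen.add(mac)
        self.pending[src] = (user, list(seq))
        return True

    def syn(self, src: str, port: int, isn: int):
        """Feed one TCP SYN from src; returns the assigned port when the sequence completes."""
        if src not in self.pending:
            return None
        user, rest = self.pending[src]
        if rest[0] != (port, isn):
            del self.pending[src]           # out-of-order or foreign SYN: the declaration is void
            return None
        rest.pop(0)
        if rest:
            return None
        del self.pending[src]
        port = self.rng.randrange(20000, 60000)   # slide 17: the access port is not fixed
        self.granted[(src, port)] = user
        return port

    def accepts(self, src: str, port: int) -> bool:
        return (src, port) in self.granted    # slide 20: only the IP that knocked may connect


def demo() -> dict:
    client_rng = random.Random(7)
    daemon = Daemon({"alice": password_hash("correct horse")}, random.Random(11))

    def knock(now, src, user, ts, seq, mac):
        if not daemon.declare(now, src, user, ts, seq, mac):
            return None
        result = None
        for port, isn in seq:
            result = daemon.syn(src, port, isn)
        return result

    seq, mac = build_declaration("alice", "correct horse", 1000, client_rng)
    port = knock(1000, "10.0.0.5", "alice", 1000, seq, mac)
    out = {"port": port,
           "own_ip": daemon.accepts("10.0.0.5", port),
           "other_ip": daemon.accepts("198.51.100.9", port)}
    bad_seq, bad_mac = build_declaration("alice", "wrong password", 1001, client_rng)
    out["wrong_password"] = knock(1001, "10.0.0.5", "alice", 1001, bad_seq, bad_mac)
    # Sniffed declaration replayed from another address inside the window: caught by the cache.
    out["replay_in_window"] = knock(1005, "198.51.100.9", "alice", 1000, seq, mac)
    daemon.seen.clear()   # the cache only has to remember one window; pretend it was pruned
    out["replay_late"] = knock(1000 + WINDOW + 1, "198.51.100.9", "alice", 1000, seq, mac)
    del daemon.users["alice"]   # slide 17: revoking a user is a deletion, nothing to redistribute
    new_seq, new_mac = build_declaration("alice", "correct horse", 1040, client_rng)
    out["revoked"] = knock(1040, "10.0.0.5", "alice", 1040, new_seq, new_mac)
    return out
```

Note the order of tests in declare(): the user lookup, the timestamp window and the cache hit are all cheap and run before the MAC, which is the cheapest defence this design has against the starvation attack the slide describes; a replayed P1 from an unknown user or with a stale timestamp never reaches the expensive step.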

21
Implementation
  • Daemon listens promiscuously using
    libpcap/winpcap.
  • Linux daemon implemented with privilege
    separation.
  • Linux client needs to run with suid root, but
    privilege is dropped immediately upon acquiring
    RAW socket.

22
Implementation (Cont)
  • Windows daemon runs as a service with LOCAL SYSTEM
    privilege (?!?!!!?!). It is a feature, not a bug.
  • Windows client needs to run as Administrator to
    use RAW sockets.

23
DEMO
  • Linux Daemon with Win32 Client

24
Possible Enhancements
  • Certificate-based authentication instead of a
    shared password. Resource starvation attacks need
    to be handled carefully here (modular
    exponentiation is an expensive operation).
  • TCP SYN knocks may no longer be required: the
    daemon can act on receiving properly encrypted
    packets.

25
Possible Enhancements (Cont)
  • Port-knocking TCP wrapper: no need to
    pre-configure a list of allowed IP addresses.
  • Port knocking with port forwarding at the IP
    layer: no open ports on the Internet-facing
    server.

26
Possible Enhancements (Cont)
  • Different port knocks send instructions to the
    server to execute different programs or
    applications.
  • The server issues the knock sequence to use for
    the next session, instead of the client choosing
    its own sequence.

27
Questions????
  • Any comments, questions or violent objections?

28
but wait!
  • Is our implementation redundant????
  • Not covered in the white paper; to be announced
    during this talk.
  • The problem with our implementation is that...

29
Better way
  • Example adapted from banking systems.
  • The client first has a sequence issued by the
    server.
  • The client port-knocks with that unique sequence.
  • The server verifies the sequence, then issues the
    client a random port and a new unique sequence.
  • The unique sequence can be used to identify
    different users.
  • CPU-friendly for the server.
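The "Better way" scheme as an added example (not the authors' code): the server issues each user a one-time knock sequence, consumes it when it is used, answers with a random port bound to the knocking IP together with the next sequence, and identifies the user by the sequence itself with a table lookup and no decryption, which is what makes it CPU-friendly. The knock is handed in as a whole tuple of ports rather than packet by packet, and the user names, addresses, port ranges and seeded RNG are constructed for the example.

```python
import random

KNOCKS = 3   # ports per sequence (assumed value)


class KnockServer:
    """Server-issued one-time knock sequences, after the 'Better way' slide."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.issued = {}    # current sequence (tuple of ports) -> user; exactly one per user
        self.granted = {}   # (src IP, port) -> user

    def _issue(self, user: str) -> tuple:
        seq = tuple(self.rng.randrange(1024, 65536) for _ in range(KNOCKS))
        self.issued[seq] = user
        return seq

    def enroll(self, user: str) -> tuple:
        """Hand the user a first sequence out of band (the bank's initial code list)."""
        return self._issue(user)

    def knock(self, src: str, seq):
        """Verify a complete knock from src. Returns (assigned port, next sequence) or None.
        One dictionary lookup both verifies the knock and identifies the user."""
        user = self.issued.pop(tuple(seq), None)   # consumed: the same sequence never opens again
        if user is None:
            return None
        port = self.rng.randrange(20000, 60000)
        self.granted[(src, port)] = user
        return port, self._issue(user)              # the answer carries the next sequence

    def accepts(self, src: str, port: int) -> bool:
        return (src, port) in self.granted


def demo() -> dict:
    srv = KnockServer(random.Random(3))
    alice_seq = srv.enroll("alice")
    bob_seq = srv.enroll("bob")
    port, alice_next = srv.knock("10.0.0.5", alice_seq)
    bob_port, _ = srv.knock("10.0.0.7", bob_seq)
    return {
        "port": port,
        "own_ip": srv.accepts("10.0.0.5", port),
        "other_ip": srv.accepts("198.51.100.9", port),
        "bob_identified": srv.granted[("10.0.0.7", bob_port)],
        "replay": srv.knock("198.51.100.9", alice_seq),   # sniffed and replayed: already consumed
        "next_works": srv.knock("10.0.0.5", alice_next) is not None,
        "guess": srv.knock("198.51.100.9", (1, 2, 3)),
    }
```

Compared with the client-chosen design, the server never decrypts anything and a sniffed sequence is worthless the moment it has been used; the price is that the new sequence must reach the client in the server's answer, so that channel needs the protection the slides leave to the reader.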

30
References
  • Martin Krzywinski, 2003. Port Knocking: Network
    Authentication Across Closed Ports. SysAdmin
    Magazine 12: 12-17.
  • CMN. SAdoor: a non-listening remote shell and
    execution server.
  • FX. cd00r.c.
  • Judd Vinet. KnockD: a simple port-knocking daemon.

31
Feedback
  • Feel free to give us feedback at:
  • Chew Keong (chewkeong_at_security.org.sg)
  • Tim Meng (cappella_at_mail.com)