Security Basics mailing list archives

RE: Port-Knocking vulnerabilities?


From: "Sean Tindall" <sean () bulletproofnetworks ca>
Date: Fri, 28 Dec 2007 12:08:29 -0700

The knock itself could be a password though too.  The knock could
consist of several port connections, in (the correct) sequence, to an
arbitrary list of ports, before the service you actually want access to
becomes available - but to only the IP address that initiates the knock.

There might even be a way for someone to use an OTP scheme with port
knocking, where the sequence of ports to knock is different every time.
All kinds of cool possibilities.

sT


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Friday, December 28, 2007 11:42 AM
To: security-basics () securityfocus com
Subject: Re: Port-Knocking vulnerabilities?

On 2007-12-28 Kappa Alpha Pi Eta wrote:
> so I read this thread about port-knocking (although called "reflexive
> firewalls"). I'd never heard of that and found it to be a very
> interesting mechanism. Now I just keep wondering what an attacker
> could possibly do to intrude into a system secured in such a way. So there
> are no open ports at all; also, there's no way the attacker could
> access the computer physically or via social engineering. The attacker
> knows that a knock-server is running and that there's some daemon
> waiting to become accessible (whatever that may be).

Port knocking is not a security but merely an obfuscation measure, as it
just hides services from people who don't know about the measure.

> What could an attacker do to somehow get access to that machine?

Knock.

> And how can I secure that machine from that kind of attack?

Just like you would secure it when not using port-knocking:

- Don't have services listening on external interfaces that shouldn't be
  accessible from the outside.
- Keep your system patched.
- Use authentication where applicable.
- Prefer public key authentication over password authentication.
...

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
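As an added illustration of the two designs discussed in this thread (a fixed knock sequence acting as a password, and Sean's rotating, OTP-style variant), here is a constructed Python model of a knock server. It is example code written for this archive, not the code of any knock daemon mentioned in the thread; the class and function names, the port numbers, the addresses, the time window and the HMAC-based sequence derivation are all assumptions. Packets are simulated as tuples, so it runs offline without opening sockets.

```python
"""Port-knock state machine: a static sequence and an HMAC-derived rotating
sequence (hypothetical example, not code from the thread).

Server-side logic only: per-source progress through the sequence, reset on a
wrong port, a time window for the whole sequence, and opening the guarded
service for the knocking address only."""
import hashlib
import hmac
import struct

KNOCK_WINDOW_SECONDS = 10.0  # assumed: whole sequence must arrive within this


class KnockServer:
    """Tracks knock progress per source address for one expected sequence."""

    def __init__(self, sequence, window=KNOCK_WINDOW_SECONDS):
        self.sequence = list(sequence)
        self.window = window
        self.progress = {}    # src_ip -> (index of next expected knock, start time)
        self.allowed = set()  # src_ips currently allowed to reach the service

    def observe(self, src_ip, dst_port, now):
        """Feed one observed packet; returns True when the sequence completes."""
        idx, started = self.progress.get(src_ip, (0, now))
        if now - started > self.window:
            idx, started = 0, now          # stale attempt: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            idx, started = 0, now          # wrong port resets progress ...
            if dst_port == self.sequence[0]:
                idx = 1                    # ... unless it is a fresh first knock
        if idx == len(self.sequence):
            self.allowed.add(src_ip)       # open the service for this address only
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def is_allowed(self, src_ip):
        return src_ip in self.allowed


def otp_sequence(secret, counter, length=4, lo=20000, hi=60000):
    """Derive a one-time knock sequence from a shared secret and a counter
    (HOTP-style: HMAC-SHA256 over the big-endian counter, sliced into ports).
    Assumed construction; port range and length are arbitrary choices."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    span = hi - lo
    return [lo + struct.unpack(">I", digest[4 * i:4 * i + 4])[0] % span
            for i in range(length)]


class RotatingKnockServer(KnockServer):
    """Knock server whose expected sequence comes from a shared secret and a
    counter; the counter advances on every successful knock, so a sequence
    that was observed on the wire no longer opens anything afterwards."""

    def __init__(self, secret, counter=0, **kw):
        self.secret, self.counter = secret, counter
        super().__init__(otp_sequence(secret, counter), **kw)

    def observe(self, src_ip, dst_port, now):
        done = super().observe(src_ip, dst_port, now)
        if done:
            self.counter += 1
            self.sequence = otp_sequence(self.secret, self.counter)
            self.progress.clear()  # in-flight attempts targeted the old sequence
        return done


if __name__ == "__main__":
    # Constructed traffic: a static knock works every time it is repeated,
    # which is the point made above about obfuscation rather than security.
    static = KnockServer([7000, 8000, 9000])
    for t, port in enumerate([7000, 8000, 9000]):
        static.observe("198.51.100.10", port, float(t))
    print("static knock opened:", static.is_allowed("198.51.100.10"))

    rotating = RotatingKnockServer(b"constructed-shared-secret")
    first = list(rotating.sequence)
    for t, port in enumerate(first):
        rotating.observe("198.51.100.10", port, float(t))
    print("next sequence differs:", rotating.sequence != first)
```

The static server demonstrates the per-address gating Sean describes: only the source that completed the sequence is added to `allowed`. The rotating variant is one way to realise the OTP idea; both sides need the same secret and counter, so the client must track successful knocks (or the server must accept a small look-ahead window) to stay in sync.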