Penetration Testing mailing list archives
Re: an alternative to port-knocking using the OpenBSD pf only
From: poplix <poplix () papuasia org>
Date: Mon, 13 Feb 2006 16:43:57 +0100
Jerry, maybe you are right, but I think p0f is able to detect such modification. This is from the p0f documentation:

NOTE: Some NAT devices, such as Linux iptables with --set-mss, will modify MSS, but not WSS. As a result, MSS is changed to reflect the MTU of the NAT device, but WSS remains a multiple of the original MSS. Fortunately for us, the source device would almost always be hooked up to Ethernet. P0f handles it automatically for the original MSS of 1460, by adding "NAT!" tag to the result.

So I think that firewalls with packet normalization only can fake OS fingerprinting (as described in the p0f docs). I don't know if there are other circumstances when a NATting device will change the SYN's header values.

I've also something to add to my previous post: if pf is configured to drop (not reject) SYNs (or if our kernel drops RSTs), it's possible to perform this kind of *authentication* without real packet-rewriting software. In fact it's not necessary that our original SYN (the one generated by the kernel) avoids reaching its destination due to the firewall drop. It's sufficient to have a tool that sniffs our SYN, applies the adjustment needed and then resends it. Doing that we'll have two SYNs per connection: the first is generated by the kernel and the second is a rewrite of the first one and will match the p0f signature.

Anyway, it'll result in a dirty and suspicious handshake and possibly it'll add entries to logfiles. The big advantage is that the rest of the TCP stream is totally independent from any supplementary code; in fact tools like tripp or fragroute need to rewrite the entire TCP stream (otherwise it's possible to kill such tools after the connection is established and restart them when a new connection is needed).

A proof-of-concept is available at http://tripp.dynalias.org/authsyn.tgz

poplix

On 24 Jan 2006, at 5:21 PM, Shenk, Jerry A wrote:

> Another problem (challenge;) would be gaining access from behind a NATting device. Sometimes, they'll modify the headers and make the packets look like they originated on the NATting device. Some fields would probably work better than others.
>
> On Mon, Jan 23, 2006 at 10:44:52PM +0100, poplix wrote:
>> Hi there, I wish to propose an alternative to port knocking that uses the native OpenBSD's pf code only. The idea is to use pf's passive OS fingerprinter to authenticate initial SYN packets. With a tool (or kernel patch) able to rewrite packet headers it is possible to use a specific sequence of header fields as a key to validate packets.
>
> This is an interesting - albeit not exactly new - idea, but it has the very real disadvantage over port knocking that it requires privileges (typically root) on the connecting host.
>
> Joachim
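As an added example (not code from the thread or from p0f), the following Python shows how a SYN's header fields are compared against p0f v2-style signatures, the kind of passive fingerprint pf's `os` keyword relies on, and how the MSS/WSS heuristic quoted above yields the "NAT!" tag. The signature strings, the SYN values and the 32-hop TTL budget are assumptions made for this illustration.

```python
# Added example (not from the thread); signatures, SYN values and the TTL budget are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERNET_MSS = 1460    # original MSS p0f assumes when applying its "NAT!" tag
MAX_TTL_DISTANCE = 32  # assumed hop budget between initial and observed TTL

@dataclass
class Syn:
    wss: int            # TCP window size as seen on the wire
    ttl: int            # IP TTL as seen on the wire
    df: bool            # IP don't-fragment bit
    mss: int            # TCP MSS option value
    options: List[str]  # option layout in p0f notation, e.g. ["M1460", "S", "T", "N", "W7"]

def parse_signature(sig: str) -> Tuple[str, int, bool, List[str], str]:
    """Split 'wss:ttl:df:size:options:quirks:os:details' (p0f v2 layout)."""
    wss, ttl, df, _size, opts, _quirks, os_name, details = sig.split(":", 7)
    return wss, int(ttl), df == "1", opts.split(","), f"{os_name} {details}"

def window_matches(pattern: str, syn: Syn) -> Tuple[bool, bool]:
    """Return (matched, nat_suspected). 'S4' = 4*MSS, 'T4' = 4*MTU, '*' = any."""
    if pattern == "*":
        return True, False
    kind, num = pattern[0], pattern[1:]
    if kind == "S":
        if syn.wss == int(num) * syn.mss:
            return True, False
        # p0f NAT heuristic: a device such as iptables --set-mss lowered the MSS,
        # but the window is still the expected multiple of the original MSS.
        nat = syn.mss != ETHERNET_MSS and syn.wss == int(num) * ETHERNET_MSS
        return nat, nat
    if kind == "T":
        return syn.wss == int(num) * (syn.mss + 40), False
    return syn.wss == int(pattern), False

def options_match(layout: List[str], syn: Syn) -> bool:
    """Same option order; 'M*' accepts any MSS, other entries must match exactly."""
    return len(layout) == len(syn.options) and all(
        (s.endswith("*") and o[0] == s[0]) or s == o for s, o in zip(layout, syn.options))

def match_syn(syn: Syn, signatures: List[str]) -> Optional[str]:
    """Label of the first matching signature, tagged [NAT!] when the heuristic fired."""
    for sig in signatures:
        wss, ttl, df, layout, label = parse_signature(sig)
        ok, nat = window_matches(wss, syn)
        if ok and df == syn.df and options_match(layout, syn) and ttl - MAX_TTL_DISTANCE < syn.ttl <= ttl:
            return label + (" [NAT!]" if nat else "")
    return None
SIGNATURES = ["S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed)",   # constructed, p0f v2 style
              "65535:128:1:48:M*,N,N,S:.:Windows:XP (constructed)"]
```

A SYN whose MSS was lowered in transit but whose window is still 4 × 1460 matches the first signature with the "[NAT!]" tag, which is exactly the case the p0f documentation quoted above describes.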