Penetration Testing mailing list archives

Re: an alternative to port-knocking using the OpenBSD pf only


From: poplix <poplix () papuasia org>
Date: Mon, 13 Feb 2006 16:43:57 +0100

Jerry, maybe you are right, but I think p0f is able to detect such a modification; this is
from the p0f documentation:

 NOTE: Some NAT devices, such as Linux iptables with --set-mss, will
 modify MSS, but not WSS. As a result, MSS is changed to reflect
 the MTU of the NAT device, but WSS remains a multiple of the original
 MSS. Fortunately for us, the source device would almost always be
 hooked up to Ethernet. P0f handles it automatically for the original
 MSS of 1460, by adding "NAT!" tag to the result.

So I think that firewalls with packet normalization only can fake OS
fingerprinting (as described in the p0f docs).
I don't know if there are other circumstances in which a NATting device will change
SYN header values.



I've also something to add to my previous post:
If pf is configured to drop (not reject) SYNs (or if our kernel drops RSTs)
it's possible to perform this kind of *authentication* without real packet
rewriting software. In fact it's not necessary that our original SYN (the one
generated by the kernel) avoid reaching its destination because of the firewall
drop. It's sufficient to have a tool that sniffs our SYN, applies the needed
adjustment and then resends it. Doing that we'll have two SYNs per connection:
the first is generated by the kernel and the second is a rewrite of the first
one and will match the p0f signature.
Anyway it'll result in a dirty and suspicious handshake and possibly it'll add
entries to logfiles. The big advantage is that the rest of the TCP stream is
totally independent from any supplementary code; in fact tools like tripp or
fragroute need to rewrite the entire TCP stream (otherwise it's possible to
kill such tools after the connection is established and restart them when a new
connection is needed).

A proof-of-concept is available at
http://tripp.dynalias.org/authsyn.tgz

poplix


On 24 Jan 2006, at 5:21 PM, Shenk, Jerry A wrote:

Another problem (challenge;) would be gaining access from behind a
NATting device.  Sometimes, they'll modify the headers and make the
packets look like they originated on the NATting device.  Some fields
would probably work better than others.


On Mon, Jan 23, 2006 at 10:44:52PM +0100, poplix wrote:
Hi there,

I wish to propose an alternative to port knocking that uses the native
OpenBSD pf code only. The idea is to use pf's passive OS
fingerprinter to authenticate initial SYN packets.
With a tool (or kernel patch) able to rewrite packet headers it is possible
to use a specific sequence of header fields as a key to validate
packets.

This is an interesting - albeit not exactly new - idea, but it has the
very real disadvantage over port knocking that it requires privileges
(typically root) on the connecting host.

                Joachim
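The two points the thread turns on are what a passive fingerprinter such as pf's or p0f actually reads from a SYN (the "key" of the proposed scheme) and the p0f NAT heuristic quoted above, where a NAT device rewrites the MSS but leaves the window size as a multiple of the original 1460. The following is an added example, not code from the thread, p0f or pf: it builds a constructed SYN, extracts the fingerprint fields, prints them in a simplified p0f-style line (the exact p0f/pf.os syntax has more cases than this), and applies the NAT heuristic. The packet contents and the `--set-mss 1400` scenario are constructed.

```python
import struct

ETH_MSS = 1460  # MSS of a host on plain Ethernet, the case p0f special-cases for its NAT! tag

def build_syn(ttl, df, window, mss, wscale):
    """Constructed IPv4+TCP SYN (MSS, NOP, WSCALE options, no payload). Sample input, not a capture."""
    opts = struct.pack('!BBH', 2, 4, mss) + b'\x01' + struct.pack('!BBB', 3, 3, wscale)
    opts += b'\x00' * (-len(opts) % 4)                       # pad options to a 32-bit boundary
    tcp = struct.pack('!HHIIBBHHH', 40000, 22, 1, 0, (5 + len(opts) // 4) << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # 0x4000 is the DF bit
    return ip + tcp

def parse_syn(pkt):
    """Pull the fields a passive fingerprinter keys on out of a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0f) * 4
    size, frag, ttl = struct.unpack('!H', pkt[2:4])[0], struct.unpack('!H', pkt[6:8])[0], pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    wss = struct.unpack('!H', tcp[14:16])[0]
    opts, mss, i = [], None, 20
    while i < doff:                                          # walk the TCP option list
        kind = tcp[i]
        if kind == 0: opts.append('E'); break                # end of option list
        if kind == 1: opts.append('N'); i += 1; continue     # NOP
        length = tcp[i + 1]
        if kind == 2: mss = struct.unpack('!H', tcp[i + 2:i + 4])[0]; opts.append('M%d' % mss)
        elif kind == 3: opts.append('W%d' % tcp[i + 2])      # window scale
        else: opts.append({4: 'S', 8: 'T'}.get(kind, '?%d' % kind))   # SACK OK, timestamp, unknown
        i += length
    return {'wss': wss, 'ttl': ttl, 'df': 1 if frag & 0x4000 else 0, 'size': size, 'mss': mss, 'opts': opts}

def signature(f):
    """Simplified p0f-style line: WSS (as S<n> when a multiple of MSS), TTL, DF, packet size, options."""
    wss = 'S%d' % (f['wss'] // f['mss']) if f['mss'] and f['wss'] % f['mss'] == 0 else str(f['wss'])
    return '%s:%d:%d:%d:%s' % (wss, f['ttl'], f['df'], f['size'], ','.join(f['opts']))

def nat_tag(f):
    """The heuristic from the quoted p0f note: MSS rewritten in flight, WSS still a multiple of 1460."""
    if f['mss'] and f['mss'] != ETH_MSS and f['wss'] % f['mss'] and f['wss'] % ETH_MSS == 0:
        return 'NAT!'
    return ''

if __name__ == '__main__':
    for mss in (1460, 1400):           # second SYN is as a --set-mss 1400 NAT device would leave it
        f = parse_syn(build_syn(64, 1, 5840, mss, 0))
        print(signature(f), nat_tag(f))
```

The second SYN no longer matches the `S4` window expression the first one produced, which is why a fingerprint used as a key breaks behind such a NAT, while the `NAT!` tag shows the rewrite is still detectable.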



