Post on 05-Apr-2018
7/31/2019 Hybrid Port Knocking
1/16
- Prasanna Kambham
7/31/2019 Hybrid Port Knocking
2/16
Introduction
Hybrid port knocking uses three concepts,they are port knocking(PK),steganography, mutual authentication, So it
is referred as the Hybrid Port Knocking(HPK)
HPK is used for host authentication inorder to make local services invisible from
port scanning and providing an extra layerof security which attackers must crossbefore access or breaking important
information
7/31/2019 Hybrid Port Knocking
3/16
Why Port Knocking ?
Firewall is a good solution but they canonly provide control based on IP and someother characteristics. It can only see IPaddresses and its characteristics but not auser-name and password. So firewall canbe considered as first level of security.
There are common attacks against whichfirewalls cannot protect. For exampleFirewalls cannot protect against exploitingbugs in application level software.
7/31/2019 Hybrid Port Knocking
4/16
What is Port Knocking
PK is a method of externally opening ports on afirewall by generating a connection attempt on aset of pre-specified closed ports. Once a correctsequence of connection attempts is received, Thefirewall rules are dynamically modified to allow the
host which sent the connection attempts toconnect over specific port(s).
The PK server checks the sequence of incomingpackets, if they are in the correct order that theclient and server have agreed on, the PK server
informs the firewall to open port 22 (SSH) to theclient requesting the service.
7/31/2019 Hybrid Port Knocking
5/16
Problem with Pocket Knocking
The problem today in the world is full ofsecurity threats, it should be assumed thatall traffic is monitored by an unknown third
party as it travels across a network The knock sequence can be passively
observed by an eavesdropping person inthe middle of our connection and just
replays the knock sequence to get thesame response from the server. Thisproblem is called TCP replay attack.
7/31/2019 Hybrid Port Knocking
6/16
Solution for PK problem
The solution is the knock sequence shouldnot be re-playable. Any host connected tothe Internet needs to be secured againstunauthorized intrusion and other attack.
The most obvious way to limit access is torequire users to authenticate themselvesbefore granting them access.
Single packet authentication (SPA), or usea lightweight concealment protocol can beused for port authentication.
7/31/2019 Hybrid Port Knocking
7/16
Most of the packet authentication suffer from either one ormore of the following problems
0-day attacks. The sequence replay attack.
Minimal data transmission rate.
Knock sequences and port scans.
Knock sequence busting with spoofed packets. Failure if a client is behind a NATed network.
Failure if packets are received/delivered in out of order.
A lack of association between authentication andconnections being opened
Flaws in how cryptography is applied to provideauthentication.
Data extraction from eavesdropped packets.
7/31/2019 Hybrid Port Knocking
8/16
Hybrid Pocket Knocking Technique
HPK technique consists of seven main steps:1. Traffic monitoring : PK server is installedbehind the network firewall, as shown in Fig,monitoring and checking traffic at firewall
7/31/2019 Hybrid Port Knocking
9/16
2. Traffic capturing: The PK server capturesonly the traffic holding a payload (image) for
further processing, as shown in Fig.
7/31/2019 Hybrid Port Knocking
10/16
3. Image processing: The PK server extractsthe payload (image) from the received packet .
This step checks if the payload containsinformation that demands firewall to open port orrun commands that needs further authentication.
7/31/2019 Hybrid Port Knocking
11/16
4. Client authentication: After the PK servermakes sure that the payload was carrying an
intended request, it needs to make sure that itis communicating with the correct client, so ittakes a random number and encrypts it usingthe clients public key and sends it as a payload
to the client.5. Server authentication: The client nowreceives the packet carrying the encrypted
payload, extracts it and decrypts it using theservers public key. Then the client sends therandom number as a payload back to the PKserver to ensure its identity.
7/31/2019 Hybrid Port Knocking
12/16
6. Proving the identity of the client: receives thereply from the client to its random number check.The server extracts the payload and checks if the
received message holds the same number as theone randomly generated and sent to the client.
7. Port closing: Finally, in this step, after the taskis completed, either the client informs the PKserver to close the port, or the PK server decidesto close the opened port after specified silentperiod on that open port. In any of these twocases, the PK server demands firewall to close the
open port. In this case, if the client wants to accessthe system again, it needs to initiate new access orauthentication request, i.e., start from phase #1.
7/31/2019 Hybrid Port Knocking
13/16
Conclusions
The HPK technique is immune to a TCP replayattack, because it uses cryptography andSteganography within the TCP payload, and mutualauthentication to authenticate both parties together.
The HPK technique is immune to a denial-ofservice
(DoS) attack, because it has a built in detectionsystem with the ability to countermeasure againsthosts causing such attacks
The HPK technique is much more secure than the
traditional PK (TPK) and the single packetauthentication (SPA) techniques, because solvedproblems that others failed in.
7/31/2019 Hybrid Port Knocking
14/16
The communication protocol used is a simplesecure encryption scheme that uses GnuPG
keys with Steganography constructions The HPK technique is implemented using
threads technology in case more HPKprocesses are needed (i.e., more clients
requests are received).
The HPK technique is highly configurable tosuite network needs.
The HPK technique is completely opensource, and uses GNU General publiclicense version 3 (GPL3).
7/31/2019 Hybrid Port Knocking
15/16
References
B. Rudis. The Enemy Within: Firewalls and Back doors. Security focus, June 2003. Available athttp://www.symantec.com/connect/articles/enemy-within firewalls-and-back doors.
W. Sonnenreich, and T. Yates. Building Linux and Open BSD Firewalls, Wiley, New York, 2000.
A. Tongaonkar, A. Tongaonkar, N. Inamdar, and R. Sekar. Inferring Higher Level Policies fromFirewall Rules. Proceedings of 21st Large Installation System Administration Conference (LISA'07), USENIX Association, pp. 17-26, Dallas, USA, November 2007
J. Song, H. Takakura, and Y. Kwon, A Generalized Feature Extraction Scheme to Detect 0-DayAttacks via IDS Alerts Proceedings of the 2008 International Symposium on Applications and the
Internet - Volume 00, IEEE Computer Society Washington, DC, USA Ali Hussein, 2010, "A Hybrid Port-Knocking Technique for Host Authentication", Ph. D. Thesis,
University of Banking and Financial Sciences.
Python Programming Language http://www.python.org/
Fedora GNU/Linux Operating System https://fedoraproject.org/wiki/Fedora_Project_Wiki,
Wireshark, Network Protocol Analyzer http://wireshark.org.
tcpreplay, Replay captured network traffic, http://tcpreplay.synfin.net/trac/
Gordon Lyon (aka Fyodor Vaskovichr), Nmap ("Network Mapper") utility for network explorationor security auditing, Phrack Magazine, Vol. 7
Krzywinski, M. 2003. Port Knocking: Network Authentication Across Closed Ports. SysAdminMagazine 12: 12-17.
7/31/2019 Hybrid Port Knocking
16/16
THANK YOU