Hybrid Port Knocking


  • 7/31/2019 Hybrid Port Knocking


    - Prasanna Kambham


    Introduction

    Hybrid port knocking combines three concepts: port knocking (PK), steganography and mutual authentication, which is why it is referred to as Hybrid Port Knocking (HPK).

    HPK is used for host authentication in order to make local services invisible to port scanning and to provide an extra layer of security that attackers must cross before accessing or breaking important information.


    Why Port Knocking?

    A firewall is a good solution, but it can only provide control based on IP addresses and some other characteristics. It sees IP addresses and their characteristics, but not a user name and password, so a firewall can be considered the first level of security.

    There are common attacks against which firewalls cannot protect. For example, firewalls cannot protect against the exploitation of bugs in application-level software.


    What is Port Knocking

    PK is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection attempts to connect over specific port(s).

    The PK server checks the sequence of incoming packets; if they arrive in the order that the client and server have agreed on, the PK server informs the firewall to open port 22 (SSH) to the client requesting the service.


    Problem with Port Knocking

    Today's world is full of security threats, so it should be assumed that all traffic is monitored by an unknown third party as it travels across a network. The knock sequence can be passively observed by an eavesdropper in the middle of our connection, who then simply replays the knock sequence to get the same response from the server. This problem is called a TCP replay attack.


    Solution for PK problem

    The solution is that the knock sequence should not be replayable. Any host connected to the Internet needs to be secured against unauthorized intrusion and other attacks.

    The most obvious way to limit access is to require users to authenticate themselves before granting them access.

    Single packet authentication (SPA), or a lightweight concealment protocol, can be used for port authentication.


    Most packet authentication schemes suffer from one or more of the following problems:

    - 0-day attacks.
    - The sequence replay attack.
    - Minimal data transmission rate.
    - Knock sequences and port scans.
    - Knock sequence busting with spoofed packets.
    - Failure if a client is behind a NATed network.
    - Failure if packets are received or delivered out of order.
    - A lack of association between authentication and the connections being opened.
    - Flaws in how cryptography is applied to provide authentication.
    - Data extraction from eavesdropped packets.


    Hybrid Port Knocking Technique

    The HPK technique consists of seven main steps:

    1. Traffic monitoring: the PK server is installed behind the network firewall, as shown in Fig., monitoring and checking traffic at the firewall.


    2. Traffic capturing: the PK server captures only the traffic carrying a payload (image) for further processing, as shown in Fig.


    3. Image processing: the PK server extracts the payload (image) from the received packet. This step checks whether the payload contains information that demands the firewall open a port, or commands that need further authentication.


    4. Client authentication: after the PK server makes sure that the payload was carrying an intended request, it needs to make sure that it is communicating with the correct client, so it takes a random number, encrypts it using the client's public key and sends it as a payload to the client.

    5. Server authentication: the client now receives the packet carrying the encrypted payload, extracts it and decrypts it using the server's public key. Then the client sends the random number as a payload back to the PK server to prove its identity.


    6. Proving the identity of the client: the PK server receives the client's reply to its random-number check. The server extracts the payload and checks whether the received message holds the same number as the one it randomly generated and sent to the client.

    7. Port closing: finally, after the task is completed, either the client informs the PK server to close the port, or the PK server decides to close the opened port after a specified silent period on that port. In either case, the PK server demands that the firewall close the open port. If the client then wants to access the system again, it needs to initiate a new access or authentication request, i.e., start from phase #1.
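    The seven HPK steps above, and the replay problem raised on the "Problem with Port Knocking" slide, as an added worked example in Python; this is not the thesis's or the slides' own code. It assumes an LSB steganography cover built as a plain byte array, a toy textbook RSA keypair standing in for the GnuPG keys, port 22, and constructed client address and message formats (OPEN/CHAL/RESP); the client decrypts the challenge with its own private key, which is what a value encrypted under the client's public key requires. The server discards each nonce once it has been checked, so a captured reply cannot be replayed to reopen the port.

```python
import secrets

def lsb_embed(pixels: bytearray, data: bytes) -> bytearray:
    """Hide a length-prefixed payload in the least significant bit of each pixel byte."""
    payload = len(data).to_bytes(2, "big") + data
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    assert len(bits) <= len(pixels), "cover image too small for payload"
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_extract(pixels: bytes) -> bytes:  # inverse of lsb_embed
    byte_at = lambda k: sum((pixels[k * 8 + i] & 1) << (7 - i) for i in range(8))
    return bytes(byte_at(2 + j) for j in range((byte_at(0) << 8) | byte_at(1)))

# Toy-sized textbook RSA (constructed for this demo, NOT for real use) stands in for the GnuPG keys.
def rsa_keypair(p=65521, q=65519, e=65537):
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public, private)
def rsa_apply(key, m: int) -> int:
    return pow(m, key[0], key[1])

COVER = bytearray(range(256)) * 4   # constructed 1024-byte "image" used as the stego cover

class PKServer:
    def __init__(self, client_pub, port=22, silent_period=60):
        self.client_pub, self.port, self.silent = client_pub, port, silent_period
        self.pending, self.open_for = {}, {}   # ip -> outstanding nonce ; ip -> last activity

    def handle(self, src_ip: str, pixels: bytes, now: float):
        """Steps 2-6: read the stego payload, challenge the client, verify its reply."""
        msg = lsb_extract(pixels)
        if msg == b"OPEN " + str(self.port).encode():           # step 3: a valid request
            nonce = secrets.randbelow(self.client_pub[1])        # step 4: fresh challenge
            self.pending[src_ip] = nonce
            enc = rsa_apply(self.client_pub, nonce).to_bytes(4, "big")
            return lsb_embed(COVER, b"CHAL" + enc)
        if msg.startswith(b"RESP") and src_ip in self.pending:   # step 6: check the reply
            if int.from_bytes(msg[4:], "big") == self.pending.pop(src_ip):
                self.open_for[src_ip] = now                      # firewall: open the port
        return None

    def sweep(self, now: float):   # step 7: close ports idle longer than the silent period
        for ip in [i for i, t in self.open_for.items() if now - t > self.silent]:
            del self.open_for[ip]

def client_answer(client_priv, challenge_pixels: bytes) -> bytearray:  # step 5, client side
    enc = lsb_extract(challenge_pixels)[4:]
    nonce = rsa_apply(client_priv, int.from_bytes(enc, "big"))   # needs the client's PRIVATE key
    return lsb_embed(COVER, b"RESP" + nonce.to_bytes(4, "big"))
```

    A request for any port other than the configured one, or a reply with no outstanding challenge, is ignored without touching the firewall state.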


    Conclusions

    The HPK technique is immune to a TCP replay attack, because it uses cryptography and steganography within the TCP payload, and mutual authentication to authenticate both parties.

    The HPK technique is immune to a denial-of-service (DoS) attack, because it has a built-in detection system with the ability to apply countermeasures against hosts causing such attacks.

    The HPK technique is much more secure than the traditional PK (TPK) and single packet authentication (SPA) techniques, because it solves problems that the others failed to solve.


    The communication protocol used is a simple secure encryption scheme that uses GnuPG keys with steganography constructions.

    The HPK technique is implemented using threads, in case more HPK processes are needed (i.e., more client requests are received).

    The HPK technique is highly configurable to suit network needs.

    The HPK technique is completely open source, and uses the GNU General Public License version 3 (GPL3).
