
1 Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle

2 Layered system security
- Password-protected logins
- Software and hardware firewalls
- Intrusion detection systems
- Patching existing software
- Disabling unnecessary services
- Port Knocking

4 Network Communication Sending data to a remote system requires that system’s IP address

5 Network Communication A port number is then needed to direct the data to the destination application

6 Network Communication Ports which have applications “listening” for data on them will appear open to remote machines.

7 Network Communication Ports without running applications will appear closed to remote machines.

8 Firewalls Firewalls act as a “first line of defense” for these incoming data packets.

9 Firewalls If a firewall is allowing traffic on our destination port, then our data packets will proceed as usual...

10 Firewalls However, if the firewall is blocking this port, our data will be rejected, even if a service is running.

11 Why block ports?
- System intrusions are often the result of malicious users exploiting flaws in running services (e.g. MSBlaster)
- By only allowing trusted users access to these services (by way of a firewall), we can decrease the chances of these services being exploited.

12 Port Knocking
- Hides services running on server machine
- Blocks ports, yet still allows communication across the firewall
- Enables remote manipulation of firewall rules by authenticated users

15 Port Knocking: Setup
- Configure firewall rules to block access to services you wish to be hidden
- Configure firewall software to log all connection attempts to closed ports

16 Port Knocking: Communication Across a Firewall
- Communication with the server will be in the form of log file entries
- Data will be encoded within a sequence of connection attempts
- Server side of our port knocking system will decrypt the data in these entries and act on it

17 Port Knocking: Remote Firewall Manipulation
- Decrypted log entries will provide our server with the information it needs to open a specific port in our firewall
- Server then opens the port of our choosing to traffic from an IP address of our choosing

18 The Client Side: knockc
What the client does:
- Prompts user for all necessary information
- Takes this information and constructs an encrypted sequence of port numbers
- Makes connection attempts with each of these ports on the specified remote host

19 The Client Side: knockc
Prompts user for the following information:
- Source machine to allow through the firewall
- Destination machine we wish to connect to
- Port we wish to connect on
- Offset value to be added to each port knock (more on this later)
- An “action value,” which indicates whether we wish to open or close the remote port
- An encryption password
With these values, our client is ready to construct our knock sequence

20 The Client Side: knockc For the purposes of this example, we will assume that our machine at 130.184.92.77 wishes to open port 22 (SSH) on machine 10.20.30.40, using an offset of 2000. Our encryption password will be “topsecret”

21 The Client Side: knockc Information is encoded into 8 bytes (Blowfish encrypts data which is a multiple of 8 bytes in size)

22 The Client Side: knockc
- Our source IP has 4 values, each with a range of 0-255
- We can therefore convert each of these 4 values to a single 1-byte character: 130 = ‘é’, 184 = ‘╕’, 92 = ‘\’, 77 = ‘M’

23 The Client Side: knockc These 4 bytes compose the first half of our 8 byte string

24 The Client Side: knockc
- Our port number has a range of 0-65,535, making it a 2-byte value.
- This value is broken up into its upper byte and lower byte.
- 22 (decimal) = 00000000 00010110 (binary); 00000000 = NUL (control character), 00010110 = SYN (control character)

25 The Client Side: knockc Now we have the next 2 bytes of our string

26 The Client Side: knockc Finally, byte 7 contains our action value (Open = 1). Byte 8 is currently unused and is set to 0.

27 The Client Side: knockc This 8-byte string is then encrypted using the Blowfish encryption algorithm


30 The Client Side: knockc Each character in the encrypted string is then converted back into a 0-255 range integer


33 The Client Side: knockc Finally, we add our offset value. This dictates which range of 256 consecutive ports our knocks will fall upon


36 The Client Side: knockc The client will now attempt to connect to each of these ports, in order, on the remote machine we specified (10.20.30.40)

37 The Server Side: knockd
What the server does:
- Monitors system log file for changes
- Retrieves and stores knock sequences from relevant log entries
- Decrypts completed knock sequences
- Modifies firewall using information extracted from these knock sequences

38 The Server Side: knockd
Prompts user for the following information:
- Offset value to be subtracted from each port knock
- The encryption password

39 The Server Side: knockd Server begins by taking an MD5 hash of the log file. This hash is a 16-byte “digital fingerprint” of the data in the file. Example: MD5(/var/log/messages) = fff195ccfac240a55b855bb4d1d8ce59

40 The Server Side: knockd When this hash changes, we know that data has been appended to our log file. The server then searches the appended data for entries such as these:

41 The Server Side: knockd
Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003
Apr 13 03:10:40 planb /kernel: Connection attempt to TCP 10.20.30.40:2074 from 130.184.92.77:3006
Apr 13 03:10:41 planb /kernel: Connection attempt to TCP 10.20.30.40:2102 from 130.184.92.77:3009
Apr 13 03:10:43 planb /kernel: Connection attempt to TCP 10.20.30.40:2210 from 130.184.92.77:3012
Apr 13 03:10:44 planb /kernel: Connection attempt to TCP 10.20.30.40:2232 from 130.184.92.77:3015
Apr 13 03:10:45 planb /kernel: Connection attempt to TCP 10.20.30.40:2206 from 130.184.92.77:3018
Apr 13 03:10:46 planb /kernel: Connection attempt to TCP 10.20.30.40:2235 from 130.184.92.77:3021
Apr 13 03:10:47 planb /kernel: Connection attempt to TCP 10.20.30.40:2053 from 130.184.92.77:3024

42 The Server Side: knockd When the server finds such entries, it extracts two pieces of information:
Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003

43 The Server Side: knockd The port that our client is attempting to connect to (here 2018)...

45 The Server Side: knockd ...and the IP address of the machine that is trying to connect (here 130.184.92.77).

47 The Server Side: knockd Once we have a complete set of 8 knocks from the same host, we are ready to decrypt:

48 The Server Side: knockd
Apr 13 03:10:39 planb /kernel: Connection attempt to TCP 10.20.30.40:2018 from 130.184.92.77:3003
Apr 13 03:10:40 planb /kernel: Connection attempt to TCP 10.20.30.40:2074 from 130.184.92.77:3006
Apr 13 03:10:41 planb /kernel: Connection attempt to TCP 10.20.30.40:2102 from 130.184.92.77:3009
Apr 13 03:10:43 planb /kernel: Connection attempt to TCP 10.20.30.40:2210 from 130.184.92.77:3012
Apr 13 03:10:44 planb /kernel: Connection attempt to TCP 10.20.30.40:2232 from 130.184.92.77:3015
Apr 13 03:10:45 planb /kernel: Connection attempt to TCP 10.20.30.40:2206 from 130.184.92.77:3018
Apr 13 03:10:46 planb /kernel: Connection attempt to TCP 10.20.30.40:2235 from 130.184.92.77:3021
Apr 13 03:10:47 planb /kernel: Connection attempt to TCP 10.20.30.40:2053 from 130.184.92.77:3024

50 The Server Side: knockd The server has reassembled the knock sequence created by the client. First, it must subtract our port offset from each knock...
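Added example (not knockd's own source): parsing the log entries shown above, grouping knocks by source host, and returning one host's eight knocks with the offset subtracted, as slides 47-50 describe. The function and struct names and the 16-host table limit are assumptions of this example; the log lines in the test are the ones from the slides.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not knockd's own source: parse the firewall log lines the
 * slides show, group knocks by source host, and hand back a host's 8-knock
 * sequence (offset already subtracted) as soon as the 8th knock arrives. */
struct knock_state {
    char src_ip[16];                 /* dotted-quad source address */
    unsigned ports[8];               /* knocked ports with offset removed */
    int count;                       /* knocks collected so far; 0 = free */
};

/* One log line -> destination port and source IP. Returns 1 if the line
 * is a "Connection attempt" entry, 0 for anything else in the log. */
int parse_knock_line(const char *line, unsigned *dst_port, char src_ip[16])
{
    unsigned d[4], s[4], sport;
    const char *p = strstr(line, "Connection attempt to TCP ");
    if (!p) return 0;
    if (sscanf(p, "Connection attempt to TCP %u.%u.%u.%u:%u from %u.%u.%u.%u:%u",
               &d[0], &d[1], &d[2], &d[3], dst_port,
               &s[0], &s[1], &s[2], &s[3], &sport) != 10) return 0;
    if (s[0] > 255 || s[1] > 255 || s[2] > 255 || s[3] > 255) return 0;
    snprintf(src_ip, 16, "%u.%u.%u.%u", s[0], s[1], s[2], s[3]);
    return 1;
}

/* Feed one appended log line (hosts[] holds up to 16 half-finished
 * sequences). Returns 1 and fills seq[] when the line completes its host's
 * sequence, freeing the slot; ports outside the offset window are ignored. */
int feed_log_line(struct knock_state hosts[16], const char *line,
                  unsigned offset, unsigned seq[8])
{
    unsigned port; char ip[16];
    struct knock_state *h = NULL, *spare = NULL;
    if (!parse_knock_line(line, &port, ip)) return 0;
    if (port < offset || port > offset + 255) return 0;
    for (int i = 0; i < 16; i++) {
        if (hosts[i].count > 0 && !strcmp(hosts[i].src_ip, ip)) h = &hosts[i];
        else if (hosts[i].count == 0 && !spare) spare = &hosts[i];
    }
    if (!h) {                        /* new host: take a free slot or drop */
        if (!spare) return 0;
        h = spare; strcpy(h->src_ip, ip);
    }
    h->ports[h->count++] = port - offset;
    if (h->count < 8) return 0;
    memcpy(seq, h->ports, sizeof h->ports);
    h->count = 0;                    /* slide 71: release the sequence */
    return 1;
}
```

The fixed-size host table is the only bound on memory a flood of connection attempts from many sources can consume, which is the denial-of-service concern the final slides raise.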


53 The Server Side: knockd The original values are then converted into their corresponding characters...

56 The Server Side: knockd We now have the character string that resulted from the encryption done by the client side.

57 The Server Side: knockd Using the password that the server is initialized with, we can decrypt this string to obtain the original character string.

60 The Server Side: knockd With this original string, we can then convert each character to its corresponding integer value.

63 The Server Side: knockd We have now successfully decrypted the information stored in a sequence of connection attempts, and are left with the data input by the user on the client side.
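Added example (not the thesis's knockc/knockd code) covering both the client-side encoding of slides 21-36 and the server-side decoding of slides 50-63: the 8-byte block is packed and unpacked, and mapped to and from the offset port window, using unsigned bytes so the octets above 127 (130 and 184) cannot sign-extend. Function names are assumptions; the Blowfish encryption and decryption of the block, which sit between packing and the port mapping, are not implemented here.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not the thesis's knockc/knockd source: the 8-byte block
 * the slides describe, handled as unsigned bytes so octets above 127 (130
 * and 184 here) never sign-extend. Blowfish encryption of the block sits
 * between pack/unpack and the port mapping and is not shown here. */

/* Client: source IP, port (upper byte first) and action -> 8-byte block. */
int pack_knock_block(const uint8_t ip[4], uint16_t port, uint8_t action,
                     uint8_t block[8])
{
    if (action > 1) return -1;         /* only close (0) / open (1) defined */
    memcpy(block, ip, 4);              /* bytes 0-3: source IP octets */
    block[4] = (uint8_t)(port >> 8);   /* byte 4: upper byte of port */
    block[5] = (uint8_t)(port & 0xff); /* byte 5: lower byte of port */
    block[6] = action;                 /* byte 6: action value */
    block[7] = 0;                      /* byte 7: unused, always 0 */
    return 0;
}

/* Client: byte + offset = knock port, so all 8 knocks land in one
 * 256-port window; -1 when that window would pass port 65535. */
int block_to_ports(const uint8_t block[8], unsigned offset, unsigned ports[8])
{
    if (offset > 65535u - 255u) return -1;
    for (int i = 0; i < 8; i++) ports[i] = offset + block[i];
    return 0;
}

/* Server: inverse mapping; a port outside the window is not a knock. */
int ports_to_block(const unsigned ports[8], unsigned offset, uint8_t block[8])
{
    for (int i = 0; i < 8; i++) {
        if (ports[i] < offset || ports[i] > offset + 255) return -1;
        block[i] = (uint8_t)(ports[i] - offset);
    }
    return 0;
}

/* Server: decrypted block -> fields; a malformed block is rejected. */
int unpack_knock_block(const uint8_t block[8], uint8_t ip[4],
                       uint16_t *port, uint8_t *action)
{
    if (block[6] > 1 || block[7] != 0) return -1;
    memcpy(ip, block, 4);
    *port = (uint16_t)((block[4] << 8) | block[5]);
    *action = block[6];
    return 0;
}
```

The unused byte 7 and the action byte give the server two cheap sanity checks on a decrypted block: with the wrong password, Blowfish output is effectively random and these checks reject most garbage before it ever reaches the firewall.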

64 The Server Side: knockd The server then uses this information to modify the firewall... Open port 22 to IP 130.184.92.77

71 The Server Side: knockd The server then frees all memory allocated to this particular knock sequence, and returns to its task of monitoring the log file for changes.

72 Final Thoughts
- “Security through obscurity”
- Replay attacks
- Denial of Service attacks
- Log file pollution
- Allowing indirect access
- Extended functionality, not just firewall manipulation
- “Clean byte”
- Open source software
