Re: Port-Knocking vulnerabilities?

On 2007-12-31 Robert Inder wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx> wrote:
On 2007-12-28 Jay wrote:
Portknocking is a security mechanism as it is a type of
authentication. "Something you know" in this case the sequence of
ports to knock before a unstarted service or daemon begins listening
for connections.

Since everything is transmitted in the clear port-knocking is as much
of a security mechanism as cleartext passwords. Technically: maybe
(depending on your definition). Realistically: no.

I think your dismissal of port knocking (and, indeed, plain text
passwords) is unrealistic.

If you can intercept my interaction with some remote server, you can
steal the relevant secrets (the password or the sequence of ports).

But isn't that quite a substantial "if"?

The substantial "if" is the question if intercepting the transmission
will allow an attacker to learn the secret without having to compromise
either the sender or the receiver of the communication. If an attacker
can do that, then the authentication mechanism is insecure and thus mere
obscurity. Period.

How are you going to do it? Aren't you going to have to compromise
some other machine, either where I am, or where the server is (or, I
guess, where the relevant DNS records are), and then plant software to
deliberately wait and watch until a relevant interaction takes place?

http://ettercap.sourceforge.net/

There are other attack vectors as well.

I'm not saying that's impossible. But it would take considerable
knowledge, planning and effort.

Why doesn't that make it a substantial defence against most kinds of
casual attack?

Because "substantial" is the opposite of "casual". A measure that won't
also stop a determined attacker is just obscurity, not security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Relevant Pages

  • Re: Port-Knocking vulnerabilities?
    ... Portknocking is a security mechanism as it is a type of authentication. ... "Something you know" in this case the sequence of ports to knock before a unstarted service or daemon begins listening for connections. ... what an attacker ...
    (Security-Basics)
  • Re: [Full-disclosure] DNS spoofing issue. Thoughts on potential exploits
    ... Using a dedicated nameserver for SMTP leaves the system susceptible to ... use random source ports, both the firewall between the internal LAN and DMZ ... the attacker must get access to the LAN or in case to ...
    (Full-Disclosure)
  • Re: Signatures and encryption headers
    ... breached when an attacker can modify the message received? ... But I see how the lack of authentication can cause the receiver to act ... not for the iv or other encryption ... A create a payload, S signs it with public key crypto (most likely ...
    (sci.crypt)
  • Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
    ... one thing that would definitely help are tighter firewall rules ... Since then, I have blocked the common IRC ports, and the firewall was ... >to the attacker or some IRC channel ... Apache needs to open the outbound to ...
    (Incidents)
  • Re: BEFVP41 -2003 SBS Help Please
    ... > Couple of things to keep in mind about exposed ports, VPN, and security ... > only get to talk to the authentication code. ... it requires monitoring the use of any open ports. ... > + Monitor exposed authentication ports and processes, ...
    (microsoft.public.windows.server.sbs)