Port Knocking

[Libra Monkee]

Anybody know anything about it?


found internets

[complacent]

yup. it's cool enough I guess...

[schvin]

makes me cross. i guess the obfuscation and neat factors are high, but doesn't seem scalable or usable from an enterprise perspective, so that makes me cross. i seem to be getting crotchety in my old age.

[Sabre]

I used it a long time ago for a project I had. Feel free to ask questions

[Libra Monkee]

By knocking on certain sequence of closed firewall ports you could open a port for your connection. Does that sound right?

[avriette]

By knocking on certain sequence of closed firewall ports you could open a port for your connection. Does that sound right?

"open a port" is too specific. "information could be transmitted" is more appropriate. Consider the case of two prisoners communicating by tapping a mutual wall.

[complacent]

makes me cross. i guess the obfuscation and neat factors are high, but doesn't seem scalable or usable from an enterprise perspective, so that makes me cross. i seem to be getting crotchety in my old age.

wow, you might be a little crotchety...

I think it's "cool enough" for say a warez box or that one box that you keep some tools on.

But I agree, it would not be easily deployed amongst the enterprise.

[ElZorro]

Nothing says it couldn't be deployed across an enterprise - think of it like a key, with the ports being the tumblers. Hit the tumblers right and the lock opens. You can encode this into software (great in client server applications). The problem is it is near worthless against a replay attack - if someone can sniff the traffic between the just play the sequence back and get in. If approach the server without sniffing they won't be able to get in.

[complacent]

Nothing says it couldn't be deployed across an enterprise - think of it like a key, with the ports being the tumblers. Hit the tumblers right and the lock opens. You can encode this into software (great in client server applications). The problem is it is near worthless against a replay attack - if someone can sniff the traffic between the just play the sequence back and get in. If approach the server without sniffing they won't be able to get in.

Agreed, the obfuscation is out teh window when you start coding it into software...

If you look at it as a one trick pony that only "works" as a one trick pony, you start to get a better idea of how it can be implemented and still remain "cool".

[schvin]

yeah - agree with comments.

[Sabre]

The problem is it is near worthless against a replay attack - if someone can sniff the traffic between the just play the sequence back and get in. If approach the server without sniffing they won't be able to get in.

Ah, now that isn't true! Take your key analogy (which was great!) one step further. Knowing that you are on a computer, you can now establish a out-of-band sequence that the ports should be knocked on. There are 65536 ports available (technically), so if you have a function that generates the next sequence psuedo-randomly, it doesn't matter if you sniff the traffic of the previous connection sequence, as the next time it will be a different port combination. If you knock on 5 ports before the right one opens, you have a VERY small chance that you will ever guess the right sequence (think 1 in a billion). Now if you can find the sequence, you're in with no problem... but let's hope the person that designed the system did something better than cos(x)*100

[schvin]

that's a good point... it would be pretty swank as an OPIE transport.

[Sabre]

Now you're thinking in the right direction

[ElZorro]

so if you have a function that generates the next sequence psuedo-randomly, it doesn't matter if you sniff the traffic of the previous connection sequence, as the next time it will be a different port combination.

Excellent.