mailing list archives
RE: Port-Knocking vulnerabilities?
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Tue, 1 Jan 2008 08:32:08 +1100
First, you have mentioned SPA, and true this offers more then port knocking, you have also mixed port knocking and SPA
up in a couple of your comments.
Now you make the comment that SPA can "encrypt" and store in the IP ID. IP ID is a 16 bit flag. That is there are a max
of 65535 values. Even with 4 IP packets it is functionally equivilant to a 3 character password. Given a standard ADSL
line and 68 byte packets I can send all combinations in just under 7.5 seconds (and this is not doing any analysis on
That is SPA and not port knocking. That is the MORE secure of the two options.
Yes this way will make a log entry, but are you sitting at the server 24x7 and monitoring ALL scans. Will you stop me
in less then 8 seconds?
When did people consider a 3 character password safe?
Dr Craig Wright (GSE-Compliance)
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within
those States and Territories of Australia where such legislation exists.
The information in this email and any attachments is confidential. If you are not the named addressee you must not
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have
received this message in error, please notify the sender by return email, destroy all copies and delete it from your
Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au
BDO Kendalls is a national association of separate partnerships and entities.
From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of Goldstein101 [goldstein101 ()
Sent: Tuesday, 1 January 2008 6:40 AM
To: Robert Inder
Cc: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com
Subject: Re: Port-Knocking vulnerabilities?
I guess most of you haven't bothered to check what port knocking
really is capable of 'cause I'm reading a lot of things that are not
First of all, Port Knocking is just another layer of security. Think
of it as the door of a room that contains a safe. You first have to
break the port knocking daemon and then the safe. Not that easy,
Second, Who said port knocking is like transmitting a password in
cleartext? Most modern PK systems are encryption based. An attacker
can sniff port numbers but packets usually contain other information
that is used for authentication.
For example I use Aldaba Knocking Suite (aldabaknocking.com) which
provides Port Knocking and Single Packet Authorization.
In Port knocking mode, basically the client sends this: [IP
Address][Port Number][Open/Close Flag][Checksum].
That information is encrypted and sent encoded in the IP-Id field of 4
TCP-SYN packets. This way you have 2 forms of authentication: The
first is simple: you need to know the exact port numbers to use when
sending those TCP-Syn Packets. Second: you need to know a secret (the
encryption key) used to encrypt the information. If you don't have it,
you can send random data but when decrypted, it won't verify the
However, Port Knocking has some disadvantages and vulnerabilities. A
better and more elegant approach is SPA. Check it out. There are some
papers out there.
On Dec 31, 2007 7:27 PM, Robert Inder <robertinder () googlemail com> wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
On 2007-12-28 Jay wrote:
Portknocking is a security mechanism as it is a type of
authentication. "Something you know" in this case the sequence of
ports to knock before a unstarted service or daemon begins listening
Since everything is transmitted in the clear port-knocking is as much of
a security mechanism as cleartext passwords. Technically: maybe
(depending on your definition). Realistically: no.
I think your dismissal of port knocking (and, indeed, plain text
passwords) is unrealistic.
If you can intercept my interaction with some remote server, you can
steal the relevant secrets (the password or the sequence of ports).
But isn't that quite a substantial "if"?
How are you going to do it? Aren't you going to have to compromise
some other machine, either where I am, or where the server is (or, I
guess, where the relevant DNS records are), and then plant software to
deliberately wait and watch until a relevant interaction takes place?
I'm not saying that's impossible. But it would take considerable
knowledge, planning and effort.
Why doesn't that make it a substantial defence against most kinds of
Robert Inder Interactive Information Ltd, Registered
07808 492 213 3, Lauriston Gardens, Company no. SC 150689
0131 229 1052 Edinburgh EH3 9HH
SCOTLAND UK Interactions speak
louder than words
Room 101, Ministry of Truth.
W2, London. Oceania.
RE: Port-Knocking vulnerabilities? Jay (Dec 31)
Re: Port-Knocking vulnerabilities? Jay (Dec 31)
- RE: Port-Knocking vulnerabilities?, (continued)