Penetration Testing
an anternative to port-knoking using the OpenBSD pf only Jan 23 2006 09:44PM
poplix (poplix papuasia org) (2 replies)
Hi there,

I wish to propose an alternative to port knoking that uses the native
OpenBSD's pf code only. The idea is to use the pf's passive os
fingerprinter to authenticate initial SYN packets.
With a tool (or kernel patch) able to rewrite packets header is possible
to use a specific sequence of header fields as a key to validate

Rewriting tcp/ip headers can be useful to change the non standard tcp/ip
stack behavior in order to spoof your os to programs that perform
of the headers values to identify oss. This well known method to
passively fingerprint oss is based on the analisys of those tcp/ip
fields that are vendor specific such as tcp options, window size,
ttl, ecc.
There are several programs out there that implements this tecnique:
p0f, ettercap, OpenBSD pf, ecc but deciveing this kind of programs can
result in waste of time. In fact it's well known that packets header
can be
easily forged or manipulated so os fingerprinting (ospf) is used for
statistics, performance improvements or similar only.
But this is not the point: is possible to use osfp spoof in
conjunction with
OBSD pf as an alternative to port knoking. Port knoking is useful to
increase stealthness of the internet servers, but it requires additional
software to run on those systems increasing security risks. Using ospf
spoof is possible to have stealthness using the native OBSD kernel code
As mentioned above OpenBSD pf has a builtin passive os fingerprinter
that can be used in pf rules, an example can be:

pass in proto tcp from any os "Windows 2000"

This rule allows packets from any Windows 2000 machine.
With this feature is possible to block all incoming packets except those
that come from a specific operating system.

The idea is to use os fingerprints as a key. An user can invent a
sequence of header values that will identify his fake os, add it to
fingerprints database and use it in the firewall.
The result is an OBSD machine that is totally stealth to port scans but
the owner can log into it using his specific set of header values.

I've tested this tecnique with a tool I'm writing that is capable of
rewriting outgoing (and incoming) packets, but maybe fragroute with some
modifications can do the same.

The Test:
I've a linux box capable of setting arbitrary header values (using
tripp) so I choosed a set of tcp/ip headers fields that are not
in osfp database and then I added this sequence naming it "poplix".

I added the invented os fingerprint to pf os databese by inserting
this line to /etc/pf.os (my os fingerprints database)

8192:128:0:60:M3884,N,W0,N,N,T:poplix:::poplix fi

Now I can configure pf with the following ruleset:

block in on rl0 all
pass in from any os poplix keep state

This new os fingerprint entry will identify
my packets and allow them to pass through firewall.

Linux client runs tripp with the following rule:

OUT (tcp.flags='syn')

This rule tells tripp to rewrite all outgoing tcp packets with the
flag set only allowing my first handshake packet to match "poplix"


root@sd:# ssh -l poplix
ssh: connect to host port 22: Connection timed out

root@sd:~# tripp -o eth0 -f rules -g -S &
rewriter for outgoing traffic started

root@sd:~# ssh -l poplix
poplix (at) papuasia (dot) org [email concealed]'s password: **********
poplix (at) papuasia (dot) org [email concealed]:~$

Note that is also possible to kill tripp after the connection
is estabilished (in this case on password request).

Notes on tripp:
Please note that tripp is in a very embrional state: ip options are
not processed, not all tcp options are supported, most icmp types
are dropped (echo request end echo reply only pass through tripp),
tripp works on ethernet only and it has been tested on linux only.
For more info visit

I hope that someone can find it useful,

Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

[ reply ]
Re: an anternative to port-knoking using the OpenBSD pf only Feb 17 2006 08:52AM
gimeshell web de (1 replies)
Re: an anternative to port-knoking using the OpenBSD pf only Feb 20 2006 09:58PM
poplix (poplix papuasia org) (1 replies)
Re: an anternative to port-knoking using the OpenBSD pf only Feb 22 2006 10:00AM
Pete Herzog (lists isecom org) (1 replies)
Re: an anternative to port-knoking using the OpenBSD pf only Feb 27 2006 11:09PM
poplix (poplix papuasia org) (1 replies)
Re: an anternative to port-knoking using the OpenBSD pf only Jan 24 2006 09:56AM
Joachim Schipper (j schipper math uu nl) (1 replies)


Privacy Statement
Copyright 2010, SecurityFocus