Security Basics
Re: Port-Knocking vulnerabilities? Dec 28 2007 07:07PM
Jay (jay tomas infosecguru com) (1 replies)
Re: Port-Knocking vulnerabilities? Dec 29 2007 01:28PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Port-Knocking vulnerabilities? Dec 31 2007 06:27PM
Robert Inder (robertinder googlemail com) (2 replies)
Re: Port-Knocking vulnerabilities? Dec 31 2007 08:50PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
On 2007-12-31 Robert Inder wrote:
> On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
>> On 2007-12-28 Jay wrote:
>>> Portknocking is a security mechanism as it is a type of
>>> authentication. "Something you know" in this case the sequence of
>>> ports to knock before a unstarted service or daemon begins listening
>>> for connections.
>>
>> Since everything is transmitted in the clear port-knocking is as much
>> of a security mechanism as cleartext passwords. Technically: maybe
>> (depending on your definition). Realistically: no.
>
> I think your dismissal of port knocking (and, indeed, plain text
> passwords) is unrealistic.
>
> If you can intercept my interaction with some remote server, you can
> steal the relevant secrets (the password or the sequence of ports).
>
> But isn't that quite a substantial "if"?

The substantial "if" is the question if intercepting the transmission
will allow an attacker to learn the secret without having to compromise
either the sender or the receiver of the communication. If an attacker
can do that, then the authentication mechanism is insecure and thus mere
obscurity. Period.

> How are you going to do it? Aren't you going to have to compromise
> some other machine, either where I am, or where the server is (or, I
> guess, where the relevant DNS records are), and then plant software to
> deliberately wait and watch until a relevant interaction takes place?

http://ettercap.sourceforge.net/

There are other attack vectors as well.

> I'm not saying that's impossible. But it would take considerable
> knowledge, planning and effort.
>
> Why doesn't that make it a substantial defence against most kinds of
> casual attack?

Because "substantial" is the opposite of "casual". A measure that won't
also stop a determined attacker is just obscurity, not security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]
RE: Port-Knocking vulnerabilities? Dec 31 2007 09:46PM
Craig Wright (Craig Wright bdo com au) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 01 2008 01:01PM
Bill Lavalette (blavalet homenet-security com)
Re: Port-Knocking vulnerabilities? Dec 31 2007 07:40PM
Goldstein101 (goldstein101 gmail com) (1 replies)
RE: Port-Knocking vulnerabilities? Dec 31 2007 09:32PM
Craig Wright (Craig Wright bdo com au) (1 replies)
Re: Port-Knocking vulnerabilities? Jan 06 2008 04:12AM
Michael Rash (mbr cipherdyne org) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 06 2008 04:49AM
Craig Wright (Craig Wright bdo com au) (1 replies)
Re: Port-Knocking vulnerabilities? Jan 06 2008 05:17AM
Michael Rash (mbr cipherdyne org) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 21 2008 11:22AM
whip netspace net au (1 replies)
Re: Port-Knocking vulnerabilities? Jan 22 2008 12:26AM
Michael Rash (mbr cipherdyne org)


 

Privacy Statement
Copyright 2010, SecurityFocus