Security Basics
Re: Port-Knocking vulnerabilities? Dec 28 2007 07:07PM
Jay (jay tomas infosecguru com) (1 replies)
Re: Port-Knocking vulnerabilities? Dec 29 2007 01:28PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Port-Knocking vulnerabilities? Dec 31 2007 06:27PM
Robert Inder (robertinder googlemail com) (2 replies)
Re: Port-Knocking vulnerabilities? Dec 31 2007 08:50PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
RE: Port-Knocking vulnerabilities? Dec 31 2007 09:46PM
Craig Wright (Craig Wright bdo com au) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 01 2008 01:01PM
Bill Lavalette (blavalet homenet-security com)

I think Brent was right in saying get a real Firewall/VPN installed. I
believe the original thread on this was that there was a weird ssh mech that
the user found and was wondering why. We have swayed way past the advice
point on this thread IMHO. It appears that the company in question is using
a practice that was acceptable in the mid 90's If this is a risk that the
business owners are willing to accept then there is nothing this list is
going to gain or achieve by getting emotional about it. The best advice we
can give this person is to advise the business owners that they are in dire
need of a security overhaul and move forward. Heck I remember when port
sentry was the hot ticket. I must say thought I think Craig in another
thread mentioned gains and losses, From a business perspective He is right
and some of you may interpret his words differently, Acceptable Risk is
another way we understand this.

Have a Happy and Prosperous 2008 all

Bill

====== HomeNet Security ===========
Bill Lavalette
Network Security Officer
CCSA-CCSE
Crisis Mitigator
ID Theft Prevention Mentor
WWW http://www.homenet-security.com
====================================
Defending The Home LAN

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Craig Wright
Sent: Monday, December 31, 2007 4:46 PM
To: Ansgar -59cobalt- Wiechers; security-basics (at) securityfocus (dot) com [email concealed]
Cc: lbhlists (at) gmail (dot) com [email concealed]; dave (at) davekleiman (dot) com [email concealed]
Subject: RE: Port-Knocking vulnerabilities?

Lets look at the issues.

You rely on obscurity in a manner that changes flags in IP and makes the
packets stand out. Most IDS's will alert to this, many routers will. A
TCPdump filter for unusual flags and IP ID's is common in many ISP's. So we
have a security mechanism that is advertising itself but relies on secrecy.
Paradox and inconsistency No. 1.

The IP ID field is 16 bits. With a 4 packet knock we have a functional
equivalent of a 3 character all symbol or 4 character alpha numeric
password. I do not believe that this was ever considered secure.

IP ID fingerprinting will make the flag stand out. Without the SPA
encryption mechanisms it is a simple capture (or sniffing). Using SPA (not
Port knocking) you can sniff packets and capture for analysis. The
"encryption" can be silently cracked in seconds (it is functionally
equivalent to 13 bit DES) in microseconds given any modern PC.

Please explain how this is more than a script kiddie toy and a security
boon?

As Brent stated, why not deploy a REAL crypto solution. It is 1. Easier. 2.
Supported and 3 More secure (i.e. 128 or 256 bit keys take a LONG time to
break).

Regards,
Dr Craig Wright (GSE-Compliance)
PS Happy New Year

Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright (at) bdo.com (dot) au [email concealed]
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax
+61 2 9993 9497 www.bdo.com.au

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential. If you
are not the named addressee you must not read, print, copy, distribute, or
use in any way this transmission or any information it contains. If you
have received this message in error, please notify the sender by return
email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and
not necessarily endorsed by BDO Kendalls. You may not rely on this message
as advice unless subsequently confirmed by fax or letter signed by a Partner
or Director of BDO Kendalls. It is your responsibility to scan this
communication and any files attached for computer viruses and other defects.
BDO Kendalls does not accept liability for any loss or damage however caused
which may result from this communication or any files attached. A full
version of the BDO Kendalls disclaimer, and our Privacy statement, can be
found on the BDO Kendalls website at http://www.bdo.com.au or by emailing
administrator (at) bdo.com (dot) au. [email concealed]

BDO Kendalls is a national association of separate partnerships and
entities.

________________________________________

From: listbounce (at) securityfocus (dot) com [email concealed] [listbounce (at) securityfocus (dot) com [email concealed]] On Behalf
Of Ansgar -59cobalt- Wiechers [bugtraq (at) planetcobalt (dot) net [email concealed]]
Sent: Tuesday, 1 January 2008 7:50 AM
To: security-basics (at) securityfocus (dot) com [email concealed]
Subject: Re: Port-Knocking vulnerabilities?

On 2007-12-31 Robert Inder wrote:
> On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]>
wrote:
>> On 2007-12-28 Jay wrote:
>>> Portknocking is a security mechanism as it is a type of
>>> authentication. "Something you know" in this case the sequence of
>>> ports to knock before a unstarted service or daemon begins listening
>>> for connections.
>>
>> Since everything is transmitted in the clear port-knocking is as much
>> of a security mechanism as cleartext passwords. Technically: maybe
>> (depending on your definition). Realistically: no.
>
> I think your dismissal of port knocking (and, indeed, plain text
> passwords) is unrealistic.
>
> If you can intercept my interaction with some remote server, you can
> steal the relevant secrets (the password or the sequence of ports).
>
> But isn't that quite a substantial "if"?

The substantial "if" is the question if intercepting the transmission will
allow an attacker to learn the secret without having to compromise either
the sender or the receiver of the communication. If an attacker can do that,
then the authentication mechanism is insecure and thus mere obscurity.
Period.

> How are you going to do it? Aren't you going to have to compromise
> some other machine, either where I am, or where the server is (or, I
> guess, where the relevant DNS records are), and then plant software to
> deliberately wait and watch until a relevant interaction takes place?

http://ettercap.sourceforge.net/

There are other attack vectors as well.

> I'm not saying that's impossible. But it would take considerable
> knowledge, planning and effort.
>
> Why doesn't that make it a substantial defence against most kinds of
> casual attack?

Because "substantial" is the opposite of "casual". A measure that won't also
stop a determined attacker is just obscurity, not security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming
available."
--Jason Coombs on Bugtraq
BEGIN:VCARD
VERSION:2.1
N:Lavalette;Bill
FN:Bill Lavalette
ORG:HomeNet Security;Security Operations
TITLE:Network Security Officer
TEL;WORK;VOICE:315-651-0103
ADR;WORK:;;28 mill st;waterloo;New York;13165;USA
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:28 mill st=0D=0Awaterloo, New York 13165=0D=0AUSA
URL;WORK:http://www.homenet-security.com
EMAIL;PREF;INTERNET:blavalet (at) homenet-security (dot) com [email concealed]
REV:20071210T181249Z
END:VCARD
0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?n0?20? 0
 *?H?÷
0{1 0 UGB10U Greater Manchester10U Salford10U
Comodo CA Limited1!0U AAA Certificate Services0
040101000000Z
281231235959Z0{1 0 UGB10U Greater Manchester10U Salford10U
Comodo CA Limited1!0U AAA Certificate Services0?"0
 *?H?÷
?0?
?¾@ônáêv?MED?¾FÈ?Á*þ?äúó«]P?1 ?ÐÅp"ÍI-Tc̶nhF SêËL$À¼rNêñ®ô
T?
Ãz²3`âÚ?Uó"XóÞÜÏï??¢??O?hò?F?'Çv¿ãÌ5,?^de?ÀH°¨?ùa?v P¨?ÇfµëxbVð?ê1£ ?ý8öö'2Xoõk¸û+¯·ªÌÖc_s?Ú?¨8¨Ëx6Q¬é?ôx:ÏÙBâ? «/?Þï??Iñ-߬tM?µGÅå)ÑùÇb?¾?Ç&{>?%ÇÀݝæ5h ØÞÒÃ??
^è/É£À0½0U 
#>?ñìâ¯)ï?¥Ð0¤´0Uÿ0Uÿ0ÿ0{Ut0r08 6 4?2htt
p://crl.comodoca.com/AAACertificateServices.crl06 4 2?0http://crl.comodo
.net/AAACertificateServices.crl0
 *?H?÷
?Vüð?èÿ¤úÖ{ÆD?ÎOÄÅöX̦¶¼Ihvèæî]ì`֍PO&Nã氥tTA¿ýü¸ÇOZ
ô?``·Jóöñ¿Ĺt?¶-}kÌÒóFÝ/ÆàjÃÃ4,}?ÝZ§
?Á?« /ó\:Ïl7U ?ÞS@lXïü¶«enöÜ<àZÆ?ÙñYH0!elìé!sì?¡à7­ úºΧ,©,Ôå&«"?`ø^tÔ¢?S
½ò©hà¢nÂ×l±£?¿ëhçVò®òã+8: µk?×¾-í?·²câõb,?ÔjAPñ9???é6??n0?Ý0?Å q?ûæ_¬M?tq4¢§0
 *?H?÷
0{1 0 UGB10U Greater Manchester10U Salford10U
Comodo CA Limited1!0U AAA Certificate Services0
040101000000Z
281231235959Z0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email0?"0
 *?H?÷
?0?
?²9?¤ò}«A;bF7®ÍÁ`u¼9eùJG¢¹ÌHÌj?ÕM5¹¤BåÎIâ?/|Ò1ÇN´?d.)Õ¢dÄ?½?Q5y¤
Nh{z¤?¨ò?ò?Ìɤ2?» O0½?  ?ån¢Fúx¼¢o«Y^¥/ÏÊÚmª/묡³jª·.g5?yái?âæFÍ ¥ê¾ Îv:z?êüÚ'[=s"æHaÆ
Lói±¨.¶Ô1 ,¼???¤¥×?CüZ¯q×YÚº?
¯úóáÂð¤Åg?ÖÖT:Þ
¤ºw³eÈýÓtbªÊh?¡?~õGeËøMW(tÒ4ÿ0¶îöb0?,ë£?'0?#0U#0? 
#>?ñìâ¯)ï?¥Ð0¤´0U??g}ĝ&pK´PH|Þ=®n}0Uÿ0U
ÿ0ÿ0U%0++0U 
00U 0{Ut0r08 6 4?2http://crl.comodoca.com/AAACertificateServices.crl06 
4 2?0http://crl.comodo.net/AAACertificateServices.crl0 `?H?øB0
 *?H?÷
??Ë<¸~¥ Ä¿ ÂÇv?9<?ƪO Éà«?]?Tàe;óm|7,%T_?!ü7??ÜOÏTklE`Ç-ù?QLùfÊ< ??¦ÈðâéÔJùì?VÉÝv?Ã?Oló
atG©Æ@W?¼e"Å'gOWÛdZٍº?/ô®?iíéôÏ)ØàJ? /?LQ»FÄ?7N ã 1hÇ?Ä?è~¼2h??DØ*Q`M?ët:ßC2È9V?:RÓA¤Côíï3'Û9àN&ÉØõ9â?¸?]·)&Aê³?®?
üwuÊèʵþâeJc>DÄÐÃ^?s©?¯0?S0?; ¿»»?bW Ö`n§J?g 0
 *?H?÷
0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email0
071219000000Z
081218235959Z0ç1503U ,Comodo Trust Network - PERSONA NOT VALIDATED1F0DU =Terms and Conditions of use: http://www.comodo.net/repository10U (c)2003 Comodo Limited10UBill Lavalette1,0* *?H?÷
 blavalet (at) homenet-security (dot) com0 [email concealed]?"0
 *?H?÷
?0?
?±6v¶óÜÍ? ëøü¾?b£??#íN¶À¶?÷µ1ÉÞ¾d?@X¼?CA?úѸc??eB¥??Í¡å,ó®ª0rö?í'ªÙÁSrßB£~
ηû¹*` )ýµ¡?=??b+Õ¸ÎäÞÇ÷áÍÜÄÝà9?É}?Æ1îê^¨¦m?Æ9"w?Å=®êB¢Iü ô§p0wlcµå:?®è0
$@°yb§¯îsnf??0ñ?ÊAm°<ð6Ýñʲ?q´ØrØb¼¥?m{Ì?¤?zé«9?-?SãACâá8¸
ï¯$7J$~?iM£|iį*´ó?£?/0?+0U#0???g}ĝ&pK´PH|Þ=®n}0U
:Ð_êaâ²??JÆ|?¶0Uÿ 0 Uÿ00 U%0+ +²10 `?H?øB 0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0¥U0?0
L J H?Fhttp://crl.comodoca.com/UTN-USERFirst-ClientAuthenticationandEmai
l.crl0J H F?Dhttp://crl.comodo.net/UTN-USERFirst-ClientAuthenticationand
Email.crl0|+p0n06+0?*http://crt.comodoca.com/UTNAAACli
entCA.crt04+0?(http://crt.comodo.net/UTNAAAClientCA.crt0(U!
0blavalet (at) homenet-security (dot) com0 [email concealed]
 *?H?÷
?pÿ6ÓéÈ?ø?q)#Þ?nÒþzá
Ç#? ?ÿº?Õ?_?3¢}cÚ(7?¹ù?À»?Ã+¯`"wtB}V1Rî?Zi<L'*Ù 5$þå ÉöÊþËé?a Sp?
???Û??Ìc­,Óþu£Sê?ä?¥Ó.îG6cU?"ÄEUØÙp:U°-5_ð»õôÝÄFo#ª nñ?«XÓ,?éÅ?¶»oÿ>
z?Â4¶»Òf¹íUس¦ń?)AìëÌâÂ$q÷"b?Æ\?¾??üpqï²<Yno¼/áåÀI^êOüTí?ì|W>LQ
¥ñqg4AÆ@y1?h0?d0Ä0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email¿»»?bW Ö`n§J?g 0 + ?x0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
080101130122Z0# *?H?÷
 1½xWÙ\ÑJ>8? Ր ?«o?°û0g *?H?÷
 1Z0X0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0+0
*?H?÷
0Õ +?71Ç0Ä0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email¿»»?bW Ö`n§J?g 0× *?H?÷
  1Ç Ä0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email¿»»?bW Ö`n§J?g 0
 *?H?÷
??û_2ÈjF
?û?AHs/xbݹ7°µÛō¹?ÜfÑwào,úBô·Þ9?? |pfÌvY9ø:?ò?¡\á0ïxÔ'9?}:ÕÄ0¯ü5- ?ôï?"®*1ÐTðn?? G«Û<tÏGÝ,??Oܲva;Q`@õq½ëÅV¸Ù½ïÃP#?õ?ad?%ÎÜ??
Ñý(íu?X.?ùÙ?+Ôö4Dì¼}ã²»®Vâ¿ñ´8Ú>s'`Z¬$^Ú±ÎÁJSü¶!&Mó9:×3'*¿ý'LǪ
m<Øvl÷?@P?ôY¡Éz÷ñÊ%: ?òÝ

[ reply ]
Re: Port-Knocking vulnerabilities? Dec 31 2007 07:40PM
Goldstein101 (goldstein101 gmail com) (1 replies)
RE: Port-Knocking vulnerabilities? Dec 31 2007 09:32PM
Craig Wright (Craig Wright bdo com au) (1 replies)
Re: Port-Knocking vulnerabilities? Jan 06 2008 04:12AM
Michael Rash (mbr cipherdyne org) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 06 2008 04:49AM
Craig Wright (Craig Wright bdo com au) (1 replies)
Re: Port-Knocking vulnerabilities? Jan 06 2008 05:17AM
Michael Rash (mbr cipherdyne org) (1 replies)
RE: Port-Knocking vulnerabilities? Jan 21 2008 11:22AM
whip netspace net au (1 replies)
Re: Port-Knocking vulnerabilities? Jan 22 2008 12:26AM
Michael Rash (mbr cipherdyne org)


 

Privacy Statement
Copyright 2010, SecurityFocus