Closed Port Authentication with Port Knocking

Phil Lunsford, Evan C. Wright

East Carolina University, Greenville, NC

Abstract

Port knocking is a promising new technology to further secure remote services. This technology can be used to keep all TCP ports closed until a user has authenticated with a port knock sequence. During the port knock sequence all ports remain closed, thus rendering the server invisible to any malicious port scans. After a valid knock sequence has been verified by the system, a predetermined TCP or UDP port is opened allowing for a standard connection for a predefined service. This allows an extra layer of authentication at the transport layer without requiring changes to the application. A review of the current implementations is given.

Introduction

The addressing scheme for the TCP/IPv4 protocol allows for a unique 32-bit IP address for each computer. In addition to an IP address for a computer, 16-bit port numbers are used to establish logical connections for transmission of data. For a given packet being transmitted from a source to a destination, there is a total of two IP addresses, source and destination, and also two ports, source and destination. Most applications transmit data based on a client/server architecture. One machine is the server and the other is the client. When the client requests data from a server, the destination port number used in the requesting packet determines the service. For example, for a web browser running on a client computer to access a web page, a datagram with the destination of port 80 is sent to the server. The association of well known services to port numbers is maintained by IANA1. Each of the well known ports can be thought of as a door, behind which a certain service resides. The two IP addresses and the two port numbers all together identify a socket, or an end-to-end logical communication link between two devices.

TCP sockets are established with a 3-way handshake as shown in figure 1. The client initiates the connection with a synchronize (SYN) packet. The server responds with a SYN-ACK packet that requests synchronization with the client, and also acknowledges (ACK) the initial SYN packet. The final part of the handshake is an ACK packet that the client sends to the server. This handshake provides a robust method to establish a socket but also allows anonymous information gathering. Programs such as NMAP2 send SYN packets and other packet types that normally initiate some sort of reply. These replies are analyzed to answer questions such as “Is the IP address valid with a device that is powered on?”, “What services are offered on the machine?”, and even “What operating system is running?”. This information can be gathered automatically and can be used to plan a malicious attack or may automatically be used by malware to launch attempts at compromising identified machines. Server ports can be kept closed, allowing responses denying a connection, or they can be configured to drop incoming packets, effectively not responding to any packet, often referred to as “stealth” mode. A server with all ports in stealth mode is invisible to malicious scans, but of course is not normally able to offer any services. Unfortunately, many operating system configuration defaults are set to have ports open. For instance in Microsoft Windows, the file sharing port is open by default. Network devices such as routers also often have ports open by default, aiding in the simplicity of creating a working configuration, but at the detriment of security.

Proceedings of the 2005 American Society for Engineering Education Annual Conference & Exposition. Copyright © 2005, American Society for Engineering Education

Figure 1 (diagram): SYN, initial request from Client to Server; SYN-ACK, response from Server to Client; ACK, response from Client to Server.

Figure 1. TCP Three-way Handshake

Port knocking is a technique suggested as early as February 20033 and has been well documented online by Krzywinski 4,5. This technique adds another layer of authentication and helps reduce the information available from malicious scans. A basic implementation of port knocking is shown in figure 2. All ports are initially in stealth mode. For a client to obtain a service, it first must send a predefined sequence of SYN or other predefined type packets to the server. The port numbers used and the order and time period that they are received determine if the knock sequence is valid. Sequences of packets that are received in the wrong order or contain the wrong port numbers will not be recognized as a valid knock sequence. Sequences that are not received within a predefined time interval will not be recognized. When a valid sequence is received, a predetermined port is opened and the client can then initiate a socket for that service. Since the knock sequence contains the source IP address (the IP address of the client), the server has the information available to open the port exclusively for only the knocking client. This technique allows for the server to normally remain in stealth mode, but still allow for trusted connections, effectively adding a layer of authentication to the system.


Figure 2 (diagram): First Knock: SYN request from Client to Server; no response from server. Second Knock: SYN request from Client to Server, different port; no response from server. Last Knock: SYN request from Client to Server, different port; no response from server, but configuration on server changed to open predefined port to client. Then SYN request from Client to Server to the opened port, SYN-ACK response from Server to Client, ACK response from Client to Server.

Figure 2. Port Knock sequence followed by socket establishment with TCP Three-way Handshake


No.  Time      Source        Destination   Protocol  Info
1    0.000000  192.168.1.14  192.168.1.3   TCP       32904 > 10000 [SYN]
2    0.000088  192.168.1.14  192.168.1.3   TCP       32905 > 11000 [SYN]
3    0.000213  192.168.1.14  192.168.1.3   TCP       32906 > 12000 [SYN]
4    0.000272  192.168.1.14  192.168.1.3   TCP       32907 > 11000 [SYN]
5    0.000372  192.168.1.14  192.168.1.3   TCP       32908 > 10000 [SYN]

Figure 3. Output from Ethereal Showing Port Knock Sequence.

The major flaw in basic port knocking is its susceptibility to a replay attack. This attack consists of monitoring the server traffic, then resending that data from a malicious client at a later time. Since port knocks consist of a unicast port-opening attempt from one host to another, all of the information is readily available if the network traffic can be monitored. Figure 3 shows the output from the Ethereal6 network protocol analyzer program from a capture during a port knock sequence. This clearly shows the port knock sequence to be 10000, 11000, 12000, 11000, 10000 and illustrates the vulnerability when the traffic to the server can be monitored. This is the major, obvious flaw in simple port knocking: it is vulnerable to replay attacks if the malicious user is on the same LAN as the server, or if the malicious user has administrator access to a computer or other network device that is connected to the LAN.
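As an added example (not code from the paper or from any knock daemon), the following Python models the basic scheme described above: knocks are tracked per source address, must arrive in the configured order within a time window, and only then is a port opened for that one client. The sequence, addresses and timestamps are taken from the Figure 3 capture and parsed from Ethereal-style summary lines; the opened service port (22) and the 5 s window are assumptions.

```python
import re
from dataclasses import dataclass

KNOCK_SEQUENCE = (10000, 11000, 12000, 11000, 10000)  # the sequence captured in Figure 3
SERVICE_PORT = 22    # assumption: the service port opened after a valid knock
SEQ_TIMEOUT = 5.0    # assumption: the whole sequence must arrive within 5 s

# Matches a Figure 3 line such as "1 0.000000 192.168.1.14 192.168.1.3 TCP 32904 > 10000 [SYN]"
LINE_RE = re.compile(r"^\d+\s+([\d.]+)\s+([\d.]+)\s+[\d.]+\s+TCP\s+\d+ > (\d+) \[SYN\]")

def parse_ethereal_line(line):
    """Return (time, source IP, destination port) from one Figure 3 style line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a TCP SYN summary line: %r" % line)
    return float(m.group(1)), m.group(2), int(m.group(3))

@dataclass
class KnockState:
    index: int = 0        # knocks of the sequence matched so far
    started: float = 0.0  # arrival time of the first matched knock

class KnockDaemon:
    """Per-source knock tracking; reports a port to open only after a complete, in-order, in-time sequence."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence, self.timeout = sequence, timeout
        self.states = {}   # source IP -> KnockState (partial knock in progress)
        self.opened = []   # (source IP, port) pairs a firewall rule would be added for

    def knock(self, src_ip, dst_port, ts):
        """Feed one inbound SYN; return the port opened for src_ip, else None."""
        st = self.states.get(src_ip, KnockState())
        if st.index and ts - st.started > self.timeout:
            st = KnockState()                  # too slow: forget the partial knock
        if dst_port != self.sequence[st.index]:
            st = KnockState()                  # wrong port or out of order: restart
            if dst_port != self.sequence[0]:
                self.states.pop(src_ip, None)  # not even a valid first knock
                return None
        if st.index == 0:
            st.started = ts
        st.index += 1
        if st.index < len(self.sequence):
            self.states[src_ip] = st
            return None
        self.states.pop(src_ip, None)          # sequence complete for this client
        self.opened.append((src_ip, SERVICE_PORT))
        return SERVICE_PORT

def feed_capture(daemon, lines):
    """Feed captured summary lines to the daemon; return the port opened, if any."""
    opened = None
    for line in lines:
        ts, src, port = parse_ethereal_line(line)
        opened = daemon.knock(src, port, ts) or opened
    return opened

FIGURE3_CAPTURE = [  # the five rows of Figure 3, transcribed as Ethereal summary lines
    "1 0.000000 192.168.1.14 192.168.1.3 TCP 32904 > 10000 [SYN]",
    "2 0.000088 192.168.1.14 192.168.1.3 TCP 32905 > 11000 [SYN]",
    "3 0.000213 192.168.1.14 192.168.1.3 TCP 32906 > 12000 [SYN]",
    "4 0.000272 192.168.1.14 192.168.1.3 TCP 32907 > 11000 [SYN]",
    "5 0.000372 192.168.1.14 192.168.1.3 TCP 32908 > 10000 [SYN]",
]
```

Because the daemon keys only on the port order, the same captured sequence sent from any other address opens the port for that address too, which is exactly the replay weakness the paragraph describes; the defences in the following sections change the token rather than the order.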

Implementations

Various implementations are available but most are for Linux/UNIX systems only. Programming languages used include C, C++, Perl, Java, BASH, and Python. Implementations and variations are being released very quickly. For a current summary of port knocking implementations, see Martin Krzywinski’s web site www.portknocking.org.

Released by Vinet7, the knockd daemon implementation for Linux/Unix systems provides a simple, easily configurable port knocking scheme. This implementation, as most, relies on the iptables kernel function for packet filtering; thus a software firewall is already implemented on the system. A log of the connection attempts is monitored by the knockd daemon and the firewall rules are automatically changed when a valid knock sequence is detected. The knock sequence is defined in a file named knockd.conf located in the directory of compilation or in the /etc directory. This implementation currently suffers from the vulnerability to replay attacks. For basic implementations like knockd, we recommend a fairly long knock sequence of 20 or more knocks. Furthermore, the sequence should contain repeated ports multiple times. This will strengthen the resistance to a port scanning program accidentally opening a port with a valid knock sequence.

Strictly speaking, port knocking in its simplest form cannot be encrypted. The ports are contained within the TCP header, which remains in clear-text form. Variations to port knocking have been developed that move the authentication token from a sequence of knocks to a UDP packet payload. Some authors do not consider this true port knocking since there is no knock sequence, but the idea of keeping ports closed and selectively opening them only under certain conditions triggered by incoming packets is common to both methods. Both methods can be referred to as “IP over closed ports”. One such early implementation, cryptknock8, uses an SSL-type data exchange to prevent replay attacks, the main vulnerability of basic port knocking.

Cryptknock uses symmetric encryption with the RC4 algorithm to encrypt a password. With symmetric encryption the only caveat is that the key must remain secret and be known to both the client and server. Diffie-Hellman key exchange is used to establish a session key that is then used to encrypt the secret password. Key to the implementation of cryptknock is the utilization of the LIBPCAP library to listen to all incoming packets regardless of header information such as destination port number. With this use of the LIBPCAP library, a packet can be inspected before the firewall rules are applied. UDP was chosen in lieu of TCP due to the connectionless and low-overhead nature of UDP. Thus a three-way handshake is unnecessary in this implementation. Since cryptknock does not use a certificate authority to provide authentication information, the weaknesses9,10 of Diffie-Hellman key exchange without a certificate authority apply to this technique.

CÖK: Cryptographic One Time Knocks, released by David Worth11 in Java, implements an additional layer of complexity by dynamically changing the authentication token, using one-time passwords to encrypt information in a UDP packet. Thus the payload or data from the UDP packet triggers a port to be opened, but the payload changes for each knock sequence using the well-known methods of S/Key (RFC 1670) or OTP (RFC 2289). Worth points out that replay attacks can be easily detected and action can be taken against the attacker if warranted.
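To show why a one-time knock defeats the replay of Figure 3, here is an added example (not CÖK's code) of an S/Key-style hash-chain token: the server stores only the last accepted chain value, each knock reveals its preimage, and a payload that has already been accepted is classified as a replay rather than silently rejected. Simplifications assumed here: plain SHA-256 in place of the 64-bit folded hashes of RFC 2289, and the raw chain value as the UDP payload.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    """One step of the hash chain (assumption: SHA-256; RFC 2289 folds to 64 bits)."""
    return hashlib.sha256(value).digest()

def make_chain(secret: bytes, seed: bytes, n: int) -> list:
    """Client side: chain[i] = h^(i+1)(secret||seed) for i in 0..n-1.
    chain[-1] = h^n(...) is registered with the server once, at enrollment."""
    chain, x = [], h(secret + seed)
    for _ in range(n):
        chain.append(x)
        x = h(x)
    return chain

class OneTimeKnockServer:
    """Holds only the most recently accepted chain value, never the secret."""
    def __init__(self, enrollment_value: bytes):
        self.current = enrollment_value
        self.used = set()            # accepted payloads, kept for replay detection

    def knock(self, payload: bytes) -> str:
        """Classify one UDP knock payload: 'open', 'replay' or 'reject'."""
        if payload in self.used:
            return "replay"          # a captured knock being resent: log and alert
        if not hmac.compare_digest(h(payload), self.current):
            return "reject"          # not the preimage of the last accepted value
        self.used.add(payload)
        self.current = payload       # the chain moves one step back toward the seed
        return "open"

class OneTimeKnockClient:
    """Walks the chain backwards; each knock payload is used exactly once."""
    def __init__(self, chain: list):
        self.chain = chain
        self.next_index = len(chain) - 2   # h^(n-1), the preimage of the enrollment value

    def next_payload(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted: re-enroll with a new seed")
        payload = self.chain[self.next_index]
        self.next_index -= 1
        return payload

def run_session(server: OneTimeKnockServer, client: OneTimeKnockClient, knocks: int) -> list:
    """Perform the given number of legitimate knocks and return the server's verdicts."""
    return [server.knock(client.next_payload()) for _ in range(knocks)]
```

A chain of length n yields n-1 usable knocks; the 'replay' verdict is the detection hook Worth refers to.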

Fwknop, released by Michael Rash12, adds the use of OS detection or system fingerprinting13 so only a certain client operating system and version is allowed. Active OS detection is commonly used with network exploration tools such as NMAP and XPROBE2 to determine what operating system a computer is running. Fwknop uses passive OS fingerprinting, which implies fingerprinting without necessarily sending extra probing packets. One part of an operating system that is commonly unique is the random number generator. The random number generator is normally used to create initial sequence numbers when first establishing a network connection. These random number generators of the operating systems also create other values and have noticeable patterns13. These patterns can be used to identify the operating system that is running on the client. Combining system fingerprinting with standard port knocking functions requires an authenticating client to not only match a specific knock sequence but also a particular OS fingerprint.

In May of 2004 Cappella and Keong14 released a scheme to strengthen the resistance to replay attacks and man-in-the-middle attacks. In this scheme, the server maintains a list of username/password tuples. For a port to be opened, the following takes place in order:

1. The client creates a random port-knock sequence and encrypts it with the user’s password. This sequence includes not only predefined port numbers in a sequence, but also predefined 32-bit initial sequence numbers (ISN). This information along with the username is sent in a UDP packet, P1, to the server. The username is in plain text, but the rest of the information is encrypted.
2. The server decrypts P1 and waits for the client to send the port knock sequence.
3. The client sends the port knock sequence.
4. The client sends another encrypted UDP packet, P2, which requests the status of the port knock.
5. After receiving the port knock sequence and P2, the server opens a random port (for the client IP only) and uses port forwarding to provide the requested service. The server also sends an encrypted UDP packet, P3, that gives that client the port number.
6. The client receives and decrypts P3 and initiates the appropriate socket.

Note that port forwarding is different from port triggering. Port triggering is currently available on low-end NAT firewalls. In port triggering, a connection initiated from a client inside to an outside server will automatically cause connections from that outside server to be forwarded to the initiating inside client. Port forwarding, on the other hand, is just the automatic translation of a port number to a different number as the packet passes through a given connection through a firewall or interface.

In order to resist replay attacks, a time stamp value is included in P1, P2, and P3. For any of these packets to be considered valid, the time stamp must be later than the last received packet from that client. Cappella and Keong’s first scheme has the disadvantage of being computationally resource intensive on the reception of the first packet. To try to protect against resource starvation attacks, incoming packets are vetted before being processed.

In June of 2004, Cappella and Keong released another port knocking scheme15 to strengthen the attack resistance. The May implementation had the limitation of sending the user name in clear text, of being somewhat susceptible to computation resource starvation attacks, of relying on the client random number generator, and of the weakness of the timestamp technique for preventing replay attacks. The new implementation requires that the client maintain a current one-time port/ISN knock sequence in addition to username/password tuple. The currently valid knock sequence can be encrypted on the client’s disk using the username/password hash. In this scheme, the following sequence takes place:

1. The client sends the current port/ISN knock sequence to the server.
2. Upon receipt of a valid knock sequence, the server opens a random port to the knocking client and forwards it appropriately. The server also sends a single encrypted UDP packet to the client that contains the port number to open and also a new port/ISN knock sequence to store and use for the next connection attempt.

Advantages

The main advantage of port knocking is the ability to hide a server from scanning. Port scanning is a powerful tool when used for malicious information gathering. The second advantage of port knocking is that it adds another form of authentication, thus adding another layer of security to the network. Advanced port knocking techniques use encryption to provide for strong authentication if the client and server keep the username, password, and other parameters secure. The primary use of port knocking is at a firewall, but sensitive servers within an enterprise can also be considered candidates to thwart malicious scanning and malicious connection attempts from a compromised machine behind the firewall.

Disadvantages

Port knocking adds yet another layer of complexity to the process of connecting to a server which can hinder troubleshooting of network problems. Additionally, clients need some way to implement the knock sequence. This can be as simple as using a standard telnet program, or it can be a separate dedicated program that must be maintained on the client. As with any authentication scheme, information (e.g. passwords, sequence numbers) must be kept secret for the system to be secure.

Since the server implementation allows for automatically changing firewall rules, care must be taken to use reliable, well tested, code. If a knock daemon fails, or doesn’t work correctly, the system could be unreachable or more easily compromised. Simple implementations of port knocking do not discriminate the client well if it is behind a NAT firewall. Implementations that use encryption can be more susceptible to compute resource starvation attacks.

Lastly, knock integrity can be compromised in a congested network environment. If the knock sequence leaves the client in proper order, but an intermediate packet is delayed resulting in an out-of-sequence arrival, then the server will read the knock as invalid. Sequences with a large number of knocks can take up to a minute to execute16. Finally, as pointed out by Tony Bradley18, malware authors can use this technique to hide back doors inserted into compromised machines.

Conclusions

Port knocking and its variations seem to be a promising technology to add a layer of security to any networked system. The main advantage is the ability to provide services but reduce malicious information gathering capabilities. It also provides an added layer of authentication to a system without the need to modify the existing applications. Although in its infancy, the technology may quickly develop and be integrated into operating systems and network devices if standards can be developed and adopted by the security community.

BIBLIOGRAPHIC INFORMATION

1. http://www.iana.org/assignments/port-numbers
2. http://www.insecure.org/nmap/
3. “Port Knocking for Added Security”, February 5 2003, Slashdot.org, downloaded from http://slashdot.org/articles/04/02/05/1834228.shtml?tid=126&tid=172
4. Krzywinski, M., “Port Knocking: Network Authentication Across Closed Ports,” SysAdmin Magazine, vol. 12, June 2003, pp. 12-17.
5. http://www.portknocking.org/
6. http://www.ethereal.com/
7. Vinet, J., “Knockd: A Simple Port-Knocking Daemon”, May 07 2004, http://www.zeroflux.org/knock/
8. Walko, J., “Cryptknock”, Sourceforge, June 2004, downloaded from http://cryptknock.sourceforge.net/
9. Raymond, R. and Stiglic, A., “Security Issues in the Diffie-Hellman Key Agreement Protocol”, IEEE Trans. on Information Theory, pages 1-17, 1998.
10. Bresson, E., Chevassut, O., Pointcheval, D., “The Group Diffie-Hellman Problems”, Workshop on Selected Areas in Cryptography 2002 (15-16 August 2002, St. John’s, Newfoundland, Canada), H. Heys and K. Nyberg, Eds., Springer-Verlag, LNCS 2595, pages 325-338.
11. Worth, D., “CÖK – Cryptographic One-Time Knocking”, Black Hat USA 2004.
12. Rash, M., “fwknop: the Firewall Knock Operator”, released at DEF CON 12, July 2004, Las Vegas, NV.
13. Nazario, J., “Passive System Fingerprinting using Network Client Applications”, CrimeLabs Research, January 2001, downloaded from http://www.crimelabs.net/docs/passive.pdf
14. Cappella and T.C. Keong, “Remote Server Management Using Dynamic Port Knocking and Forwarding”, Special Interest Group in Security and Information Integrity, May 2004, downloaded from http://www.security.org.sg/code/portknock1.html
15. Cappella and T.C. Keong, “Remote Server Management With One-Time Port Knocking (OTPK)”, Special Interest Group in Security and Information Integrity, June 2004, downloaded from http://www.security.org.sg/code/portknock2.html
16. Narayanan, A., “A critique of port knocking”, NewsForge, August 2004, downloaded from http://software.newsforge.com/article.pl?sid=04/08/02/1954253
17. Graham-Cumming, J., “Practical secure port knocking,” Dr. Dobb's Journal, vol. 29, issue 11, November 2004, pp. 51-53.
18. Bradley, T., “Port Knocking”, About.com, downloaded from http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm

BIOGRAPHICAL INFORMATION

Phil Lunsford received a B.S. in Electrical Engineering and a M.S. in Electrical Engineering from Georgia Institute of Technology and a Ph.D. in Electrical Engineering from North Carolina State University. He is a registered professional engineer and is currently an Assistant Professor at East Carolina University. His research interests include system simulation and .

Evan C. Wright, CCNP, CCNA, Security+, Network+, A+, has over 9 years of experience dealing with IP-based computer networks. Evan is currently the network administrator at ABCPhones of North Carolina, and a Senior at East Carolina University. Evan's areas of interest include large-scale routing environments, migration to open source alternatives, and Information Security.
