Port Knocking

Pranava K.V
3 min read · Sep 5, 2020


Understanding what it is.

What is Port knocking?

Port knocking is a clever way to obscure the services and ports of a system. The technique rests on the observation that only open ports can be attacked, so it makes sure that no port is open initially. Now, one would ask, if no ports are open then how would communication take place? The answer lies in the ability to secretly knock on a fixed combination of ports.

For example, if I want to connect via SSH to a server, I could build a backdoor on the server that does not listen on port 22 until it detects connection attempts to the closed ports 1024, 3302 and 31337, in that sequence and within 5 seconds; it then listens on port 22 for an SSH connection within the next 10 seconds. This is one method of implementing port knocking.

Example of port knocking

Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. ports 1000, 2000, 3000) would require an attacker to test every three-port combination in the 1–65535 range and then scan each port between attempts to uncover any changes in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port sequence had been received in the correct order and without any other intervening packets from the source. The average case requires approximately 141 trillion (65535³ / 2) packets to determine a correct three-port sequence.

Port knocking is usually implemented by configuring a daemon to watch the firewall log file for connection attempts to certain ports, and then to modify the firewall configuration accordingly. It can also be performed at the kernel level or by a userspace process.
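The log-watching daemon described above, as an added example that is not from the article: it tracks the knock sequence from the SSH example (1024, 3302, 31337 within 5 seconds) per source address, resets on any intervening packet from that source, and records that port 22 is open to that source for 10 seconds. The firewall-log format, the `KnockDaemon` class and the IP addresses are constructed for this example; a real daemon would rewrite firewall rules where this one updates `open_until`.

```python
import re
# Policy from the article's example: knock 1024, 3302, 31337 in order within
# 5 seconds, after which port 22 is opened to that source for 10 seconds.
KNOCK_SEQUENCE = (1024, 3302, 31337)
SEQUENCE_WINDOW = 5.0
OPEN_DURATION = 10.0
# Constructed log format (an assumption, not any real firewall's syntax):
# one line per dropped packet, "<unix_ts> DROP SRC=<ip> DPT=<port>".
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?) DROP SRC=(\S+) DPT=(\d+)$")

class KnockDaemon:
    def __init__(self):
        self.progress = {}    # src -> (knocks matched so far, time of first knock)
        self.open_until = {}  # src -> time at which the protected port closes again

    def observe(self, ts, src, dpt):
        index, first_ts = self.progress.get(src, (0, 0.0))
        if index and ts - first_ts > SEQUENCE_WINDOW:
            index = 0                      # too slow: the whole sequence starts over
        if dpt != KNOCK_SEQUENCE[index]:
            index = 0                      # any intervening packet resets the state...
            if dpt != KNOCK_SEQUENCE[0]:   # ...unless it is itself a fresh first knock
                self.progress.pop(src, None)
                return
        if index == 0:
            first_ts = ts
        index += 1
        if index == len(KNOCK_SEQUENCE):   # full sequence, in order and within the window
            self.open_until[src] = ts + OPEN_DURATION  # a real daemon edits the firewall here
            self.progress.pop(src, None)
        else:
            self.progress[src] = (index, first_ts)

    def is_allowed(self, ts, src):
        # Would a packet from src to the protected port be accepted at time ts?
        return ts < self.open_until.get(src, 0.0)

    def feed(self, lines):
        for line in lines:
            m = LOG_RE.match(line.strip())
            if m:
                self.observe(float(m[1]), m[2], int(m[3]))

# Constructed sample log: one source knocks correctly within 1 s; the other sends an
# intervening packet to 8080 in the middle of the sequence, which resets it.
SAMPLE_LOG = [
    "100.0 DROP SRC=203.0.113.7 DPT=1024", "100.5 DROP SRC=203.0.113.7 DPT=3302",
    "101.0 DROP SRC=203.0.113.7 DPT=31337",
    "100.2 DROP SRC=198.51.100.9 DPT=1024", "100.9 DROP SRC=198.51.100.9 DPT=8080",
    "101.1 DROP SRC=198.51.100.9 DPT=3302", "101.3 DROP SRC=198.51.100.9 DPT=31337",
]
```

Because the sequence is static, the daemon admits whoever reproduces those three knocks, which is the replay weakness noted below.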

Is this an invincible technique?

  • Port knocking is a protection technique that can be used as an extra layer of security over the existing defense systems but not as a standalone security feature.
  • A static knock sequence is vulnerable to a trivial replay attack: anyone who can observe the knocks on the network can simply repeat them.

Network security professionals have largely ignored port knocking as a solution in the past since early implementations relied solely on providing the correct port combinations to achieve access.

Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability.

Properly implemented port knocking does not lower the security of a system. In fact, it is an effective measure both for raising the bar for adversaries without requiring new resources and for increasing the availability of public-facing systems.

Advantages and Disadvantages of Port Knocking

Pros:

  • A simple and clever technique to secure a computer system.
  • Can easily be ported to existing applications, as few changes are required.

Cons:

  • Cannot be used as a standalone security mechanism.
  • A small glitch in this security mechanism can cut the entire system off from all its clients, since the ports would never get opened.

Port knocking can also be used offensively:

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. [1]

cd00r used a secret knock over IP communication.

I would really appreciate your feedback and support on the content, please let me know it by sharing or commenting or clapping.


Pranava K.V

Background: Graduate from IIT | Hobbies: Exploring tech, blogging, enjoying science and art | Free time activities: Watching F1, Cricket and Anime