Thread: Looking for a Port Knocker alternative

  1. #1
    Senior Member
    Join Date
    Apr 2003
    Posts
    147

    Looking for a Port Knocker alternative

    Port knocking (PortKnocking.com) is a good idea and all, I just believe it's overly complicated. The basic point is to only give away that you're even running a service after authentication has taken place. Just replace the commonly accepted request, a SYN packet, with full authentication details, before the service availability has even been confirmed. Has anyone here come across something like this outside of rootkits?

    I'd rather not have to extract it or write my own; raw sockets and/or libpcap are such a bother. Besides, all I want to do with it is play with it like I do everything else. It's just another layer in the attempt to pull no punches against a would-be attacker.

    More depth is always good.

    I'll be honest with you all, a good while back I read Syngress's great book Stealing the Network: How to Own the Continent. Sendai's 'Shrax' rootkit from chapter 6, by Fyodor of Nmap fame, is most inspiring. That part of the story is available for free direct from Fyodor at insecure.org if you haven't seen it. Chapter 13 is also available from Syngress (Sample - Chapter 13). In case you like more random hacker stories, check the other book out too. The stealth communication and control is my focus.

    The HoneyNet Project does have some of the more interesting tidbits of this approach included in their Sebek tool. It's basically a heavily modified version of a common rootkit. It includes all sorts of crazy stuff on top of taking control of the most basic functions of the networking stack, hooking the read call. It doesn't so much perform the function being discussed, though.

    Thanks in advance for any suggestions you can make,

    Jon.

  2. #2
    Junior Member
    Join Date
    Aug 2005
    Posts
    7
    Heya jon,

    just in case you didn't find anything yet, here are 2 sources for a port knocking daemon: fk

    http://www.cipherdyne.org/fwknop/ -> pretty good analysis of packets: port knocking + OS fingerprinting.

    http://directory.fsf.org/security/auth/pasmal.html -> port knocking + encryption and various features

    the main problem with those software packages is that on a very active server, checking up raw sockets and sniffing around eth slows things down.... so before the port knocking server there are mostly load checkers (to see if the box is not DoSing itself, mainly...), or other kinds of authentication. It can be a plus to enhance your security (by hiding your daemons). The main thing against this is replay attacks (sniffing the port knocking sequence, replaying it...), but with encryption or OS fingerprinting it makes things very hard to replay. And again, the second and real problem is that on a production, heavily hit/loaded server, the port knocking daemons kind of slow things down...

    deepmega
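The replay problem deepmega raises, shown with an added example that is not from this thread nor from fwknop or pasmal: a single-packet authorisation check where each knock carries the requested port, a timestamp and a random nonce under an HMAC, and the daemon rejects anything stale, forged or already seen. The secret, the 30-second window and the packet layout are constructed assumptions for the demo; unlike fwknop it authenticates only and does not encrypt the payload.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo values: a real deployment provisions the secret out of band.
SECRET = b"constructed-demo-secret"
WINDOW = 30            # seconds of clock skew tolerated before a knock is "stale"
BODY_LEN = 2 + 8 + 16  # port (H) + unix time (Q) + 16-byte random nonce
TAG_LEN = 32           # HMAC-SHA256 tag

def build_knock(secret, port, now=None):
    """Client side: one small packet = body || HMAC(secret, body)."""
    ts = int(time.time() if now is None else now)
    body = struct.pack("!HQ", port, ts) + os.urandom(16)
    return body + hmac.new(secret, body, hashlib.sha256).digest()

class KnockVerifier:
    """Server side: authenticates a knock and refuses replays inside WINDOW."""

    def __init__(self, secret, window=WINDOW):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, pkt, now=None):
        """Return (port, 'ok') on success, otherwise (None, reason)."""
        now = int(time.time() if now is None else now)
        if len(pkt) != BODY_LEN + TAG_LEN:
            return None, "malformed"
        body, tag = pkt[:BODY_LEN], pkt[BODY_LEN:]
        want = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):  # verify MAC before parsing fields
            return None, "bad-mac"
        port, ts = struct.unpack("!HQ", body[:10])
        nonce = body[10:]
        if abs(now - ts) > self.window:         # outside the freshness window
            return None, "stale"
        # Drop nonces whose packets would now fail the freshness check anyway,
        # so the cache stays bounded on a busy host.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:                  # a sniffed knock sent again
            return None, "replay"
        self.seen[nonce] = now + self.window
        return port, "ok"
```

A sniffed knock is useless to an attacker after the window closes, and inside it the nonce cache rejects the resend; the same cache is what a load checker would need to watch on a heavily hit server.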
