port knocking (x2)

[xiphias360]

So I was bored the other day and stumbled upon a link to shimmer, can't remember how i found my way there but i started reading it and it was pretty interesting. check the link here for a quick run down: http://shimmer.sourceforge.net/

Up to speed now? Okay good. So I'm wondering, has anyone here actually implemented a port knocking program (with a purpose, not just for SnG's)? If so, how would you size it up to an off-shoot like shimmer? Both implementations would have their pros and cons, but in the end i would personally opt for port knocking.

IMO, shimmer is nice in that it holds almost 50 open ports with 16 active and rotating every minute. You're hiding your protected service in a haystack, so to speak. While it's a small haystack, you can still feel good about it because if someone tries to connect to the wrong service they're blacklisted for 15 minutes that slides with every attempt. Assuming a person guessed wrong only once, the set of ports would have shifted 15 times by the time he's unblocked and he's staring at a fresh challenge.

BUT, from what I understand, in the 1 in 48 chance that someone guesses right, there's no authorizing sequence. It's just a dice roll and if they land on the right number they got a minute to get in. It's a small window, but a window none the less.

Now, this is decent security for hiding a service but at the same time it's like having a vault in plain site with a huge sign hanging from it that reads "HEY!! I'M HIDING SOMETHING IN HERE!! COME POKE ME WITH A STICK!!!!" Curious hackers are always drawn to the red button.

Then, you have something like port knocking which let's you talk to closed ports by sending an auth sequence or payload to one or several ports to which the sender would recieve no response for anything sent, and if the sequence is correct the hidden service is opened. Now if a person scanned a machine that had a port knocking program and saw closed ports instead of 48 open ones in the 10000-10999 range, they may be inclined to believe there's nothing there and just move on. However, if they knew for a fact there was a port knocking program installed, I assume they could brute force it all they wanted.

What are your thoughts/views? Which would you choose?

[treanglin]

Thanks for bringing this up. I just learned about this after you mentioned it (thanks Google) I'm not quite sure which implementation I'd use though.

I don't really understand the cons and pros of each system but I'm leaning toward the portknocking system though because It just seems cooler to me. The main problem I think I see with that one though is that if an attacker Is sniffing traffic between the client and the server and notices that before accessing port 22 the client sent some funky packets to ports X,Y,Z and in that order then that may look very interesting to him. I'm still not decided though, this is really cool **** though, I'm going to look into it more tonight when I get home.

[xiphias360]

I might install shimmer and watch the wire to see what happens there also, just cuz im curious. The way shimmer is invoked, im sure someone sniffing traffic would pick up on how they are connecting also...

[treanglin]

I might install shimmer and watch the wire to see what happens there also, just cuz im curious. The way shimmer is invoked, im sure someone sniffing traffic would pick up on how they are connecting also...

The thing with shimmer though is that after the person discovers how the connection is made they also have the task of decrypting the "handshake" or whatever...I think. And then by the time that is done the ports have switched. but I think that if the attacker can discover the shared secret and has the same time as the server and host, then he or she can figure out where the next port is open? I'm not sure though, amirite?

[xiphias360]

well the ports are supposed to be random but as we all know things are usually only random to a certain extent. if i can find the time im definately going to play with this, lol...