Lets look at the issues.
You rely on obscurity in a manner that changes flags in IP and makes the
packets stand out. Most IDS's will alert to this, many routers will. A TCPdump
filter for unusual flags and IP ID's is common in many ISP's. So we have a
security mechanism that is advertising itself but relies on secrecy. Paradox
and inconsistency No. 1.
The IP ID field is 16 bits. With a 4 packet knock we have a functional
equivalent of a 3 character all symbol or 4 character alpha numeric password. I
do not believe that this was ever considered secure.
IP ID fingerprinting will make the flag stand out. Without the SPA encryption
mechanisms it is a simple capture (or sniffing). Using SPA (not Port knocking)
you can sniff packets and capture for analysis. The “encryption” can be
silently cracked in seconds (it is functionally equivalent to 13 bit DES) in
microseconds given any modern PC.
Please explain how this is more than a script kiddie toy and a security boon?
As Brent stated, why not deploy a REAL crypto solution. It is 1. Easier. 2.
Supported and 3 More secure (i.e. 128 or 256 bit keys take a LONG time to
break).
Regards,
Dr Craig Wright (GSE-Compliance)
PS Happy New Year
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
The information in this email and any attachments is confidential. If you are
not the named addressee you must not read, print, copy, distribute, or use in
any way this transmission or any information it contains. If you have received
this message in error, please notify the sender by return email, destroy all
copies and delete it from your system.
Any views expressed in this message are those of the individual sender and not
necessarily endorsed by BDO Kendalls. You may not rely on this message as
advice unless subsequently confirmed by fax or letter signed by a Partner or
Director of BDO Kendalls. It is your responsibility to scan this communication
and any files attached for computer viruses and other defects. BDO Kendalls
does not accept liability for any loss or damage however caused which may
result from this communication or any files attached. A full version of the
BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO
Kendalls website at http://www.bdo.com.au or by emailing
administrator@bdo.com.au.
BDO Kendalls is a national association of separate partnerships and entities.
________________________________________
From: listbounce@securityfocus.com [listbounce@securityfocus.com] On Behalf Of
Ansgar -59cobalt- Wiechers [bugtraq@planetcobalt.net]
Sent: Tuesday, 1 January 2008 7:50 AM
To: security-basics@securityfocus.com
Subject: Re: Port-Knocking vulnerabilities?
On 2007-12-31 Robert Inder wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net> wrote:
On 2007-12-28 Jay wrote:
Portknocking is a security mechanism as it is a type of
authentication. "Something you know" in this case the sequence of
ports to knock before a unstarted service or daemon begins listening
for connections.
Since everything is transmitted in the clear port-knocking is as much
of a security mechanism as cleartext passwords. Technically: maybe
(depending on your definition). Realistically: no.
I think your dismissal of port knocking (and, indeed, plain text
passwords) is unrealistic.
If you can intercept my interaction with some remote server, you can
steal the relevant secrets (the password or the sequence of ports).
But isn't that quite a substantial "if"?
The substantial "if" is the question if intercepting the transmission
will allow an attacker to learn the secret without having to compromise
either the sender or the receiver of the communication. If an attacker
can do that, then the authentication mechanism is insecure and thus mere
obscurity. Period.
How are you going to do it? Aren't you going to have to compromise
some other machine, either where I am, or where the server is (or, I
guess, where the relevant DNS records are), and then plant software to
deliberately wait and watch until a relevant interaction takes place?
http://ettercap.sourceforge.net/
There are other attack vectors as well.
I'm not saying that's impossible. But it would take considerable
knowledge, planning and effort.
Why doesn't that make it a substantial defence against most kinds of
casual attack?
Because "substantial" is the opposite of "casual". A measure that won't
also stop a determined attacker is just obscurity, not security.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
