Transcript Cerberus

Introduction to Cerberus
Port Knocking with covert packets to
secretly open your firewall
Published: June 2004
Agenda
- Introduction to Port Knocking
- Isn't Security through Obscurity Bad?
- Traditional Port Knocking Tools
- Problems with Port Knocking Tools
- Introduction to Dana's Version - Cerberus
- Crafting Cerberus packets
- Packet breakdown information
- Things to Consider / Summary
- Questions
Introduction to Port Knocking
- Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports.
- Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server.
- The server does not send any response to the client as receipt of the information.

Isn't Security through Obscurity Bad?
- Security implemented SOLELY through obscurity is considered bad; using obscurity as another line of defense is actually good.
- Reducing the perceived attack surface of a system will typically cause most attackers to move on to easier targets.
- Traditional port knocking isn't really that "obscure" anyway. Most analysis tools can pick up common port patterns from common port knocking software.

Traditional Port Knocking with TCP/IP
- cd00r: http://www.phenoelit.de/stuff/cd00rdescr.html
- Doorman: http://doorman.sourceforge.net/
- knockd: http://www.zeroflux.org/knock/
- SAdoor: http://cmn.listprojects.darklab.org/
- toctoc: http://brahma.cpd.ufjf.br/~atrix/toctoc
Problems with Traditional Port Knocking
- Once you know the secret knock, the port is opened; it's quite easy to sniff the wire to get the sequence. Furthermore, TCP-style knocking leaves a lot of "logging cruft", making it easy to find. Intrusion detection sensors pick up on this easily!
- Most simple implementations have no way to authenticate the knocker. How do you know it's who you think it is?
- Most port knockers require some sort of client or script to work, which is not always available to you.
- Many knockers require the source address of the packet to be the actual host asking for access, when in many cases it may not be (e.g. weird NAT translation).
Dana's Way with ICMP
- Can bypass most IDS sensors as "normal" traffic
- Uses typical ICMP traffic allowed by most firewalls
- Doesn't require special tools to craft packet sequences; can be done with the Linux 'ping' command
- Was written over 5 years ago, before port knocking was a common thing

Introduction to Cerberus - Dana's Port Knocking Daemon
- Small daemon written in C tied to libpcap which sniffs all inbound ICMP 'ping' packets (type 8)
- Requires very little overhead and doesn't have to look for packet patterns or watch system logs closely.
- Uses some simple, yet effective techniques to provide rudimentary authentication

How Cerberus Works
Looks for specially crafted ICMP type 8 ping packets. Once found, it breaks the packet payload down into:
struct {
  2 byte  Initiator (0xDEAD)
  1 byte  UserID
  1 byte  ActionID (Action sequence)
  8 byte  One time Password (OTP)
  4 byte  IP address (Dotted decimal to Hex)
}
How Cerberus Works - The OTP
The One Time Password is a hash of:
- The current date and time up to the last minute
- A system 'server seed'
- An individual user passcode
- The IP address to allow in (in dotted decimal format)

- Hash used is an MD5 of that data concatenated together
- OTP is the last 16 chars of that hash result

Crafting a Cerberus Packet

Make the OTP (the seed, pincode and IP are appended as literal text to the date format string; %k is the hour, space-padded):
date +%d%m%y%k%Msome_seedmy_pincode204.244.123.234 | md5sum | cut -c 17-32

Send the packet (the 32 hex chars are the 16-byte pattern that ping -p repeats through the payload):
ping -c1 -p "dead4201f0b70bc031a365e9ccf47bea" mymachine.com
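The struct, OTP and crafting steps above, worked through as an added Python example (not Cerberus's own C code): a client-side builder for the 16-byte pattern and a daemon-side parser that recomputes the OTP over a small time-drift window. It assumes the daemon hashes exactly what the page's shell pipeline hashes, i.e. the date string with the trailing newline that `date` emits; the user ID 0x42, action 1 and the ±1 minute window are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timedelta

INITIATOR = 0xDEAD  # 2-byte marker that opens every Cerberus payload


def make_otp(when, seed, pin, ip):
    """Same data the page's pipeline hashes: date +%d%m%y%k%M, seed, pin, IP.
    %k is the space-padded hour; the '\\n' is the newline `date` prints
    (assumption: the daemon hashes exactly the pipeline's input).
    Return the last 16 hex chars, as `cut -c 17-32` does."""
    stamp = when.strftime("%d%m%y") + f"{when.hour:2d}" + when.strftime("%M")
    digest = hashlib.md5(f"{stamp}{seed}{pin}{ip}\n".encode()).hexdigest()
    return digest[16:]


def build_payload(when, user_id, action_id, seed, pin, ip):
    """Client side: the 16-byte struct as the 32 hex chars handed to ping -p."""
    otp = bytes.fromhex(make_otp(when, seed, pin, ip))
    packed_ip = ipaddress.IPv4Address(ip).packed  # dotted decimal -> 4 bytes
    return struct.pack("!HBB8s4s", INITIATOR, user_id, action_id, otp, packed_ip).hex()


def parse_payload(hexpat):
    """Daemon side: split the pattern into the slide's struct; None if no 0xDEAD."""
    init, uid, act, otp, ip = struct.unpack("!HBB8s4s", bytes.fromhex(hexpat))
    if init != INITIATOR:
        return None
    return {"user": uid, "action": act, "otp": otp.hex(),
            "ip": str(ipaddress.IPv4Address(ip))}


def verify(hexpat, users, seed, now, drift_minutes=1):
    """Recompute the OTP for each minute in the drift window (the sliding-window
    problem from the last slide) and return (user, action, ip) on a match.
    `users` maps UserID -> passcode; the IP in the packet, not the packet's
    source address, is what would be allowed in (covers the NAT case)."""
    fields = parse_payload(hexpat)
    if fields is None or fields["user"] not in users:
        return None
    for off in range(-drift_minutes, drift_minutes + 1):
        expect = make_otp(now + timedelta(minutes=off), seed,
                          users[fields["user"]], fields["ip"])
        if hmac.compare_digest(expect, fields["otp"]):  # constant-time compare
            return fields["user"], fields["action"], fields["ip"]
    return None
```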
Packet Pattern Breakdown
dead4201f0b70bc031a365e9ccf47bea
- Initiator: dead
- User ID: 42
- ActionID: 01
- Hashed OTP: f0b70bc031a365e9
- IP address as HEX: ccf47bea (204.244.123.234)
Received packet breakdown
16:26:45.021294 IP stinger.scorpionsoft.com > S02060005180002c5.va.shawcable.net: icmp 64: echo reply seq 0
0x0000: 4500 0054 27ff 0000 4001 93c3 ccae 1305  E..T'...@.......
0x0010: 1850 c6e3 0000 7a57 f3ca 0000 40c8 ec5e  .P....zW....@..^
0x0020: 0000 7695 dead 4201 e394 db11 58d4 23ac  ..v...B.....X.#.
0x0030: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
0x0040: ccf4 7bea dead 4201 e394 db11 58d4 23ac  ..{...B.....X.#.
0x0050: ccf4                                     ..
Things to consider when writing your own version of Cerberus
- Strength of cryptography. The hash is only as strong as the seed and passcode.
- Time synchronization. Use time drift techniques to combat the sliding time window.
- Not all firewalls allow pings through from untrusted hosts.
- Not a replacement for good ACLs and strong authentication... It is merely an augmentation to a defense in depth posture!
- Optimize code and drop ping floods, or expect to be DoSed!
This document is provided for informational purposes only.
SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2004 Scorpion Software Corp. All rights reserved.