A port scan reveals port 22 as closed, and then you send a packet somewhere to open it? How does this work completely?
What keyword should I use to find out more about that type of mechanism?
And pureh@te I loved your experiment, especially the way you described the process.
- Poul Wittig
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
Yeah, it is like port knocking. It is also called single packet authorization. Basically, I wrote a client-side component that crafts a UDP packet with a pre-shared key and a timestamp that is encrypted with the public half of an RSA key pair. For the server side, I wrote a libpcap listener that passes the packet to a program that will decrypt the packet with the private key. If the pre-shared key and timestamp are within the accepted limits, then it opens the SSH port for that specific IP for a brief amount of time to allow for the connection. It then removes the rule that allowed for that connection, but since that TCP connection is now in an "established state," the traffic will be allowed to pass.
So even if you connect to your SSH at a coffee shop or the airport, anybody in the middle could tell you have an SSH connection to a specific IP and port, but their scans of that IP will say that the port is closed. And so what if they intercept the UDP auth packet? It has a timestamp in the encrypted payload and will be rejected if someone attempts to replay it later. And even if they did replay it within the accepted time frame, it would only open the SSH port for a very brief amount of time.
I know it's kind of overkill for SSH, but it could also be used to hide other services you want to offer only semi-publicly, like a Cisco VPN or an RDP connection.
KMDave: I would share it, but I am actually in the process of trying to bring it to market (if there is one for this...at least have to try). I have done a number of things to try to scale this up to be usable on a larger scale.
For the client, I built a Windows GUI in C# that is kind of a cross between PuTTY and the GUI client for Cisco. It allows for an XML config file to be dropped in like a PCF that loads a user up with RDP/web app tunnel configurations and performs the single packet auth and SSH connection. I also use a two-key system for the UDP payload, one common key for all users and one unique for each user. This provides the server a user signature... so I can log who is using the systems and at what times... and should someone's laptop become stolen or compromised, I only have to replace that user's individual key.
For the server side, I integrated the SSH server with AD and give all of the users a dummy shell. That way they can tunnel stuff through SSH, but they can't mess anything up through a direct shell connection.
Maybe I am giving away too much already, but I am very interested in peer review. I work for a Microsoft shop, and all this kind of flies in the face of what they are doing. So I get a bunch of blank stares when I try to explain this. But I do have it working in production, and many of my coworkers use it.
I welcome anyone who would like to comment on this or know more about it to shoot me a PM. Thanks.
dd if=/dev/swc666 of=/dev/wyze
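The exchange pureh@te describes above (a UDP payload carrying a pre-shared key and a timestamp, RSA-encrypted with the server's public key, decrypted and bounds-checked on the server before the port is opened), as an added example that is not code from the thread or from the author's tool. The OAEP padding, the `PSK || timestamp` layout, the constructed key value and the 30-second window are assumptions of this example:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed pre-shared key for this example; the thread gives no real value.
var psk = []byte("example-preshared-key")
// newServerKey generates the RSA key pair whose public half the client embeds.
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// buildSPA is the client side: PSK || 8-byte Unix timestamp, RSA-encrypted
// with the server's public key (OAEP padding is an assumption of this example).
func buildSPA(pub *rsa.PublicKey, now time.Time) ([]byte, error) {
	plain := make([]byte, len(psk)+8)
	copy(plain, psk)
	binary.BigEndian.PutUint64(plain[len(psk):], uint64(now.Unix()))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// verifySPA is the server side: decrypt with the private key, compare the PSK in
// constant time, reject timestamps outside +/-window. nil means "open the port briefly".
func verifySPA(priv *rsa.PrivateKey, payload []byte, now time.Time, window time.Duration) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, payload, nil)
	if err != nil {
		return errors.New("decrypt failed: wrong key or tampered packet")
	}
	if len(plain) != len(psk)+8 || subtle.ConstantTimeCompare(plain[:len(psk)], psk) != 1 {
		return errors.New("pre-shared key mismatch")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(plain[len(psk):])), 0)
	if d := now.Sub(ts); d < -window || d > window {
		return errors.New("timestamp outside accepted window: rejected as replay")
	}
	return nil
}

func main() {
	priv, _ := newServerKey()
	pkt, _ := buildSPA(&priv.PublicKey, time.Now())
	fmt.Println("fresh:", verifySPA(priv, pkt, time.Now(), 30*time.Second))
	fmt.Println("replayed 10 min later:", verifySPA(priv, pkt, time.Now().Add(10*time.Minute), 30*time.Second))
}
```

As the post itself notes, a capture replayed inside the window still passes this check; the timestamp only bounds how long a captured packet stays useful.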
Good luck then, I wish you the best. If you need a tester or the like, I'd help out.
Thanks a lot for the link, I am going to read up on it. I owe you a useful link.
Tiocfaidh ár lá
I've been thinking about this, trying to see if I could break it. Just an idea, I would like your feedback on whether it is possible. Could you send a packet with the MAC of the firewall, and if you have a routing protocol in use, use the multicast IP address (for the protocol) to be able to communicate with it?
Sure thing. pf and OpenBSD are unique in that it is possible to bridge the LAN NICs to the WAN NIC, so that if you have a stand-alone box like I have, then the firewall in essence has no IPs on the LAN; therefore it is impossible to attack. I got all my help from wyze and PrairieFire, who were already implementing such a system.
Heh, that's awesome ^^.
Looks sexy too :3