
All right, I'm gonna start then. Hello everybody, welcome back from the break. People like jokes, I like jokes. All right, let's test how we've recovered from our carb loading at lunch. Knock knock. A new kind of port knocking, that's who. So, one thing: I had to switch to my backup technology here, so it's a little weird, I have to slide. If I'm a little off, somebody just pointed out the slides aren't heavy, we'll get through it. If you were here last year you know how I started. It's not with jokes, my friends. If you're new, well, here we go. I start with questions to get us warmed up. This is going to be my question to you, and
I'm going to select a couple people at random, so you cannot hide. If you think I can't see you, I can, and I'll smell the fear like a good predator and I'll call you out. Here's my question, I'll give you a second to think about it, why I set the rest of my presentation up: what are empires built upon? Think about that. What are empires built upon? So what we're going to do today together is we're engaging a story. I'm going to tell you a story. I'm not going to tell you who I am. My name is Jason, by the way, that's all I'm going to tell you, because I don't know what else matters. You can ask me any
question you want at any time and I'll answer, if you're curious about something about me, about the presentation, about my thoughts on just about anything. But I'm going to tell you a story. When I was teaching at High Point University in High Point, not far up the road, I had a student come into my office one morning. And if anybody ever remembers what it was like to be in academia, whether you're on the faculty side or the student side, or like me you ended up doing both over your career, some mornings are rougher than others. Some mornings are rougher than others, that's code for I had a hangover. So, everybody remember the question: what
are empires built upon? My friend right here, as you took a drink, you knew it was coming. What do you think empires are built upon, first thing that pops in your mind? Emperors, that's a good answer. My friend right here in the glasses in the black shirt. Beer, oh man, I'm thirsty. Fear, and emperors, those go together, right? My man in the green: ideals. Besides Raleigh, I'm gonna tell you that empires are built upon the bones of those beside you. So I want us to look around, to our left, to our right. These are our sisters and brothers and warriors who together, as a community, have the moral obligation, the moral obligation, to build the empire
of cyber security together and secure the future. Are you with me?
Skulls for the Skull Throne, come on, it begged it. So here's the nature of the story. Anybody know who Raymond Chandler was? All right, you like olds, right? He's sitting with a hangover in his office, the girl comes in, oh, this bad thing happened. Raymond Chandler was the author of some of the best fiction ever written, I'd say, in the 20th century in America, and this was a Raymond Chandler type of morning. Again, I wasn't feeling at my best, and I'm here to tell you the truth: sometimes, as much as I love lecturing, as much as I love presenting, I didn't really want to talk to anybody, especially on this Raymond Chandler morning. And I heard the door open up to the
office suite. I was the only faculty in the office that morning and I thought to myself, here we go. And I heard the footsteps coming towards my office and a little head poked in my door, and he had this floppy hair, I mean he looked like a Muppet. Now I can say that because we actually built this technology together, but he couldn't show up, so I can make fun of him all day and he's not here to defend himself. His name's Kyle, one of the best students I've ever had in my life, and he said to me, is port knocking detectable? And I said, do you even network, bro? Now, who in here has ever heard of port
knocking? Be honest. All right, a non-trivial amount of people. Of the people that raised their hands, have you ever used it, either on your own systems, on a small office network, in a giant enterprise? Who's actually used it? One in the back right there, three, that's like a third. So of all the people that raised their hand that have ever heard of it, probably less than a third of you have actually used it. So the people that use it, do you still use it? A little bit, okay, right on. He said to me, I know the OSI model. Now, if you've ever taught undergrads, when somebody says I know the OSI model, my
response is, well then let's find out, because now you have my attention. Not something a sophomore or undergrad usually knows. So, a little bit about port knocking, because the majority of you didn't raise your hand. I'm gonna assume maybe you've heard the word, because I've said it like 10 times already, but you all don't actually remember when it came out. It came out in 2005, 2006, because it started with a really simple discussion on like a Usenet, listserv type thread, which was: in a firewall rule, what is the difference between drop versus reject, or deny, whatever the language is? Anybody know?
That's right, and that reply often is like a combination of a reset, right? That is a big difference, because if you reject or deny, you send that back, you're transmitting, which means, by inference, my friends, what? That you're there and listening. If you just drop and just kick it in the trash, there's no reply, nobody knows you're there. What a revolutionary concept. And from there some clever people said, hey, wait a minute, hey, wait a minute, what if I write a service, a simple daemon that interacts with a host firewall, that listens for incoming ports, drops them, but then does stuff like: who's there? Me, because I know the knock sequence. Oh man, that's really cool, isn't it?
And it does work. It's a really simple concept because of that, and one other thing: this is so paradigm shifting. We're used to connecting to a system, putting in a username and a password, hitting enter, and if it matches it lets us in, right? We do that like a thousand times a day, I feel like I do. This system says no. If you know the secret knock, you're authenticated by inference, so once you knock correctly I'm letting you in. That's a big paradigm shift. And so Kyle and I had this long conversation about can you detect port knocking, and we published some research on it. We went on to do bigger and better things. He graduated and he's getting married
and I don't know what he's doing, but he ain't here this weekend, so now I can tell all kinds of crazy stories. The core principles of port knocking, when it came out in actual software, because it exists, there's a dozen or so forks of the main project, there's all kinds of versions, the core principles: concealment, not obfuscation. We're concealing via that drop, but we are actively listening for the knock sequence. And the idea is that instead of exposing something like SSH, as a common form, I can conceal it because of that behavior, and if you know the knock, the service just opens up that port and now you can connect. So think about that, that's a
linear chain of events, right? Knock, and there's different forms of: do I knock once, do I knock twice, do I knock three times, four? There's no limit, you can change it, you can build your own. I did, that's what I'm going to talk about for the next 40 minutes. And the authentication is baked into it. Really simple, elegant solution. That's empire building. Here's a cool little graphic, and not the best art you've ever seen on a PowerPoint slide, yeah. The client knocks once, twice, thrice. PKD, that's just some abstract version of the port knocking daemon, says yeah, you knocked correctly, those are the right ports. Because, by the way, knocks are ports, so I just send a packet, it could
be SYN-flagged, super simple, to a destined port. So let's say six thousand, seven thousand, eight thousand, why not, let's just go in thousands in order. And when that's correct the daemon says hey, that's correct, just open up SSH, and now anybody can connect, assuming that the only person that's going to be trying in that millisecond is the person that knocked. Is it detectable? Who thinks it's detectable? Yeah, yeah, yeah, of course it is, of course it is. It's not encrypted, and even if it were, it still has a header that has to be visible, right? And somehow you're getting to those ports, you can't totally hide that, otherwise then I guess it is obfuscated
and I can't even see it, like that back row back there, I need a visor like a blackjack dealer. But there's two caveats, because now we've got to be honest. Hypothetically, or in a lab environment, have you actually ever tried to detect port knocking? Has anybody actually ever tried it in a lab? Were you able to detect it? Okay, me too. Check this out, tell me if you agree or disagree with this thing, because we're the only two in the room that have ever [ __ ] done this experiment, right? Two caveats I'm gonna put on this, tell me where I'm wrong. One, you have to be able to tap the traffic, obviously, right, because I'm going to
capture it. So how do you capture port knocking on the internet? Has anybody ever tapped an internet link that's gonna admit to it? All right, right, okay, so that's one caveat, you agree with me, right, my friend? Thank you. Caveat two: that link cannot be super noisy, because if it's super noisy, full of all kinds of traffic, how? There's just too much volume. Now of course we could build some advanced technology to parse that all out, fair enough, if you're clever with Wireshark or tcpdump and build some filters. But how wrong am I? Thank you, my friend. So with that in mind, now we can step back and say okay, look, we got this cool,
elegant solution for concealed remote access that, although in practice and principle it ought to be detectable, and it is, there's two caveats to that: that probably, like, you're not tapping the internet, and even if you could, it's probably too damn noisy, you ain't gonna see it. Okay, but let's say you can or can't, we'll put that aside. Are there any problems with it from a first principle? So think about this, think about how I described this, what do you think, what's wrong, what other vulnerabilities in the system are there? It'll alert a defender to you, it's like if you're trying to brute force it, yeah. And so on that we can infer something:
there's no client authentication. The authentication is baked into the port knocking, but I don't know who you are. Anybody that knows the knock can knock, right? I mean, anybody ever hide behind the couch when somebody knocks on the door and you know they're selling vacuums? Like, I don't want to talk to you, right? What else, any other ideas? Yes, yes, great idea. How about this: what if I am able to capture the knock? We just inferred that it's not client authenticated. I can replay it, right? I'm not checking like sequence numbers and deep packet inspection, I'm just looking for TCP ports. Okay, come on in. Okay, in fact there are a trunk full of issues
with port knocking if you're analyzing it in like a first principle way. Clearly, for some of us, it hasn't stopped us from using it, right, but that's not bad. But then the question becomes, and this is part of the story of curiosity: we know it's detectable, at least in certain cases, we know it's an elegant, simple solution, it works, it works for sure, it works. But can we make it better? Can we do something, or a set of things, to at least negate some of these systemic issues? And yes we can. Anybody ever try single packet authentication? Some people call it single packet authorization. It works pretty good too, doesn't it? And it's basically just like one UDP packet,
stateless, and you're good to go. That's a really simplified explanation, but I'm going to get into it later because we baked it into ours. There are some deep packet inspection schemes where they look at sequence numbers in addition to the port knocks. Some people tried some really slick stuff with cryptography, using encrypted, basically IPsec VPNs, but if you got that, why do you need this? That's kind of screwy. And now Coleman, that's our solution. How cool is that? That's the baddest ass name of all time, I invented it. So here's the design, and I'm going to tell you up front, I was originally going to run a demo of this, but for my friends that have used port
knocking or anything similar to that, it's super boring to watch, like it doesn't show you anything. Not like that cool SQL stuff, that was slick, that's a good demo, or the Windows hacking, those are good demos. Watching code, yeah. So I'm going to show you some code as I walk through this, but we started from a design: how do we design this from the ground up so that it doesn't have those issues, or at least not most of them, and we get something that's robust? First things first, it has to be functional, it has to work. And from the get-go we designed this to be enterprise ready, not my home lab, with like, my wife thinks I have 20 computers, I
actually don't, I have like 22, I had two in the closet she doesn't know about, that's all right. It needs to be multi-user. That's the other thing with port knocking: if I want you to knock to my server and I want you to knock to my server, now do I let you both have the same knock? If I do, how do I tell the difference? Do I give you two different knocks? Now I gotta run two daemons, two servers, see, that's why there's two in my closet. You got the joke, thank you, thank you, thank you. Here's the other thing too, by the way, I didn't mention this, it's important: when you knock, you know what server you're
knocking to, you assume, and fair play, right, it's probably yours, but you're still making an assumption, so there's no bi-directional authentication either. Back to this: we wanted this to be pseudo-anonymous because it's multi-user, and so when I show you client registration I want to impress upon you that we have no way to know who somebody is, we only know that we registered them. Or when you register your friends and family and the community, cyber security, you don't have to know your name's John, I made that up, I hope it's not. I just know that you're in here and I have your keys, that's all I have to know about you. Pseudo-anonymous. Has to be
resilient, and it needs to scale and be centrally managed. It's the 21st century, I'm not building and deploying software, even in my home environment for my own use, that isn't centrally managed, I'm not doing it anymore, dudes, not doing it. So we have a design in principle, now let's design the overarching algorithm of how it's going to work. First and foremost, we register clients, so there's a facility to do that. When we do that we do a set of sub-things: we generate two sets of keys, a symmetric key and a public key set, okay. The next piece, assuming clients are registered, now the clients want to interact with the system. This is where our version of SPA comes
in, okay. We have what's called, we call it, preamble, and so it's a one-packet blip. When the software's in debug mode it will send an ack just so you know it's working, you can turn that off. And it's just a little blip that contains a unique hash fingerprint, the counter, I'll explain the counter in a second, and a little bit more information. And what that does is it triggers the system to say a registered client is getting ready to communicate with me, I'm going to set up the knock system. And then how does the knock system actually work? Here's the secret sauce, but it's not a secret anymore because I'm going to tell you about it, okay:
we use OTPs to generate the port sequences. There's no static ports in this system, they rotate every time a client sends this preamble successfully and the server recognizes them. Now come on, you've got to give me an applause for that, right? That's some [ __ ] dark sorcery. I think it was clever. It's an elegant riff off of it, because that's one of the problems with port knocking, that's why you can replay it, because it's the same ports every time. So we thought to ourselves, from first principles, well, how do you avoid that? You use an OTP and you just change it, who cares. And then it's all iptables after that. This is the implementation, there's three parts,
three core parts: there's Coleman, Coleman server, and then Coleman service. It really breaks down like this. The heart of all this is in coleman_server, that's the TCP/IP level daemon, that's what's listening for the preamble, for the ports that are the knocks, it's what interacts with iptables, that's the core. Coleman is a command line interface to the server, so when you want to register clients, you can de-register clients, you can reset counters, you can revoke keys. If I have a traditional port knocking system and I let you connect, how do I kick you out? I mean, I could change the ports, but then it breaks it for everybody else too. In this system everything's unique to each
client, so I can revoke your access, I can revoke your keys, okay, that seems pretty cool. And then Coleman service goes with Coleman. Anybody here familiar with Flask, Python Flask? That's a Python Flask stack, here's why: because we want to build a web admin panel for it, because I told you it's enterprise, that's why. As much as I love command line, I'm getting old, people, my hands are slow and brittle, so I like web. So that's not implemented, although it's there and it works. So Coleman works through Coleman service, they can interact with Coleman server to get a list of clients, to list the keys, register, deregister, revoke, all that stuff. And then Coleman server does the
heart of it. That all breaks down in the code into two parts, we call them the supporting cast: there's three crypto handlers, symmetric, asymmetric, and we need hashing, and then there's eight utility handlers. These are the utilities like registering clients, doing what we call the remote access sequences, fancy name for knocks. They're just not knocks anymore, now it's a 15-digit hash-based OTP that gets broken down into three knocks. That's also configurable, because I told you it's enterprise, all enterprise software is configurable, right? And so you could change it to one knock of five numbers, you could scale all the way up to, well, I don't know how much you can take. And there's some other
utility handlers in there. All right, I promised you code. By the way, if you like this code, because I think it's super sexy, I wrote it. If you think it's trash Python, Kyle wrote it. Easy way to tell. Another reason why I decided to show the code is because I also comment my code, and you can see in here we have some problems. You'll see in the comments that I've left myself little notes, because this is beta, we have some things to fix. Some of you, this is, who in here, this is your first like conference ever? Anybody? Yeah, in the back, right, all right. I had a first day too, we
all do, and I had no idea I would ever be up here showing this. I had no idea I could build software on this scale, not on the first day, but now I'm like on day, I don't know, what's 10 years times 365, a lot, okay, that's just a time problem, right? So the other reason why I wanted to show the code with the comments: because this is in our repo, I'll give you the link to the GitHub at the end. Anybody can do this, this is why we're all brothers and sisters in the same community. You're capable of this if you want to do it and you put the time in. So anyway, back to pseudo-anonymous
registration. We generate keys, asymmetric, symmetric. We look for some client IDs, this is really tricky and clever: how do you think we build the client ID, because that is unique per client? Close, good guess, it's not the OTP. It's the fingerprint of the key. Well, it's a public key system, so you need that for signing anyway, like I'm not giving you anything if you're snooping, like you could already derive that, okay, cool. But it's unique to that key, which is by inference unique to the client. Last but not least, the counter. Here's why we keep a counter: because it is an OTP, and so your HOTP, based on your ID, which is a fingerprint that's unique to your keys,
and it starts at zero, dictates which OTP gets generated, and then every time you start that process the counter goes up. In the preamble negotiation, I'll share that in a second, we have a mechanism to check for that, because of course with OTPs you can get desynchronized, so we have the ability to re-synchronize the counters. See, we thought of everything, didn't we? Who wants to pay me a million dollars for this right now? Sell it. No takers, okay, I haven't shown you all of it yet. Here's the preamble. We actually thought of this last, we built everything and it was kind of working and we're like, man, but something's not right, dude, like there's some issues
that we didn't cover from that trunk of issues, like what are we going to do? I'm like, wow, why don't we get a preamble, right? Like when you knock, pardon me, when you knock on my door, I say who is it, and you're going to say it's Frank. Now if I know Frank, which I do, and I hear your voice and you sound like Frank, I assume you're Frank, or maybe I got a peephole I can look out, or both. That's kind of the concept of the preamble. So real simple, it's just the client ID, it's the RAC sequence, so a remote access code is an individual knock, all of them put together in one string is
the sequence, and we send them all in a burst, okay, and then the current counter. The server checks that against its database of registration, it checks the counter for that client and it generates an OTP to match it, to see if it matches. Pretty much OTP. And then, like I said, in debug mode we send an ack just so you know, you can turn that off and it just gets dropped, you don't know anything. But the important part, last but not least, what this does is it sets in motion the interface to the iptables. By the way, if you're curious, this is what it looks like when we generate the sequence, and so by default this is set
to 15 digits long. Do the math, that's three remote access codes of five digits each. Why five digits? Well, what's the maximum number of ports? 65,535. And so each sequence can range from zero to the max, each of the codes in the sequence. You can configure that, you can have it be five of those, you could have it be one of them if you're feeling spicy that day, I don't know, maybe you want to try it. I did, it works, it worked. But that's important because of the space, that's an almost, I'm gonna go out on the record and say un-brute-forceable space. And then here's the part of it, what I'm showing you here is the last
step. Is anybody familiar with ipchains and iptables? Okay, I'll give you a quick breakdown, it's actually really cool technology built into it. You have a firewall, and the firewall is a list of rules that it processes sequentially, right? And then in iptables, this is Linux, you have different tables, one for forwarding, one for input, one for output, you can filter on that table, and that's the direction of the traffic, right? You can put chains on those tables, and a chain is exactly what it says, it's a linked list, like a chain of links, right? And so the way this works, simplistically explaining it, is we set up a chain of subtables that represent
the first remote access code, the second one, the third one, and then the fourth one, which is the SSH access, and those match the OTP. This is why the client has to send the preamble: that comes in, registration gets checked, if okay, generate that off that sequence, and now you're set. And so the knock comes in, the knock comes in, that's the sequence, server checks it and then generates the chain. Client now sends the remote access code sequence in step: pass, pass, pass, SSH time. Quick aside, when we first did this we were thinking about, well, we tried a package to interface with iptables because it had a nice wrapper to it and
gave you nice method exposure, this is all object oriented, but man, it made it really hard to read the code and figure out what was going on, and because of the complexity and the space of possible remote access codes we have, it got tricky. And so I made the executive decision to say screw it, let's just do subprocess calls and write the iptables commands just like you would if you're working from the command line. I don't think that's better code, I think it's more readable code, which makes it more maintainable. That was, to be transparent, the decision then, yeah. And there you go. By the way, real quick, with chains too, if you're not
familiar: if you send the right first code with the wrong second one, you get kicked back to the first one. That's pretty cool, right? If you get to this one and something goes wrong, it'll kick you all the way back to the beginning. All the rules are also set with expiration timers, so this is only live for connection for the whole set: access code, access code, access code, SSH, for I think it's 30, 10, 10, 10 seconds, and that's it, then it's gone, then you've got to resend the preamble. Our current status, I'm going to call it beta, it's probably a strong alpha. There's a couple, three or four, known bugs that we have to
work out. To be honest with you, we took the summer off, we worked on this for a year and a half, we actually have a patent on it too, and then we needed a break. He's getting married, I had other stuff to do, so we have known bugs, but it is usable, it does work. We have a lot of upcoming features for this. We have the web admin portal that we want to build, just because, why not, I like it, we agreed on it, let's do it. We have a mobile app client that we're building for this that has everything baked into it, you just press the button, that handles it. And there's some other cool things we
can build off of this because of the robustness and what I think of as enterprise ready, not that I'm going to sell it to like IBM, I don't care, they can use it, it's open source. But it has some cool potential to it, including distributed swarming, that's really the idea for the clients, and that's why it had to be pseudo-anonymous. And there's the GitHub. So, who has questions? Anybody? Yes.
We have, we have, and there's no reason why you couldn't, because we don't do anything funky in the stream. So think about like a TCP stream, a transport and above, we don't even look at it, because once the remote access codes come through and you get that last one, then you can connect to the system, and now you're just connected to SSH like if it was open to begin with. Yes. No, no. So the question was, is it really intended for session protocols only? And really the way we designed this is to be protocol agnostic, and so everything's configurable. So we have some exposure, because it has to listen for the preamble on a design
port, right? Well, you can change that port and you can do anything with that, and it's single packet by nature, so that's not a big risk for us. And then whatever you want, if you want to do web instead of SSH, go for it. If you have a custom daemon you wrote, you want to put on some arbitrary port, who gives a [ __ ], you just got to stick it in the config file and this will react to it. Does that answer your question?
Oh, that's your question. Connection established, yes.
You would have to modify it from the configuration file to do that. I misunderstood what you meant, I think, the first time, thank you for restating that. Anything else? Anybody in the back? Yes, my friend.
It's clear.
Yeah, yeah, you could, but because it's an OTP you have like 30 seconds. Potentially, potentially, sure. Anybody else? Yes.
Right, sure. So basically what you're asking is what happens if, in like a three remote access code sequence, I lose packet two, right? Worst case scenario, you re-synchronize, you re-synchronize. After 30 seconds the rules will be expunged out anyway, and so it's reset, and then the client will just need to basically restart that initiation again. We thought about rigging up like some sub-communication so that the client would know, because I think that's bad UX design, but now we already have a couple exposures. That's bad, I wouldn't do it, even though I want to. Good question.
All right, I have a question for everybody else, because I got a minute, right. Who in here now, compared to 40 minutes ago, is inspired to build something for yourself? Anybody who's going to go home, yeah, right in the back, do you have an idea what you want to build?
I thought you were going to say a man-in-the-middle for it, that'd be clever, that'd be clever. And this is really the heart of it. I'm not going to sit up here, even though I make jokes about selling it, we have no intention of selling it. Everything we produce through that LLC he set up is open source by nature, and it's meant to be, because we just want to, we want to drive our curiosity and build tools. We hope people use them, we use them, but that's really the spirit of it. I think that's the spirit of this community, and I think that's how we build a secure future for us and everybody else. I
really believe in that. All right, anything else?
Thank you very much, thanks for having me. [Applause]
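The registration, counter-bearing preamble, rotating knock sequence and back-to-stage-one behaviour described in the talk, as an added Python example that is not the Coleman project's own code. The HMAC-SHA256 port derivation (16-bit slices rather than a 15-digit decimal OTP), the SHA-256 key fingerprint, the 5-step resync window and the 30-second expiry are my assumptions, and state is keyed by client id in memory instead of by iptables chains.

```python
"""Added example (not the Coleman project's code): HOTP-rotated port knocking as the
talk describes it: key-fingerprint client ids, a counter-bearing preamble with resync,
a one-time knock sequence that resets on a wrong knock, and rule expiry."""
from __future__ import annotations

import hashlib
import hmac
import struct

PORT_SPACE = 65536      # talk: each code ranges from 0 to 65535
CODES = 3               # talk: default is three remote access codes per sequence
RESYNC_WINDOW = 5       # assumption: how far ahead a client's counter may drift
SEQUENCE_TTL = 30.0     # assumption: seconds an armed sequence stays live


def hotp_ports(key: bytes, counter: int, n: int = CODES) -> list[int]:
    """Derive n knock ports from HMAC-SHA256(key, counter), HOTP style.
    Assumption: each port is a 16-bit slice of the MAC (so 0..65535 directly)
    rather than a 5-digit slice of a 15-digit decimal OTP; 32 bytes give 16 max."""
    if not 1 <= n <= 16:
        raise ValueError("codes per sequence must be 1..16")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return [struct.unpack(">H", mac[2 * i:2 * i + 2])[0] for i in range(n)]


class KnockServer:
    def __init__(self) -> None:
        self.clients: dict[str, dict] = {}   # id -> {"key": bytes, "counter": int}
        # armed chains: client id -> [expected ports, stage reached, expiry time]
        self.armed: dict[str, list] = {}

    @staticmethod
    def client_id(pubkey: bytes) -> str:
        # Talk: the id is the fingerprint of the client's key, so the server never
        # learns who the person is. A SHA-256 hex prefix is an assumption here.
        return hashlib.sha256(pubkey).hexdigest()[:16]

    def register(self, pubkey: bytes, symmetric_key: bytes) -> str:
        cid = self.client_id(pubkey)
        self.clients[cid] = {"key": symmetric_key, "counter": 0}
        return cid

    def preamble(self, cid: str, sequence: list[int], counter: int, now: float) -> bool:
        """Check one preamble (client id, claimed sequence, counter) and arm the chain."""
        rec = self.clients.get(cid)
        if rec is None:
            return False
        # Below the stored counter is a replay; too far above it is beyond resync.
        if not rec["counter"] <= counter <= rec["counter"] + RESYNC_WINDOW:
            return False
        expected = hotp_ports(rec["key"], counter)
        if sequence != expected:
            return False
        rec["counter"] = counter + 1  # consumed: this preamble cannot be replayed
        self.armed[cid] = [expected, 0, now + SEQUENCE_TTL]
        return True

    def knock(self, cid: str, port: int, now: float) -> str:
        """Feed one observed knock. 'open' only when every code arrived in order;
        a wrong port sends the client back to stage one, as the talk describes."""
        state = self.armed.get(cid)
        if state is None:
            return "closed"
        ports, stage, expires = state
        if now > expires:
            del self.armed[cid]  # timers ran out: a fresh preamble is required
            return "expired"
        stage = stage + 1 if port == ports[stage] else 0
        if stage == len(ports):
            del self.armed[cid]  # one-time: the finished sequence cannot be reused
            return "open"
        state[1] = stage
        return f"stage{stage}"


def demo() -> dict:
    """Constructed walk-through on a single registered client."""
    srv = KnockServer()
    key = hashlib.sha256(b"constructed symmetric key").digest()
    cid = srv.register(b"constructed public key bytes", key)
    seq = hotp_ports(key, 0)                       # client side, same key and counter
    ok = srv.preamble(cid, seq, 0, now=100.0)
    steps = [srv.knock(cid, p, now=101.0 + i) for i, p in enumerate(seq)]
    replay = srv.preamble(cid, seq, 0, now=110.0)  # counter 0 already consumed
    seq3 = hotp_ports(key, 3)                      # client drifted ahead to 3
    resync = srv.preamble(cid, seq3, 3, now=120.0)
    wrong = srv.knock(cid, (seq3[0] + 1) % PORT_SPACE, now=121.0)
    return {"ok": ok, "steps": steps, "replay": replay, "resync": resync,
            "wrong": wrong, "rotates": seq != seq3}
```

Port 0 can come out of the derivation but is not usable on the wire, so a deployment would reserve or remap it; the talk's own port selection rules are not shown.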