[penguinduck]

Could you explain why single-packet authorization is cosmetic? This is the first time I've read about these, and while port knocking is clearly broken in multiple ways, I don't immediately see the flaw in SPA, except for the fact that storing hashes of previous packets and comparing against them is inelegant.

[justinsaccount]

> port knocking is clearly broken in multiple ways

What are those ways?

[penguinduck]

I can copy your knock and get access, I can deny you service by messing up your knocks by sending packets with a fake IP, it is also insanely inefficient in the amount of data and time spent vs the amount of information exchanged

[justinsaccount]

> I can copy your knock and get access,

You can? how? I just logged into a server using port knocking. what was my knocking sequence? What do you have access to?

> I can deny you service by messing up your knocks by sending packets with a fake IP

Ok, I'm ready when you are.

> insanely inefficient in the amount of data and time spent vs the amount of information exchanged

I don't even know what this means. How is a few extra packets at the start of a tcp connection "insanely inefficient" ?

[tptacek]

Who cares? Serious attackers have access to the actual TCP connection you make to sshd. If there's a preauth vulnerability in sshd, they'll just use that to deliver the payload.

Port knocking is silly. If you're scared of preauth sshd zero-day, deploy an encrypted tunnel.

[Nokinside]

How big percentage of attackers have access to TCP connection and can do MITM attack?

[drudru11]

Serious attackers have physical access

[tptacek]

1. No.

2. What's your point?

[penguinduck]

Now you are being intentionally obtuse. Bye.

[Nokinside]

>I can copy your knock and get access,

Replay attacks don't work against proper port knocking.

Take for example, knockknock-daemon. It sends just one SYN packet where packets IP and TCP headers are encrypted request to open a specified port. Port is closed after connection.

https://github.com/moxie0/knockknock/blob/master/knockknock-...

[penguinduck]

Entirely possible, as I said this is the first time I read about this, so the port knocking I refer to is the kind described, which is using a sequence of ports as a key.

I don't know python but this implementation seems broken in the same way (or more precisely, under the same circumstances). I just realized, you don't even need to copy the knock. If you have access to the network traffic (which you would need to copy the knock in the first place), you also have access to the TCP sequence numbers. You can just connect from the user's IP after he performs the knock, or even let him connect and inject packets at some later point. This program seems to rely on the TCP authentication of IP address which is completely negated if the attacker can monitor traffic.

Am I misunderstanding how this program works?

[Nokinside]

The goal of knocking is to expose running services as little as possible and do it in a stealthy way.

An observer watching packets has no way to know that the SYN packet transmitted is a port knocking request. Even if they know, there is no way to determine which port was requested to open.

[penguinduck]

I don't understand what you mean. How would you prevent the attacker from knowing the port, except by only sending the port knock, and then never actually connecting?

Let's say the attacker has no idea you're using port knocking and even somehow missed your port knock packet completely, but after that captures subsequent traffic. He will still see the sequence numbers in the SYN/ACK from the server which is all he needs. Once he has that, he is an equal party to you (the legitimate client) in that connection.