by penguinduck 3662 days ago
I can copy your knock and get access; I can deny you service by messing up your knocks by sending packets with a fake IP; it is also insanely inefficient in the amount of data and time spent vs. the amount of information exchanged.
2 comments

> I can copy your knock and get access,

You can? How? I just logged into a server using port knocking. What was my knocking sequence? What do you have access to?

> I can deny you service by messing up your knocks by sending packets with a fake IP

Ok, I'm ready when you are.

> insanely inefficient in the amount of data and time spent vs the amount of information exchanged

I don't even know what this means. How are a few extra packets at the start of a TCP connection "insanely inefficient"?

Who cares? Serious attackers have access to the actual TCP connection you make to sshd. If there's a preauth vulnerability in sshd, they'll just use that to deliver the payload.

Port knocking is silly. If you're scared of preauth sshd zero-day, deploy an encrypted tunnel.

How big a percentage of attackers have access to the TCP connection and can do a MITM attack?
Serious attackers have physical access.
1. No.

2. What's your point?

Now you are being intentionally obtuse. Bye.
> I can copy your knock and get access,

Replay attacks don't work against proper port knocking.

Take, for example, knockknock-daemon. It sends just one SYN packet whose IP and TCP headers carry an encrypted request to open a specified port. The port is closed after the connection.

https://github.com/moxie0/knockknock/blob/master/knockknock-...
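The replay resistance claimed above comes from authenticating each knock rather than from the knock being secret. The following is an added example, not code from this thread and not knockknock's own implementation or wire format: a single-packet knock payload carrying a timestamp, a random nonce and an HMAC bound to the client's source IP, with a server-side verifier that rejects forged, stale and replayed knocks. The payload layout, the function and class names, the shared secret and the IP addresses are all constructed for this example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed sample secret for the example; a real deployment uses a long random per-client key.
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"

# Assumed wire layout for this example (not knockknock's format):
#   4 bytes  unix timestamp, network byte order
#   2 bytes  port the client asks to have opened
#   8 bytes  random nonce
#  16 bytes  truncated HMAC-SHA256 over (source IP || the 14 header bytes above)
_HEADER = struct.Struct("!IH8s")
TAG_LEN = 16


def _tag(key: bytes, src_ip: str, header: bytes) -> bytes:
    # Binding the source IP into the MAC means a captured knock is only valid from that address.
    mac = hmac.new(key, src_ip.encode("ascii") + header, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def make_knock(key: bytes, src_ip: str, port: int, now: int,
               nonce: Optional[bytes] = None) -> bytes:
    """Client side: build one knock payload for the given source IP and port."""
    nonce = nonce if nonce is not None else os.urandom(8)
    header = _HEADER.pack(now, port, nonce)
    return header + _tag(key, src_ip, header)


class KnockVerifier:
    """Server side: honours a given knock at most once, and only within a time window."""

    def __init__(self, key: bytes, window: int = 30, clock=time.time):
        self.key = key
        self.window = window
        self.clock = clock
        self._seen = {}  # nonce -> time after which the nonce is stale anyway and can be dropped

    def _forget_expired(self, now: int) -> None:
        # A nonce older than the window is rejected by the timestamp check, so it need not be kept.
        for nonce in [n for n, exp in self._seen.items() if exp < now]:
            del self._seen[nonce]

    def verify(self, src_ip: str, payload: bytes) -> Optional[int]:
        """Return the requested port, or None if the knock is forged, stale or replayed."""
        if len(payload) != _HEADER.size + TAG_LEN:
            return None
        header, tag = payload[:_HEADER.size], payload[_HEADER.size:]
        # Constant-time tag check first, so nothing below operates on unauthenticated data.
        if not hmac.compare_digest(tag, _tag(self.key, src_ip, header)):
            return None
        ts, port, nonce = _HEADER.unpack(header)
        now = int(self.clock())
        if abs(now - ts) > self.window:
            return None  # stale knock, or one timestamped far in the future
        self._forget_expired(now)
        if nonce in self._seen:
            return None  # replay of a knock that was already honoured
        self._seen[nonce] = ts + self.window
        return port


if __name__ == "__main__":
    clock = lambda: 1_700_000_000  # fixed clock so the demo is deterministic
    v = KnockVerifier(SHARED_KEY, clock=clock)
    knock = make_knock(SHARED_KEY, "203.0.113.7", 22, int(clock()))
    print(v.verify("203.0.113.7", knock))   # 22: fresh, authentic knock
    print(v.verify("203.0.113.7", knock))   # None: same packet replayed
    print(v.verify("198.51.100.9", knock))  # None: same packet from another source IP
```

The nonce set only needs to cover the time window, so it stays small. Note what this does and does not buy: it stops a sniffed knock from being replayed, which is the problem the knockknock description names, but it authenticates only the knock itself; once the port is open, the TCP connection that follows is protected only by whatever that service does, which is why the rest of this thread argues the knock must sit in front of an authenticated, encrypted protocol rather than replace one.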

Entirely possible; as I said, this is the first time I've read about this, so the port knocking I refer to is the kind described, which uses a sequence of ports as a key.

I don't know Python, but this implementation seems broken in the same way (or, more precisely, under the same circumstances). I just realized you don't even need to copy the knock. If you have access to the network traffic (which you would need to copy the knock in the first place), you also have access to the TCP sequence numbers. You can just connect from the user's IP after he performs the knock, or even let him connect and inject packets at some later point. This program seems to rely on TCP's authentication of the IP address, which is completely negated if the attacker can monitor traffic.

Am I misunderstanding how this program works?

The goal of knocking is to expose running services as little as possible and do it in a stealthy way.

An observer watching packets has no way to know that the SYN packet transmitted is a port knocking request. Even if they know, there is no way to determine which port was requested to open.

I don't understand what you mean. How would you prevent the attacker from knowing the port, except by only sending the port knock, and then never actually connecting?

Let's say the attacker has no idea you're using port knocking and even somehow missed your port knock packet completely, but after that captures subsequent traffic. He will still see the sequence numbers in the SYN/ACK from the server which is all he needs. Once he has that, he is an equal party to you (the legitimate client) in that connection.

Ah. I get your point.

Tell me what percentage of attackers on the net have full access to the network traffic and can do a full MITM attack?

If the goal is layered defense and minimizing exposure, the worst-case scenario is not a good counterargument.

You don't need to be able to do a full MITM attack. You just need to be able to read the traffic, not modify it.

And if you believe this is an unreasonable assumption, why did you link me a program which says in its description "The problem with the original concept was that if your port sequence was observed by passive eavesdropping, it was easily replayable."? It tries to solve this exact problem: a sniffing attacker.

I am just explaining why this program fails to solve the problem you claimed it solved in your original reply. Surely you can understand that.