Port Knocking

sven.schott

Has anyone seen (or written) any port knocking implementations in Ruby?
I couldn't see any in the RAA or RubyForge (unless it's under a name I
missed). Is there any interest for this sort of thing? I wrote a
mini-script to do it with ICMP but I'm not a programmer and it most
likely bites.

http://www.spannermonkey.info/rknock.html

It requires libpcap and ruby-libpcap. Suggestions are welcome. I wanted
to be able to knock without a client, hence the ping thing.


Sven
 
x1

Pretty neat.. I was interested in doing this a while back but never
got around to it (and never will at this rate).

Are typical port-knocking setups tcp or udp based? I would think that
the handshake portion would be UDP..

Because ICMP is filtered by many ISPs, how difficult would it be to
set this up with udp?
 
sven.schott

Port knocking is normally TCP and UDP although there are a number of
implementations with ICMP. It wouldn't be much harder to do with UDP
but that means that a client would be required as I don't know of
any (standard) unix programs that can send custom TCP or UDP packets.
I'm looking at fixing a few of the things in the script like the
timeout <shudder/> so I might throw in an option for TCP/UDP and a
small client.
 
Wilson Bilkovich

> Port knocking is normally TCP and UDP although there are a number of
> implementations with ICMP. It wouldn't be much harder to do with UDP
> but that means that a client would be required as I don't know of
> any (standard) unix programs that can send custom TCP or UDP packets.
> I'm looking at fixing a few of the things in the script like the
> timeout <shudder/> so I might throw in an option for TCP/UDP and a
> small client.

Check out Timeout, part of the standard library.
http://www.ruby-doc.org/stdlib/libdoc/timeout/rdoc/

Also, you can portknock on TCP with any web browser. Just in case that helps. :)
 
sven.schott

Thanks for the tip. I've been wanting to implement a proper timeout.
The current one is packet dependent. It works, but it's not nice.

I tried telnet and netcat to portknock but if there's no port open,
nothing comes up in the dump. I don't know why that is but I'm guessing
that libpcap only shows the packets if the TCP session is established.
Maybe there is an option to change that behaviour but I couldn't find
it. You can try it just with tcpdump -n. When you try to connect to
the local ip address using port 7000, it doesn't show up in the dump.
Same deal with ruby-libpcap (same library).

require 'pcap'

dev = Pcap.lookupdev                 # first capturable interface, e.g. en0 (not the loopback)
cap = Pcap::Capture.open_live(dev)   # open a live capture on that interface
cap.loop do |pkt|                    # print every packet the capture hands back
  puts pkt
end

I am using MacOS 10.4 so it may be some Mac weirdness at the kernel
level or how libpcap talks to the kernel but I've had no success so
far. That's why I was interested to see if anyone else had done it.

Sven
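An added example, not code from this thread or from rknock: the timeout Sven is after as a time-windowed knock-sequence tracker. It takes one (source address, destination port, timestamp) event per captured packet, from whatever does the capturing (a pcap callback, a UDP listener), and reports when a source has hit the ports in order; partial sequences expire with the clock rather than with the next packet. The port sequence and addresses are constructed values.

```ruby
# Added example (not from the thread or from rknock): a knock-sequence
# tracker with a real time window instead of a packet-count timeout.
# Feed it one (source, destination port, timestamp) event per captured
# packet, from a pcap callback or a UDP listener; it reports when a
# source has hit the configured ports in order within the window.
class KnockTracker
  Attempt = Struct.new(:index, :last_seen)   # per-source progress

  # ports:  the knock sequence, e.g. [7000, 8000, 9000] (constructed values)
  # window: max seconds between consecutive knocks before the attempt resets
  def initialize(ports, window: 10)
    raise ArgumentError, 'knock sequence must not be empty' if ports.empty?
    @ports  = ports
    @window = window
    @state  = {}   # source address => Attempt
  end

  # Returns true when this knock completes the sequence for src.
  def knock(src, port, now)
    attempt = @state[src]
    # A partial sequence quiet for longer than the window is discarded
    # instead of staying alive until the next packet arrives.
    attempt = nil if attempt && now - attempt.last_seen > @window
    index = attempt ? attempt.index : 0
    if port != @ports[index]
      # A wrong or out-of-order port drops the attempt, unless this knock
      # is itself a valid first knock, which starts a fresh attempt.
      unless port == @ports[0]
        @state.delete(src)
        return false
      end
      index = 0
    end
    index += 1
    if index == @ports.length
      @state.delete(src)   # sequence complete; the caller opens the real port
      return true
    end
    @state[src] = Attempt.new(index, now)
    false
  end

  def pending?(src)
    @state.key?(src)
  end
end
```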
 
Andy Delcambre

> Port knocking is normally TCP and UDP although there are a number of
> implementations with ICMP. It wouldn't be much harder to do with UDP
> but that means that a client would be required as I don't know of
> any (standard) unix programs that can send custom TCP or UDP packets.
> I'm looking at fixing a few of the things in the script like the
> timeout <shudder/> so I might throw in an option for TCP/UDP and a
> small client.

If you are wanting to test, hping ( http://www.hping.org/ ) can send
arbitrary packets (of pretty much any type).

Might look into that for udp/tcp testing.

Andy Delcambre
 
Paul Duncan


> Has anyone seen (or written) any port knocking implementations in Ruby?
> I couldn't see any in the RAA or RubyForge (unless it's under a name I
> missed). Is there any interest for this sort of thing?

Probably. I've been using Ruby more and more frequently in place of
Perl for system administration tasks, and every little google hit helps.

You might also be interested in the recent Ars Technica article about
monitoring packets with libpcap and Ruby:

http://arstechnica.com/articles/columns/linux/linux-20051002.ars

> I wrote a
> mini-script to do it with ICMP but I'm not a programmer and it most
> likely bites.

All I know is your debugging output is great!

When it's finished will it say "Chevron 7 locked" or "Chevron 7
engaged", or both? :D

> http://www.spannermonkey.info/rknock.html
>
> It requires libpcap and ruby-libpcap. Suggestions are welcome. I wanted
> to be able to knock without a client, hence the ping thing.

-- 
Paul Duncan <[email protected]> pabs in #ruby-lang (OPN IRC)
http://www.pablotron.org/ OpenPGP Key ID: 0x82C29562

 
Derek Chesterfield

> You can try it just with tcpdump -n. When you try to connect to
> the local ip address using port 7000, it doesn't show up in the dump.

To dump packets to/from the loopback, you need to tell tcpdump to
look at the correct interface [otherwise it defaults to the Ethernet
- en0 on Mac OS X]: