TCP Stealth hides open ports

TCP Camouflage

Data Integrity

As I mentioned previously, the typical port knocking setup does not provide any protection against man-in-the-middle attacks. The typical argument here is that the application itself is responsible for this kind of protection. However, a very short time slot still provides an attack vector. This is the period of time between successfully knocking and the connection being established at the protocol level.

In the present case, this is equivalent to the phase between successfully authenticating via the PSK through completion of the three-way handshake. TCP Stealth can provide protection here by checking the integrity of a small volume of data. The idea is that the client injects additional information into the first data packet. The server checks the correctness of the data and either allows the connection or rejects it.

The implementation follows principles that are similar to authentication using the pre-shared key. The integrity check is performed before establishing the connection by configuring the network sockets appropriately with setsockopt(). To allow this to happen, the kernel patch mentioned previously introduces the TCP_STEALTH_INTEGRITY and TCP_STEALTH_INTEGRITY_LEN options. The former is only relevant for the client side; the additional data is defined separately.

In contrast to this socket option, TCP_STEALTH_INTEGRITY_LEN is only used on the server side; it states the volume of data that is relevant for the integrity check. At the current point in time, this check is not possible without authenticating.

Figure 3 shows the three-way handshake with TCP Stealth enabled and an integrity check. In the first step of establishing the TCP connection, the client sends information relating to the PSK in the ISN. Where the client normally completes the handshake, it initiates the integrity check. TCP Stealth again relies on the MD5 checksumming method. The input data is the PSK and the integrity-check data mentioned previously – simply concatenated.

Figure 3: The three-way handshake in TCP Stealth with an integrity check enabled.

The 128-bit checksum is broken down into eight chunks of equal length by TCP Stealth and then XOR'd. The result ends up in the second part of the 32-bit ISN. In the first 16 bits, TCP Stealth hides the PSK (see above). Once the additional data has been transferred in the third step of the TCP connection establishment, the server can perform the integrity check. You can read all about the precise details online [8] [12].

Closed Doors?

For an application to be allowed to use TCP Stealth, it must set the appropriate socket options. In other words, this makes both modifications to the source code and creating new binary code inevitable. That said, if you are a regular user of open source, you will not have any trouble doing this. However, for many applications, users only have access to the binary and have no access at all to the source code. Again, TCP Stealth has a trick up its sleeve to solve this, as well.

The magic word here is libknockify [11] [12]. This is a library that the developer loads using the LD_PRELOAD mechanism before executing the application itself. At program run time, libknockify overwrites system calls such as getsockopt(), listen(), or connect() with the TCP Stealth counterparts (see also Listing 3). You can configure the PSK or the required details for the integrity check either via the shell environmental variables KNOCK_SECRET and KNOCK_INT_LEN or you can store them in $HOME/.knockrc.

Listing 3

Server Process with

01 $ cat $HOME/.knockrc
03 KNOCK_SECRET="Nuer fuer LM-Leser :-)"
05 $
06 $ LD_PRELOAD=/usr/local/lib64/ ncat -l 4242
07 setting loglvl to 2
08 Initializing hooks ...
09 Resolving symbol socket ...
10 Resolving symbol connect ...
11 Resolving symbol listen ...
12 Resolving symbol write ...
13 Resolving symbol send ...
14 Resolving symbol sendto ...
15 Resolving symbol sendmsg ...
16 Resolving symbol getsockopt ...
17 Resolving symbol close ...
18 Resolving symbol epoll_wait ...
19 Resolving symbol select ...
20 All dynamic symbols could be resolved.
21 socket(2, 1, 6) = 3
22 Socket 3 will be Knockified.
23 Knockified.
24 listen(3, 10) = 0

Listing 3 sets a log-level parameter. A   value tells libknockify not to make so much noise, whereas a value of 3 offers developers maximum verbosity. This is very useful for troubleshooting. A matching shell variable goes by the name of KNOCK_LOGLVL. In our lab, we continually experienced connection failures. When we asked Julian Kirsch about this, he confirmed that the library is only a workaround and that the focus is quite clearly on appropriate modifications in the source code of the application.

What Else?

The "TCP Stealth in Daily Linux Use" box describes modifying the Linux kernel and OpenSSH to use this technology. You will find patches for systemd online [11]. If you feel inclined to do so, you can use the code snippet you find there to modify other network services.

One more network aspect also must be considered. It is not unusual for individual packets to be lost. TCP then ensures that they are resent. If, however, the packet happens to be the first packet in the three-way handshake, à la TCP Stealth, this is fatal. As I described previously, the timestamp plays an important role in computing the ISN. In case of a resent packet, it no longer fits the bill.

The procedure for resending packets is part of the TCP stack. For Linux, this would mean that more changes are required to the kernel. The patch I described already takes the necessary precautions. For sockets that run in TCP Stealth mode, the kernel uses the original timestamp and does not generate a new one.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Port Knocking
    To ensure that the data on your computers remains accessible only by you and those with whom you want to share, we look at the advantages of combining TCP Wrappers and port knocking.
  • Protect Your Servers with Nmap

    If you've ever had to test the security of your servers, you've almost certainly come across the ever-flexible Nmap (Network Mapper) – used by sys admins to help protect their servers and diagnose problems.

  • Customizing PortSentry

    Do you have a sentry to keep an eye on your servers? We’ll show you how to customize PortSentry’s response to suspicious activity.

  • Arp Cache Poisoning and Packet Sniffing

    Intruders rely on arp cache poisoning to conceal their presence on a local network. We'll show you some of the tools an attacker might use to poison the arp cache and gather information on your network.

  • News for Admins
    In the news: Code execution flaws in PHP; ESET finds malware that targets political activists; bluetooth vulnerability makes spying easy; and open source webmin had backdoor for more than a year;
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.