TCP Stealth hides open ports

TCP Camouflage

Conclusions and Outlook

TCP Stealth looks promising. The project website has comprehensive and useful documentation, and the sample programs and prepared patches make it easy to get started. In contrast to alternatives such as SilentKnock, TCP Stealth has far less trouble with Network Address Translation, which makes it the more attractive option for clients behind a NAT gateway. The integrity check, which stops a man-in-the-middle from reusing an authorized connection with a payload of its own, is a further strength.
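To make the two advantages mentioned above concrete, here is an added illustration that is not code from the TCP Stealth project and does not reproduce the draft's actual field layout or time window (the HMAC-SHA256 construction, the 60-second window and all addresses, ports and the shared secret below are assumptions for this example). It shows a 32-bit knock token carried in the SYN's initial sequence number that binds only the destination address and port, a time window, and the first payload bytes; a second, source-bound variant demonstrates why including the client's source address breaks as soon as a NAT rewrites it.

```python
import hashlib
import hmac
import struct

# Illustrative scheme only: the 60 s window, the HMAC-SHA256 truncation and
# the field layout are assumptions for this example, not the draft's encoding.
WINDOW_SECONDS = 60


def _token(secret: bytes, fields: bytes) -> int:
    """Truncate an HMAC-SHA256 over the bound fields to the 32 bits that
    fit into a TCP initial sequence number."""
    mac = hmac.new(secret, fields, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def nat_friendly_isn(secret, dst_ip, dst_port, epoch_seconds, first_payload):
    """Client side. Source address and port are deliberately NOT inputs, so a
    NAT rewriting them leaves the token valid. The first payload bytes are
    bound in so an on-path attacker cannot reuse the SYN with other data."""
    window = epoch_seconds // WINDOW_SECONDS
    fields = (dst_ip.encode() + struct.pack("!HQ", dst_port, window)
              + hashlib.sha256(first_payload).digest())
    return _token(secret, fields)


def source_bound_isn(secret, src_ip, dst_ip, dst_port, epoch_seconds):
    """Counter-example: a token that also binds the client's source address.
    Anything that rewrites the source address (a NAT) invalidates it."""
    window = epoch_seconds // WINDOW_SECONDS
    fields = src_ip.encode() + dst_ip.encode() + struct.pack("!HQ", dst_port, window)
    return _token(secret, fields)


def server_accepts(secret, dst_ip, dst_port, now, first_payload, isn, skew=1):
    """Server side. Recompute the token for the current window and its +-skew
    neighbours (clock drift) and compare in constant time. A real server
    remembers the SYN's ISN and runs this check once the first data segment
    has arrived, because the payload is not part of the SYN itself."""
    for delta in range(-skew, skew + 1):
        t = now + delta * WINDOW_SECONDS
        expect = struct.pack("!I", nat_friendly_isn(secret, dst_ip, dst_port, t, first_payload))
        if hmac.compare_digest(expect, struct.pack("!I", isn)):
            return True
    return False


def demo():
    """Constructed scenario: client 10.0.0.5 behind a NAT that rewrites its
    source to 203.0.113.7, connecting to 198.51.100.10:22 at a fixed time."""
    secret = b"constructed-shared-secret"
    server, port, t0 = "198.51.100.10", 22, 1_700_000_000
    payload = b"SSH-2.0-OpenSSH_9.6\r\n"

    isn = nat_friendly_isn(secret, server, port, t0, payload)
    results = {
        # The NAT's source rewrite is invisible to the token: still accepted.
        "nat_ok": server_accepts(secret, server, port, t0 + 5, payload, isn),
        # Same SYN reused with different first data: the integrity binding rejects it.
        "tamper_rejected": not server_accepts(secret, server, port, t0 + 5,
                                              b"SSH-2.0-evil\r\n", isn),
        # Three windows late: outside the skew tolerance, rejected.
        "stale_rejected": not server_accepts(secret, server, port,
                                             t0 + 3 * WINDOW_SECONDS, payload, isn),
    }
    # Counter-example: the client computes the source-bound token with its
    # private address, the server with the NAT'd address it actually sees.
    client_view = source_bound_isn(secret, "10.0.0.5", server, port, t0)
    server_view = source_bound_isn(secret, "203.0.113.7", server, port, t0)
    results["source_bound_breaks_under_nat"] = client_view != server_view
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'PASS' if ok else 'FAIL'}")
```

The sequence number only has room for 32 bits, so a captured SYN replayed inside the same window with the same first payload bytes would still be accepted; the time window is what bounds that replay exposure, and the payload binding is what stops the replayed connection from being turned to a different purpose.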

Inquisitive users could also take a look at the Bridge SPA [19] or Knockknock [20] projects. What remains is the limitation to TCP as the transport protocol. The project presented here could take a decisive step forward if it makes it into the mainline Linux kernel.

Infos

  1. Netcat: http://netcat.sourceforge.net
  2. Nmap: http://nmap.org
  3. Port knocking implementations: http://www.portknocking.org/view/implementations
  4. "Remote Access Security with Single-Packet Port Knocking" by Juliet Kemp, Linux Magazine, June 2008: http://www.linux-magazine.com/Issues/2008/91/Single-Packet-Port-Knocking/(language)/eng-US
  5. "The Sys Admin's Daily Grind: Knockd" by Charly Kühnast, Linux Magazine, September 2008: http://www.linux-magazine.com/Issues/2008/94/Charly-s-Column/(language)/eng-US
  6. "The Sys Admin's Daily Grind: Single-Packet Authentication" by Charly Kühnast, Linux Magazine, October 2008: http://www.linux-magazine.com/Issues/2008/95/KEY-EXPERIENCE/(language)/eng-US
  7. Project Knockd: http://www.zeroflux.org/projects/knock
  8. Stealth draft: http://tools.ietf.org/html/draft-kirsch-ietf-tcp-stealth-00
  9. IETF: http://www.ietf.org
  10. TU Munich: http://www.tum.de/en/homepage/
  11. TCP Stealth project website: http://gnunet.org/knock
  12. Julian Kirsch master's thesis: http://gnunet.org/sites/default/files/ma_kirsch_2014_0.pdf
  13. SilentKnock: http://www-users.cs.umn.edu/~hopper/silentknock_esorics.pdf
  14. Covert channels: http://firstmonday.org/ojs/index.php/fm/article/view/528/449
  15. MD5: http://tools.ietf.org/html/rfc1321
  16. Discussion on the kernel mailing list: http://lkml.org/lkml/2013/12/10/1155
  17. New program version: http://github.com/useidel/knock
  18. TCP Stealth and OpenSSH: http://www.youtube.com/watch?v=7CadOVTNxr4
  19. Bridge SPA: http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf
  20. Knockknock: http://www.thoughtcrime.org/software/knockknock

The Author

Dr. Udo Seidel is a teacher of math and physics. After completing his Ph.D., he worked as a Linux/Unix trainer, system administrator, and senior solution engineer. He is now the leader of a Linux/Unix team at Amadeus Data Processing GmbH in Erding, Germany.
