In commonly deployed firewalls, filtering is done either by the IP address of the connecting host or by the port to which this host is connecting. Firewalls examine and interact with packets before any user authentication takes place; therefore, they do not discriminate amongst the users making the connection. It is expected that once the firewall has approved the packet and allowed it to enter the network, downstream applications will handle user authentication. Normally, this provides a sufficient balance between protection and flexibility. Some IP ranges, say cracker-friendly Internet cafés, may be closed completely to incoming traffic, while hosts in other IP ranges may be allowed to connect to ports otherwise unavailable to the general public (proprietary/sensitive applications). Unfortunately, this type of IP-based filtering has the potential to lock out trusted users from your system. Flexibility is limited by the fact that nobody from the blocked IP ranges can connect, regardless of their trust statuses. At the same time, protection is undermined by the fact that anyone from the blocked IP range physically can travel and connect from an unfiltered host. In the end, as long as ports remain open, network applications are susceptible to attack. Using intrusion detection systems and keeping applications up to date can go a long way towards providing protection, but they do so against only known, derivative or anticipated attacks. To eliminate the risk associated with publically open ports, port knocking provides an authentication system that works across closed ports. The use of these ports, however, has to be subverted because all packets are denied. Fortunately, in most firewalls that perform even the most rudimentary logging, information already is flowing across closed ports in the form of entries in a log file indicating connection attempts. Consider the following example. A handful of ports (100-109) are configured to deny all traffic–no ICMP error packets are sent back to the connecting client–and all attempted connections are logged. In this example, the firewall IP is IPF and the connecting client IP is IPC. The appropriate ipchains command to close the ports and log connections is: ipchains -A input -p tcp -s 0/0 -d IPF/32 100:109 -j DENY -l
A user attempts to connect from IPC to the following firewall ports in sequence: 102,100,100,103. From the point of view of the user, the connections fail silently. On the firewall, though, the 102,100,100,103 number sequence has been recorded. Feb 12 00:13:26 … input DENY eth1 PROTO=6 IPC:64137 IPF:102 …
Feb 12 00:13:27 … input DENY eth1 PROTO=6 IPC:64138 IPF:100 …
Feb 12 00:13:27 … input DENY eth1 PROTO=6 IPC:64139 IPF:100 …
Feb 12 00:13:28 … input DENY eth1 PROTO=6 IPC:64140 IPF:103 …
The knock sequence appears in the firewall log, and the user has transmitted data across the closed ports. Any implementation of the port knocking system needs to provide some basic functionality. First, some way to monitor the firewall log file needs to be devised. A simple Perl application that tails the file is presented in Listing 2, discussed more fully later in the article. Second, a method is required to extract the sequences of ports from the log file and translate their payload into usable information. In this step it is important to be able to (a) detect when a port sequence begins and ends, (b) correctly detect a port sequence in the presence of spurious connection attempts that are not part of the sequence and (c) keep track of multiple port sequences arriving at the same time from different remote IPs. The encoding used to generate the port sequence can be designed to minimize the length of the sequence. For example, the sequence 100,102 could correspond to one or a series of predefined operations (for example, open port ssh/22 for 15 minutes for a specific IP and then close the port). Finally, once the information is derived from the sequence, the implementation must provide some way to manipulate the firewall rules.

Benefits of Port Knocking

One of the key features of port knocking is it provides a stealthy method of authentication and information transfer to a networked machine that has no open ports. It is not possible to determine successfully whether the machine is listening for knock sequences by using port probes. Thus, although a brute-force attack could be mounted to try to guess the ports and the form of the sequence, such breach attempts could be detected easily. Second, because information is flowing in the form of connection attempts rather than in typical packet data payload, without knowing that this system is in place it would be unlikely that the use of this authentication method would be detected by monitoring traffic. To minimize the risk of a functional sequence being constructed by the intercepting party, the information content containing the remote IP of the sequence can be encrypted. Third, because the authentication is built into the port knock sequence, existing applications need not be changed. Implementing one-time passwords is done easily by adjusting the way particular sequences are interpreted. A sequence could correspond to a request that a port be opened for a specific length of time and then closed and never opened again to the same IP. Furthermore, a one-time pad could be used to encrypt the sequence, making it indecipherable by those without the pad.

Disadvantages of Port Knocking

To use port knocking, a client script that performs the knock is required. The client and any associated data should be considered a secret and kept on removable media, such as a USB key. The use of the client imposes an overhead for each connection. Certain locations, such as libraries or Internet cafés, may not allow execution of arbitrary programs. In order to use port knocking, a number of ports need to be allocated for exclusive use by this system. As the number of such ports increases, the knock sequences becomes shorter for a given amount of information payload, because the number of coding symbols is increased. Practically, 256 free privileged ports (in the 1-1024 range), not necessarily contiguous, usually can be allocated and used to listen for port knocks. Finally, any system that manipulates firewall rules in an automated fashion requires careful implementation. For the scenario in which no ports are initially open, if the listening dæmon fails or is not able to interpret the knocks correctly, it becomes impossible to connect remotely to the host.

Applications

In this section, three examples are outlined that illustrate how the port knocking system can be used. 1. Single Port, Fixed Mapping Connection to only one port (ssh/22) is required. The ssh dæmon is running; all privileged ports are closed, including ssh/22; and packets addressed to ports 30,31,32 are being logged. The following port sequences are recognized: 31,32,30 open ssh/22 to connecting IP
32,30,31 close ssh/22 to connecting IP
31,30,32 close ssh/22 to connecting IP and disregard further knocks from this IP
The justifiably paranoid administrator can open the ssh/22 port on his system by initiating TCP connections to ports 31,32,30. At the end of the ssh session, the port would be closed by using the second sequence shown above. If the host from which the administrator is connecting is not trusted (if, say, keystrokes may be snooped), the use of the third sequence would deny all further traffic from the IP, preventing anyone from duplicating the session. This assumes the port sequence and system login credentials are not captured by a third party and used before the legitimate session ends. In this example, only three sequences are understood by the system, as the requirements call for only a handful of well-defined firewall manipulations. The sequences were chosen not to be monotonically increasing (30, 31, 32), so they would not be triggered by remote port scans. If multiple ports are to be protected by this system, a mapping needs to be derived between the port sequence and a flexible firewall rule. This is covered in the next example. 2. Multiple Port, Dynamic Mapping In this example, a network may be running any number of applications. Ports 100-109 are used to listen to knocks. The port sequence is expected to be of the form: 102,100,110 10a,10b,10c,10d 10(a+b+c+d mod 10) 110,100,102
header payload checksum footer
The first and last three ports let the port knocking dæmon know that a sequence is starting and ending. The next four ports encode the port (abcd) to be opened. For example, if a connection to port 143 is required, the sequence would be 100,101,104,103. The final element in the sequence is a checksum that validates the sequence payload. In this example, the checksum is 8 (1+4+3 mod 10). The sequence element therefore is 108, and the full sequence would be 102,100,103 100,101,104,103 108 103,100,102
When this sequence is detected, port 143 would be made available to the incoming IP address. If the port is open already, the knock would rendered it closed. The knock can be extended to include additional information, such as an anticipated session length, that can be used to close the port after a set amount of time. 3. Mapping with Encryption The information contained in the knock sequence can be encrypted to provide an additional measure of security. In this example, 256 ports are allocated and logged. A knock map of the form remote IP port time checksum
is used where the remote IP, port, time and checksum (sum of other fields mod 255) are encrypted. The encrypted string can be mapped onto eight unsigned chars using Perl’s pack(“C*”,STRING) command, see Listing 1. Listing 1. Mapping the Encrypted String

Implementation

A minimal prototype Perl implementation of port knocking is presented. The implementation is comprised of a knockclient, responsible for originating the knock sequence, and a knockdæmon, responsible for monitoring the firewall log and manipulating the rules.

Knockclient

The complete client is shown in Listing 1. Lincoln Stein’s Crypt::CBC module is used as proxy to Crypt::Blowfish to carry out encryption. The unencrypted knock sequence is comprised of seven values: four IP bytes, a port (limited to the range 0-255 in this implementation), a time flag and a checksum (mod 255). The time flag determines how the dæmon reacts: 0 to open the port, 255 to close the port and any other value in the 1-254 range to open the port and then close it after that many minutes. The knock on the firewall (IP=IPF) to open port ssh/22 on IP=IPC and then have the port close after 15 minutes would be executed by calling the client as follows: knockclient -i IPC -r IPF -p 22 -t 15
The client packs the list of seven integers, performs the encryption and unpacks the string into unsigned chars (0-255). These values are then mapped onto a sequence of ports in the 745-1000 range.

Knockdæmon

The knockdæmon is shown in Listing 2. This application uses File::Tail to look for new lines in the firewall log file. Lines corresponding to connection attempts to ports 745-1000 are parsed for the remote IP and port number. An 8-element queue storing the ports is maintained for each incoming IP. When the queue size reaches 8, its contents are decrypted. If the decryption is successful and the checksum is correct, appropriate action is taken and the queue is cleared. If the decryption fails, the oldest queue port element is removed and the dæmon continues monitoring. Listing 2. knockdæmon The firewall rules are manipulated by a system call to the ipchains binary, although the IPChains Perl module by Jonathan Schatz also may be used. If the port is to be closed, as indicated by the time flag, Jose Rodrigues’ Schedule::At module is used to schedule the deletion of the rule using the at queue system.

Conclusion

Port knocking is a stealthy authentication system that employs closed ports to carry out identification of trusted users. This novel method provides the means of establishing a connection to an application running on a completely isolated system on which no ports initially are open.

Related Article : All Bout Port Knocking

In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s).

Most portknocks are stateful systems in that if the first part of the “knock” has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
While this technique for securing access to remote network daemons has not yet been widely adopted by the security community, it has been integrated in newer rootkits.

Step 3

Step 4

How Port knocking works in theory

Step 1 (A) Client cannot connect to application listening on port n; (B) Client cannot establish connection to any port.

Step 2 (1,2,3,4) Client tries to connect to a well-defined set of ports in sequence by sending certain packets; Client has prior knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response.

Step 3 (A) Server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic “port knock”; server carries out specific task based on content of port knock, such as opening port n to the client.

Step 4 (A) Client connects to port n and authenticates using application’s regular mechanism.

Benefits of port knocking

Consider that, if an external attacker did not know the port knock sequence, even the simplest of sequences would require a massive brute force effort in order to be discovered. A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened. As a stateful system, the port would not open until after the correct three-digit sequence had been received in order, without other packets in between.

That equates to approximately 655354 packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 million million million packets. On the average attempt it would take approximately 9 million million million packets to successfully open a single, simple three-port TCP-only knock by brute force. This is made even more impractical when knock attempt-limiting is used to stop brute force attacks, longer and more complex sequences are used and cryptographic hashes are used as part of the knock.

When a port knock is successfully used to open a port, the firewall rules are generally only opened to the IP address that supplied the correct knock. This is similar to only allowing a certain IP whitelist to access a service but is also more dynamic. An authorised user situated anywhere in the world would be able to open the port he is interested in to only the IP that he is using without needing help from the server administrator. He would also be able to “close” the port once he had finished, or the system could be set up to use a timeout mechanism, to ensure that once he changes IP’s, only the IP’s necessary are left able to contact the server. Because of port knocking’s stateful behaviour, several users from different source IP addresses can simultaneously be at varying levels of the port knock. Thus it is possible to have a genuine user with the correct knock let through the firewall even in the middle of a port attack from multiple IP’s (assuming the bandwidth of the firewall is not completely swamped). To all other IP addresses, the ports still appear closed and there is no indication that there are other users who have successfully opened ports and are using them.

Using cryptographic hashes inside the port knock sequence can mean that even sniffing the network traffic in and out of the source and target machines is ineffective against discovering the port knock sequence or using traffic replay attacks to repeat prior port knock sequences. Even if somebody did manage to guess, steal or sniff the port knock and successfully use it to gain access to a port, the usual port security mechanisms are still in place, along with whatever service authentication was running on the opened ports.

The software required, either at the server or client end, is minimal and can in fact be implemented as simply as a shell script for the server or a Windows batch file and a standard Windows command line utility for the client. Overhead in terms of traffic, CPU and memory consumption is at an absolute minimum. Port knock daemons also tend to be so simple that any sort of vulnerability is obvious and the code is very easily auditable. With a portknock system in place on ports such as the SSH port, it can prevent brute force password attacks on logins. The SSH daemon need not even wake up as any attempt that is made without the correct portknock will bounce harmlessly off the TCP/IP stack rather than the SSH authentication. As far as any attacker is concerned, there is no daemon running on that port at all until he manages to correctly knock on the port. The system is completely customisable and not limited to opening specific ports or, indeed, opening ports at all. Usually a knock sequence description is tied with an action, such as running a shell script, so when a specific sequence is detected by the port knock daemon, the relevant shell script is run. This could add firewall rules to open ports or do anything else that was possible in a shell script. Many portknocks can be used on a single machine to perform many different actions, such as opening or closing different ports.

Due to the fact that the ports appear closed at all times until a user knowing the correct knock uses it, port knocking can help cut down not only on brute force password attacks and their associated log spam but also protocol vulnerability exploits. If an exploit was discovered that could compromise SSH daemons in their default configuration, having a port knock on that SSH port could mean that the SSH daemon may not be compromised in the time before it was updated. Only authorised users would have the knock and therefore only authorised users would be able to contact the SSH server in any way. Thus, random attempts on SSH servers by worms and viruses trying to exploit the vulnerability would not reach the vulnerable SSH server at all, giving the administrator a chance to update or patch the software. Although not a complete protection, port knocking would certainly be another level of defense against random attacks and, properly implemented, could even stop determined, targeted attacks.

Port knocking generally has some disregard in the security world, given that early implementations basically consisted of a number of ports that had to be hit in order. However, the best of modern portknock systems are much more complex, some using highly secure cryptographic hashes in order to defeat the most common attacks (such as packet sniffing and packet replay). Additionally, portknock systems can include blacklists, whitelists and dynamic attack responses as can any internet service, however, even the simplest of port knocks controls access to a system before attackers are able to hit a service that allocates memory, CPU time or other significant resources and also acts as a barrier against brute-force attempts, automated vulnerability exploits, etc. Also, port knocking does not generally lower the security of a system overall. Indeed, it provides another layer of security for minimal overhead. In a worst case scenario however, the port knocking software introduced a new security problem or lowers security due to risk compensation.

i liked to share this information its really Knowledgeable

http://en.wikipedia.org/wiki/Port_knocking

Heres d Complete list !!

1. funnel.com
2. http://1208930645
3. https://www.orkut.com
4. www.your-freedom.in
5. http://www.cooltunnel.com/
6. http://www.browseatwork.com
7. http://www.proxify.com
8. http://www.novalok.net
9. http://bypass.4clever.com/
10. www.b3u.net
11. www.hidemyass.com
12. www.mathcookbook.com
13. http://www.guardster.com/subscription/proxy_free.php
14. www.anonymouse.org
15. www.tinyurl.com/ntbam
16. www.ghostproxy.com
17. www.papertigershark.com
18. http://www.iphide.co.uk
19. http://www.hackersproof.com
20. http://www.kcoolonline.com
21. http://www.ghostsurfing.co.uk
22. www.anonycat.comwww.birdsflyfast.com
23. www.browseatwork.com
24. http://rapidwire.net
25. http://62.193.247.221/
26. . http://prox30.com
27. http://www.privax.us
28. http://www.etary.com
29. http://s1.iphide.com
30. http://proxiesrus.com
31. http://www.surfindark.com
32. http://www.navydog.com
33. http://falsario.com
34. http://www.cheekyproxy.com
35. http://www.funkyproxy.com
36. http://www.surfsneaker.com
37. http://www.proxii.com
38. http://www.proxynumber1.com (Replace 1 with any number between 1 to 10)
39. http://myspaceproxyy.com
40. http://tenpass.com
41. http://www.browsesneaky.com
42. http://www.proogle.info
43. http://greatproxy.info
44. http://www.realproxy.info
45. http://aplusproxy.com
46. http://www.ecoproxy.com
47. http://proxiesrus.com/
48. http://www.navydog.com
49. www.cheekyproxy.com
50. www.funkyproxy.com
51. www.surfsneaker.com
52. www.proxii.com
53. http://myspaceproxyy.com
54. http://tenpass.com
55. www.ecoproxy.com
56. http://www.browsehidden.com/
57. http://www.surfsneaky.com/
58. http://www.filterhide.com/
    

The emergence of spy-phishing as a significant element in the threat landscape stems, in part, from a shift in the intent of malware writers, as well as a number of technological advances these writers have recently made. Whereas previous generations of malware writers developed their programmes chiefly to show off their expertise and gain bragging rights among their peers, most writers are now more interested in financial gain. Some create spyware programmes to steal credit card numbers, account log-ins, or a variety of other types of personal information. Others develop and/or enhance bot networks, which are then sold or leased to other individuals or groups, as a way of launching their programmes. Still, others phish for personal information either to use for themselves or to sell to others.

“Spy-phishing is really just another section under the category of crimeware, which can be defined as anything that causes financial or intellectual loss,” explained Jamz Yaneza, senior threat researcher at Trend Micro.

Spy-phishing’s direct antecedents are spyware, phishing, and backdoor Trojans.

Spyware — software that secretly installs itself on a user’s computer and runs in the background – is designed to log personal information without the user’s knowledge. The 5 per cent of spyware that can be considered to be malicious in intent is intended solely to steal passwords, bank account information, credit card numbers, social security numbers, and other forms of sensitive information – then use that information for illegal purposes.

Phishing – in which the identity of a target organisation is stolen in order to steal the identities of unsuspecting customers of the target company – frequently uses professional-looking, HTML-based e-mails that include company logos, font styles, colours, graphics, and other elements to successfully spoof the supposed sender. Most also contain a link to a Web site, which is nearly always an exact replica of the spoofed site, to lure users into parting with their personal information. Backdoor Trojans are malware programmes that perform unexpected or unauthorised actions on the user’s computer – and enable unauthorised access by remote systems.

“Spy-phishing is a blended threat,” said Yaneza. “It uses phishing techniques to initially present itself to users, then typically engages a host of other techniques and exploits to surreptitiously download and install spyware applications in the background. These applications oftentimes download additional spyware applications to further extend their functionality.”

According to data collected by Trend Micro, the amount of Trojan spyware such as that employed in spy-phishing attacks has been steadily increasing. According to the Trend Micro Trojan Spyware Index, the incidence of Trojan spyware has increased by over 250 per cent over the past 16 months. Similarly, according to a report published by the Anti-Phishing Working Group, an average of more than 188 new samples of Trojan spyware have been utilised in spy-phishing attacks each month in the first four months of 2006 – a 234 per cent increase over the same period in 2005.

Spy-phishing offers malicious authors a variety of applications and uses. While consumers and other individual end users are an obvious target, the potential uses for spy-phishing technologies and techniques go far beyond this group. Enterprises and their employees have even more to lose from spy-phishing exploits.

“Businesses of all sizes are potentially at risk, as spy-phishing can also just as easily be utilised for corporate espionage,” added Yaneza. “In fact, due to the Trojan components, and the long-term stealth capabilities they employ, the threat to sensitive corporate information is perhaps greater than is the risk to the individual, if only due to the magnitude of the potential for loss.”

Beware !!