Introduction

Ports are like the doors into or out of a network, where information must pass through them to enter or exit an organization’s network. Now, when you knock on a door in physical reality, it is a cue for those on the inside to let you in. Port knocking is a little different: instead of somebody letting you in if you knock, sending packets with the right characteristics will open the port. This has been used as an attack technique and is listed in the MITRE ATT&CK matrix. 

This article will detail the port-knocking attack technique and explore what MITRE ATT&CK is, what port knocking is, where port knocking fits into the overall attack operation, the different ways to port knock and some real-world examples of this attack technique, as well as mitigation and detection techniques for port knocking.


What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.

What is port knocking?

For information to be passed through a port, said port needs to first be enabled. This is intended as a barrier to malicious activity, but like many other security safeguards, attackers can bypass this minor security measure. Port knocking is what will open up these closed ports and allow information to flow into a previously closed port.

How does port knocking work?

Port knocking works by sending information packets with certain characteristics to a port. These packets of information comprise attempted connections to a predefined selection of closed ports and can include specific strings, unusual flags and other distinctive characteristics. 

Once the selection of ports have had these packets sent to them, port opening is normally performed by the organization’s host-based firewall or other comparable custom software. This has been observed to initiate both dynamic opening of listening ports and connections to listening servers on another system. 

The different ways to port knock

While all port knocking techniques involve sending signal packets to a port to trigger communication, the methods by which they accomplish this task can be different. One method, exemplified by the malicious program Cd00r, sniffs for the packets by using libpcap libraries. Another method enables malware to use open ports used by other programs by leveraging raw sockets. Either method you use, the result is the same — communication can now move through a previously closed port.

Going a step further, there are different types of port knocks. The most commonly used knocks are:

  • Covert knocks
  • Dynamic knocks
  • One-time knocks

Where does port knocking fit into the overall attack operation?

According to MITRE, port knocking fits into the Command-and-Control phase of an attack operation. With Command-and-Control, attackers try to control compromised systems with communication. This communication could include attempts to mimic normal traffic for detection evasion or any other communication that will control a compromised system during an attack.

It should be noted that limiting port knocking to only the Command-and-Control portion of an attack operation may short-sighted. Port knocking has been observed in the Defense Evasion and Persistence phases of an attack and in some cases it may be conceivable to use it to establish initial access. MITRE may not have listed port knocking as an initial access technique because hackers can’t tell if an organization if a device within a target environment is listening for port knocks.

Real-world examples

Chaos

Chaos is a backdoor that was originally part of a rootkit that was active in 2013 called “sebd”. This backdoor performs port knocking by providing a reverse shell that is triggered by packet reception and contains a special string which can be sent to any port.

Umbreon

Umbreon is a Pokemon-themed Linux rootkit that gives backdoor access to attackers and allows them to hide from defenders. It in turn uses a backdoor named Espeon that gives a reverse shell after receipt of a special data packet which provides additional access to attackers.

Mitigation

Not all variants of this attack technique can be mitigated by defenders. With that said, some variants can indeed be mitigated by proper implementation of stateful firewalls.

Detection

The recommended method of detection for pork knocking is recording network packets that are sent to and from a compromised system. Within this network packet traffic, look for extraneous network packets that should not be among the established flow of packets.

Conclusion

Port knocking is an attack technique enumerated in the MITRE ATT&CK Matrix. This technique is used by attackers to open closed ports by sending network packets containing special information and is most used in the Command-and-Control phase of an attack operation. By understanding port knocking, you can better position your organization to effectively respond to this widely-used attack technique.

 

Sources

  1. Port Knocking, MITRE
  2. Chaos: A Stolen Backdoor Rising Again, GoSecure
  3. Get a Handle on cd00r: The Invisible Backdoor, GIAC®️
  4. Pokemon-themed Umbreon Linux Hits x86, ARM Systems, Trend Micro