coylh
Member Candidate
Topic Author
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Ping Knock

Wed Apr 25, 2018 7:05 pm

With the management protocol vulnerabilities, there's been an interest in port knocking. I've been playing around with an alternative using icmp packet sizes as the key. I call it Ping Knocking.
# Choose some random ping packet sizes of at least 100 as a knock sequence.
# Add 28 to the size in the firewall to compensate for protocol overhead.
# After a matching knock sequence, services will be allowed for an hour from your src ip.

/ip firewall filter
# Place this rule early in the list.
add action=jump chain=input comment="Check port knock" icmp-options=8:0-255 jump-target=knock packet-size=!0-99 protocol=icmp


add action=accept chain=input comment="ACCEPT TLS after knock" dst-port=443 protocol=tcp src-address-list=KNOCK-SUCCESS
add action=accept chain=input comment="ACCEPT SSH after knock" dst-port=22 protocol=tcp src-address-list=KNOCK-SUCCESS


add action=return chain=knock comment="KNOCK FAILURE return" src-address-list=KNOCK-FAILURE

add action=add-src-to-address-list address-list=KNOCK-SUCCESS address-list-timeout=1h chain=knock comment="KNOCK 3rd - success 600" packet-size=628 src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - success return" src-address-list=KNOCK-SUCCESS

add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 3rd - failure" src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - failure return" src-address-list=KNOCK-FAILURE

add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=1m chain=knock comment="KNOCK 2nd - success 500" packet-size=528 src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - success return" src-address-list=KNOCK2

add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 2nd - failure" src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - failure return" src-address-list=KNOCK-FAILURE

add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=1m chain=knock comment="KNOCK 1st - success 400" packet-size=428
add action=return chain=knock comment="KNOCK 1st - success return" src-address-list=KNOCK1

add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 1st - failure"

The advantage of this strategy is that you don't need special knocking software. You can use a command line ping utility, or a simple batch file on Windows:
@echo off
rem Command syntax: knock.bat hostname
rem -l sets the ICMP payload size. On the wire the router sees payload + 28 bytes
rem (20 IPv4 + 8 ICMP), so 400/500/600 here match packet-size=428/528/628 above.
set destination=%1

ping -f -n 1 -l 400 %destination% >nul
ping -f -n 1 -l 500 %destination% >nul
ping -f -n 1 -l 600 %destination% >nul
echo Address specified: %destination%
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: Ping Knock

Wed Apr 25, 2018 8:32 pm

Very innovative idea. Thank you for sharing.
 
sindy
Forum Guru
Posts: 5398
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping Knock

Wed Apr 25, 2018 8:51 pm

Thanks a lot for the idea. It's one of those where one asks himself "how it hasn't come to my own mind, it's so obvious" :-D
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
BRMateus2
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Ping Knock

Wed Apr 25, 2018 11:49 pm

Well this deserves a page in the wiki or even forum pin
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: Ping Knock

Thu Apr 26, 2018 12:01 am

Very client friendly concept. However, I don't understand why all the different "action=return" rules and the ordering in the knock section.

I am new to this, but what is wrong with just this:
/ip firewall filter
# Place this rule early in the list.
add chain=input action=jump comment="Check port knock" icmp-options=8:0-255 packet-size=!0-99 protocol=icmp jump-target=knock 

add chain=input action=accept comment="ACCEPT WINBOX after knock" dst-port=8291 protocol=tcp src-address-list=KNOCK-SUCCESS
add chain=input action=accept comment="ACCEPT SSH after knock" dst-port=22 protocol=tcp src-address-list=KNOCK-SUCCESS
I made sure to put the very first rule above the default "defconf: accept ICMP" rule.

Then,

/ip firewall filter
add chain=knock action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=1m comment="KNOCK 1st - success 400" packet-size=428
add chain=knock action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=1m comment="KNOCK 2nd - success 500" packet-size=528 src-address-list=KNOCK1
add chain=knock action=add-src-to-address-list address-list=KNOCK-SUCCESS address-list-timeout=1h comment="KNOCK 3rd - success 600" packet-size=628 src-address-list=KNOCK2
add chain=knock action=return comment="KNOCK FAILURE return"

I had to add a delay between knocks in the client batch file for the knocks to be seen reliably by the router:
rem Delay of about 10 s between knocks: 11 pings to localhost, one per second
ping -n 11 127.0.0.1 > nul

Thank you, this seems to work for me.
Last edited by squeeze on Thu Apr 26, 2018 1:28 am, edited 5 times in total.
 
msatter
Forum Guru
Posts: 1721
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Ping Knock

Thu Apr 26, 2018 12:24 am

Use a short period of one minute timeout to connect after knocking. Keep the connection by using established.

This way any parallel hackers on the same source IP have less than a minute to do harm.

After you disconnect, established is over and you have to knock again to get in.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.14
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: Ping Knock

Thu Apr 26, 2018 1:22 am

msatter wrote:
Use a short period of one minute timeout to connect after knocking. Keep the connection by using established.

This way any parallel hackers on the same source IP have less than a minute to do harm.

After you disconnect, established is over and you have to knock again to get in.

Would that work reliably for people who connect to www and www-ssl services (not that I do, but I just wondered)?
 
Sob
Forum Guru
Posts: 5612
Joined: Mon Apr 20, 2009 9:11 pm

Re: Ping Knock

Thu Apr 26, 2018 3:35 am

That's a question. HTTP allows keeping a connection open and reusing it for further requests. The web server in RouterOS looks like it supports it. But browsers usually use more than one connection for the same server and you have no guarantee that all will stay open. And when access for new connections from the client times out and it happens that the browser needs to open a new connection, it will fail. So it might work, but I wouldn't bet on reliability.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
coylh
Member Candidate
Topic Author
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Re: Ping Knock

Fri Apr 27, 2018 7:46 pm

squeeze wrote:
Very client friendly concept. However, I don't understand why all the different "action=return" rules and the ordering in the knock section.

I was attempting to get specific behavior. It appears that some of the knock strategies accept the port sequence with any number of incorrectly guessed ports in between. In other words, a full port scan three times will succeed in opening the management ports. I wanted something that demanded exactly the correct sequence, and would reject a user that offered anything other than the correct sequence. This should provide about 31 bits of entropy (log2(1370^3)) for a guesser to deal with, at a rate of one guess per minute. Enough to cause difficulties for the bots anyway.
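The difference between coylh's chain in the first post and squeeze's shorter one, as an added simulation that is not part of the thread (Python, not RouterOS): it replays both chains against a correct knock sequence, a walk through every size the jump rule admits, and a mistyped second knock retried either immediately or after the one-minute failure entry has expired. The rule semantics it assumes are that rules are evaluated top to bottom, that add-src-to-address-list does not terminate the chain, that action=return does, and that re-adding an entry already on a list refreshes its timeout (RouterOS versions differ on that last point; it does not change the outcomes shown). Source addresses and timings are constructed, not captured traffic.

```python
"""Added example (not from the thread): replay the two 'knock' chains posted above.

Assumptions (not taken from the thread): re-adding an existing address-list
entry refreshes its timeout; everything else follows the posted rule order.
"""
from dataclasses import dataclass, field


@dataclass
class AddressLists:
    """Firewall address lists with per-entry expiry: list name -> {ip: expiry}."""
    now: float = 0.0
    lists: dict = field(default_factory=dict)

    def add(self, name: str, ip: str, timeout: float) -> None:
        self.lists.setdefault(name, {})[ip] = self.now + timeout

    def has(self, name: str, ip: str) -> bool:
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > self.now


# Rule tuple: (packet-size or None, src-address-list or None, action, target list, timeout s)
# coylh's chain in the order posted: a wrong size at any stage -> KNOCK-FAILURE for 1 minute.
STRICT = [
    (None, "KNOCK-FAILURE", "return", None, 0),
    (628,  "KNOCK2",        "add",    "KNOCK-SUCCESS", 3600),
    (None, "KNOCK-SUCCESS", "return", None, 0),
    (None, "KNOCK2",        "add",    "KNOCK-FAILURE", 60),
    (None, "KNOCK-FAILURE", "return", None, 0),
    (528,  "KNOCK1",        "add",    "KNOCK2", 60),
    (None, "KNOCK2",        "return", None, 0),
    (None, "KNOCK1",        "add",    "KNOCK-FAILURE", 60),
    (None, "KNOCK-FAILURE", "return", None, 0),
    (428,  None,            "add",    "KNOCK1", 60),
    (None, "KNOCK1",        "return", None, 0),
    (None, None,            "add",    "KNOCK-FAILURE", 60),
]
# squeeze's chain: wrong sizes are simply ignored, nothing is ever penalised.
LENIENT = [
    (428,  None,     "add",    "KNOCK1", 60),
    (528,  "KNOCK1", "add",    "KNOCK2", 60),
    (628,  "KNOCK2", "add",    "KNOCK-SUCCESS", 3600),
    (None, None,     "return", None, 0),
]


def run_chain(chain, lists: AddressLists, src: str, size: int) -> None:
    """Evaluate one ICMP echo request of on-wire `size` bytes from `src` against `chain`."""
    for psize, slist, action, target, timeout in chain:
        if psize is not None and psize != size:
            continue
        if slist is not None and not lists.has(slist, src):
            continue
        if action == "return":
            return
        lists.add(target, src, timeout)  # add-src-to-address-list falls through to the next rule


def knock_succeeds(chain, events, src: str) -> bool:
    """events: iterable of (time_s, src_ip, on_wire_size). True if src ends up on KNOCK-SUCCESS."""
    lists = AddressLists()
    for t, ip, size in sorted(events):
        lists.now = t
        run_chain(chain, lists, ip, size)
    return lists.has("KNOCK-SUCCESS", src)


# Constructed inputs (documentation-range addresses, not captured traffic).
LEGIT = [(0.0, "203.0.113.5", 428), (1.0, "203.0.113.5", 528), (2.0, "203.0.113.5", 628)]
# A scanner walking every size the jump rule lets through (100..1500 bytes), 10 ms apart.
SCAN = [(i * 0.01, "198.51.100.9", size) for i, size in enumerate(range(100, 1501))]
# A wrong second knock, then the correct sequence retried right away...
TYPO_THEN_RETRY = [(0.0, "203.0.113.5", 428), (1.0, "203.0.113.5", 500),
                   (2.0, "203.0.113.5", 428), (3.0, "203.0.113.5", 528), (4.0, "203.0.113.5", 628)]
# ...or retried after the 1-minute failure entry has expired.
TYPO_THEN_WAIT = TYPO_THEN_RETRY[:2] + [(t + 70.0, ip, s) for t, ip, s in TYPO_THEN_RETRY[2:]]

if __name__ == "__main__":
    for name, chain in (("strict", STRICT), ("lenient", LENIENT)):
        print(name,
              "legit:", knock_succeeds(chain, LEGIT, "203.0.113.5"),
              "scan:", knock_succeeds(chain, SCAN, "198.51.100.9"),
              "typo+retry:", knock_succeeds(chain, TYPO_THEN_RETRY, "203.0.113.5"),
              "typo+wait:", knock_succeeds(chain, TYPO_THEN_WAIT, "203.0.113.5"))
```

The scan passes the lenient chain because its three rules only ever add to lists, so the right sizes are picked out of the noise; against the strict chain the first wrong size lands the scanner on KNOCK-FAILURE and every following packet returns at the top of the chain. The price of strictness is that the legitimate user pays the same minute for a mistyped or lost knock.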
 
eworm
Long time Member
Posts: 613
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Ping Knock

Tue May 08, 2018 12:06 pm

Thanks for this, really a nice idea!

Let me add another goody... With openssh (on linux, so different ping arguments) you can add your knocking to ssh configuration:
Host routerboard.example.com
        # Linux ping: -s is the ICMP payload size, so 400/500/600 arrive as 428/528/628 bytes on the wire
        ProxyCommand sh -c 'ping -c 1 -s 400 %h && ping -c 1 -s 500 %h && ping -c 1 -s 600 %h && exec nc %h %p'
        User admin
Now just ssh to routerboard.example.com.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
eworm
Long time Member
Posts: 613
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Ping Knock

Wed May 09, 2018 8:51 am

BTW, this works for IPv6 as well if you make some little modifications:
  • Use protocol=icmpv6 and icmp-options=128:0-255
  • Add another 20 bytes to packet sizes (IPv6/ICMPv6 headers are 48 bytes vs. 28 bytes for IPv4/ICMP)
 
sindy
Forum Guru
Posts: 5398
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping Knock

Wed May 09, 2018 11:19 am

I envy you the quality of the networks between which you move, I would be afraid to send just a single packet per size because it could be lost :-)
 
coylh
Member Candidate
Topic Author
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Re: Ping Knock

Fri May 11, 2018 10:18 pm

sindy wrote:
I envy you the quality of the networks between which you move, I would be afraid to send just a single packet per size because it could be lost :-)
Even with the timeout as provided, the penalty of a lost packet is only that you must wait one minute. You're also free to change the timing to a smaller duration.

Out of curiosity, what kind of network are you on that you're unlikely to get three ping packets across?
 
sindy
Forum Guru
Posts: 5398
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping Knock

Fri May 11, 2018 10:27 pm

coylh wrote:
Out of curiosity, what kind of network are you on that you're unlikely to get three ping packets across?
Various ones, that's the point. When in one of my domestic networks I don't need road warrior setups; when roaming I'm glad to have some connection at all - mobile, hotel wifi etc. and these can be far from perfect in various parts of the world.
 
AlainCasault
Trainer
Posts: 631
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Ping Knock

Sat Jun 01, 2019 8:07 pm

Hi all,

I know I'm rehashing an old post, but this issue has me stumped.

I have done the same thing for demo purposes for the longest time. I'm doing this again this morning and it doesn't work.

A bit of troubleshooting and I realize that the ICMP-TIMEOUT in conntracking is the issue. If I reduce that value to 2 seconds and add a "ping 127.0.0.1 -n 5" in my batch file, then everything works as expected.

Two questions:

1- Did something change in recent versions that I missed?
2- Is there an impact at shortening ICMP-TIMEOUT?

Best regards,
___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
BRMateus2
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Ping Knock

Sat Jun 01, 2019 8:29 pm

AlainCasault wrote:
A bit of troubleshooting and I realize that the ICMP-TIMEOUT in conntracking is the issue. If I reduce that value to 2 seconds and add a "ping 127.0.0.1 -n 5" in my batch file, then everything works as expected.
Isn't because you are using connection-state=new?
 
AlainCasault
Trainer
Posts: 631
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Ping Knock

Sat Jun 01, 2019 9:21 pm

Thanks for getting back to me so fast.

I'm not using that field. As I inspect the conntrack table, I see my ICMP connection there for 10 secs even though my ping only sent one packet. This is why my other pings are not seen by the other filters, as the router thinks it's still the same connection.

I would have guessed that once the ping stops, so does the connection, but not the case :(

Cheers,
 
sindy
Forum Guru
Posts: 5398
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping Knock

Sat Jun 01, 2019 10:35 pm

@AlainCasault, from what you wrote I've also suspected that something else must have changed.

The timeout (defaulting to 10s) is there to allow ping request and responses with the same value in the identifier field to be recognized to belong to the same connection. The ping utility of most operating systems sends one request per second by default. That means that with a 2s timeout in the connection tracker, a single lost ping request from a sequence may be enough for the connection to disappear from the connection tracking, but that would only cause some trouble in very specific cases (not related to the knocking).

As a separate instance of the ping utility is started in the batch for each packet size, each should send the request with a different identifier value, so even though it is sent from the same source IP to the same destination, each should create its own tracked connection, which is what @coylh's state automaton relies on - although the firewall rules matching ping packets by size don't explicitly check connection-state=new, they do implicitly because they follow the chain=input action=accept connection-state=established one, so any ICMP echo request packet matching an already established connection is accepted by that one and never reaches those following rules which check the packet size.

As this is what must be happening in your case and can be affected by reducing the ICMP timeout in the connection tracking settings, there are two possibilities - either your client side OS has started to send the same ID in all requests, or Mikrotik's connection tracking stopped checking the identifier value.

So I've made a test on 6.44.3, and the outcome is that while the connection tracking does check the identifier value, the ping "client" in RouterOS only changes (increments) the identifier value if it hasn't sent any outgoing echo request for some 15 seconds, and it even reuses the same identifier value for pinging any destination. Plus the sequence numbers in the requests do not start from 1, but that may not be exactly wrong, I haven't studied the RFC.

The reuse of the identifier value is definitely a bug worth reporting, so according to the rule "you're affected, you report it" it is your call now to double-check my observations and open a ticket at support@mikrotik.com.
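What sindy describes above, as an added model that is not part of the thread (Python): only the connection tracking lookup is simulated. It assumes that an echo request whose (source, destination, identifier) tuple is still in the table counts as established and is accepted by the earlier connection-state=established rule before the knock jump rule sees it, that anything else is new and reaches the knock chain, that every packet refreshes the entry for icmp-timeout seconds (RouterOS default 10 s), and that the router's reply to each request arrives before the next request. The four scenarios are constructed, not captured: a fresh identifier per ping process, one identifier reused within the timeout, the same reuse with squeeze's 10 s delay between knocks, and AlainCasault's icmp-timeout=2s with 5 s gaps.

```python
"""Added example (not from the thread): which knocks survive the 'accept established' rule.

Assumptions (not taken from the thread): ICMP echo is tracked by (src, dst, identifier)
only, every packet refreshes the entry, and each reply precedes the next request.
"""
DEFAULT_ICMP_TIMEOUT = 10.0  # RouterOS default icmp-timeout in connection tracking


def classify(requests, icmp_timeout=DEFAULT_ICMP_TIMEOUT):
    """requests: iterable of (time_s, src, dst, icmp_id, on_wire_size).

    Returns [(size, "new" | "established"), ...] in arrival order. "established"
    packets are accepted before the knock jump rule and never reach the knock chain.
    """
    table = {}  # (src, dst, icmp_id) -> expiry time of the tracked connection
    out = []
    for t, src, dst, icmp_id, size in sorted(requests):
        key = (src, dst, icmp_id)
        expiry = table.get(key)
        state = "established" if expiry is not None and expiry > t else "new"
        out.append((size, state))
        table[key] = t + icmp_timeout  # any packet in the tuple refreshes the entry
    return out


def sizes_reaching_knock_chain(requests, icmp_timeout=DEFAULT_ICMP_TIMEOUT):
    """Only the 'new' requests are matched by the packet-size rules in chain=knock."""
    return [size for size, state in classify(requests, icmp_timeout) if state == "new"]


SRC, DST = "203.0.113.5", "192.0.2.1"  # constructed documentation-range addresses
KNOCKS = (428, 528, 628)


def sequence(gap_s, ids):
    """Three one-packet pings, gap_s apart, using the given ICMP identifiers."""
    return [(i * gap_s, SRC, DST, ids[i], KNOCKS[i]) for i in range(3)]


# Constructed scenarios.
FRESH_IDS    = sequence(1.0, (0x1a2b, 0x1a2c, 0x1a2d))   # a new identifier per ping process
REUSED_ID    = sequence(1.0, (0x0001, 0x0001, 0x0001))   # one identifier reused within the timeout
REUSED_WAIT  = sequence(11.0, (0x0001, 0x0001, 0x0001))  # squeeze: about 10 s between knocks
REUSED_SHORT = sequence(5.0, (0x0001, 0x0001, 0x0001))   # AlainCasault: 5 s gaps, icmp-timeout=2s

if __name__ == "__main__":
    print("fresh ids:                        ", classify(FRESH_IDS))
    print("reused id:                        ", classify(REUSED_ID))
    print("reused id, 11 s gaps:             ", classify(REUSED_WAIT))
    print("reused id, 5 s gaps, default 10 s:", classify(REUSED_SHORT))
    print("reused id, 5 s gaps, timeout 2 s: ", classify(REUSED_SHORT, icmp_timeout=2.0))
```

With a reused identifier only the first knock is ever "new"; the other two are swallowed as established and the sequence never completes. Either waiting out the default timeout between knocks or shortening icmp-timeout below the gap restores the three separate "new" packets the knock chain needs. Adding connection-state=new to the jump rule would not help: the packets still match the established rule first.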
 
AlainCasault
Trainer
Posts: 631
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Ping Knock

Sun Jun 02, 2019 11:11 pm

@sindy,

Thanks for the feedback. I'll run some tests and will report my findings on the trouble ticket.

Best regards,

AC
 
Jotne
Forum Guru
Posts: 1754
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Ping Knock

Tue Jul 23, 2019 11:07 am

coylh wrote:
The advantage of this strategy is that you don't need special knocking software.
Interesting idea, but you do not need a special tool to do port knocking.

To port knock on my router, i do open three web site, one by one. Port number is just an example port.
http://my-router-ip:44444
http://my-router-ip:33333
http://my-router-ip:22222
This also works fine on my phone.
Using this ping -f -n 1 -l 400 %destination% >nul on a phone is more complicated :)
Last edited by Jotne on Tue Jul 23, 2019 12:22 pm, edited 1 time in total.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Posts: 6675
Joined: Mon Jun 08, 2015 12:09 pm

Re: Ping Knock

Tue Jul 23, 2019 11:18 am

That, and also I think it would be better in the above to allow not a single ping size, but a range of sizes.
The length parameter on the ping can have different meanings depending on the program used to send the ping!
Sometimes it is the total packet size (e.g. when using ping from a MikroTik router), sometimes it is the size of the payload only (so a header is added to it, 28 bytes for IPv4).
That makes it a little confusing...
