Changeset 1173

Timestamp:

07/18/08 23:38:39 (5 months ago)

Author:

mbr

Message:

implemented UDP source port randomization by default, and added --Source-port in the fwknop client to override this

Files:

• fwknop/trunk/ChangeLog (modified) (2 diffs)
• fwknop/trunk/fwknop (modified) (6 diffs)

fwknop/trunk/ChangeLog

@@ -1 @@
-
+18
-    - SPA packets are base64-encoded by the fwknop client, and this encoding
-      pads data with '=' chars until the total length of the encoded data is a
@@ -25 +25 @@
-        alert udp any any -> any 62201 (msg:"fwknop GnuPG encrypted SPA
-        traffic"; content:"hQ"; depth:2; dsize:>1000; sid:20080003; rev:1;)
+
+    - Updated the fwknop client to randomize the UDP source port for default
+      SPA packet generation.  There is also a new command line argument
+      --Source-port <port> to allow the user to manually set the source port
+      on the fwknop client command line.  A lot more attention is given now to
+      source ports after the Dan Kaminsky DNS caching exploit, and it turns
+      out that even on Linux that the kernel did not randomize UDP source
+      ports until the 2.6.24 kernel.  Of course, any userspace process is free
+      to request a random port itself, but if a userspace application did not
+      build this in then it would be up to the kernel to assign a source port.
+      In the case of Linux, here are two links that show the change to the
+      kernel code as well as the ChangeLog entry for UDP source port
+      randomization:
+
+        http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;\
+        a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
+        http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24
-
-    - (Test suite): Added the ability to explicitly run major classes of tests

fwknop/trunk/fwknop

@@ -67 +67 @@
-my $knock_dst     = '';
-my $homedir       = '';
+my $min_port      = 10000;
+my $max_port      = 65535;
-my $spoof_src     = '';
-my $server_mode   = 'pcap';
@@ -87 +89 @@
-my $gpg_agent_info = '';
-my $include_salted = 0;
+my $client_src_port = 0;
-my $gpg_default_key = 0;
-my $err_wait_timer  = 30;  ### seconds
@@ -971 +974 @@
-                "over udp/$enc_pcap_port...\n" unless $quiet;
-
+            unless ($client_src_port) {
+                $client_src_port = &rand_port();
+            }
-            unless ($test_mode) {
-                my $socket = IO::Socket::INET->new(
-
-
-
-
+
+
+
+
+
-                ) or die "[*] Could not acquire UDP socket: $!";
-
@@ -1499 +1506 @@
-        'NAT-local'      => \$NAT_local,
-        'NAT-access=s'   => \$NAT_access_str,
+        'Source-port=i'  => \$client_src_port,
-        'Spoof-user=s'   => \$spoof_username,
-        'Spoof-proto=s'  => \$spoof_proto,
@@ -1762 +1770 @@
-
-sub rand_port() {
-10000 + int(rand(55535))
+int(rand($max_port - $min_port)) + $min_port
-}
-
@@ -1856 +1864 @@
-                                 encrypted SPA packet is stored when the
-                                 --Save-packet argument is used.
+    --Source-port <port>       - Fix a specific source port for outgoing SPA
+                                 packets.  This is not usually necessary,
+                                 and the fwknop client randomizes its source
+                                 port by default.
-    --Server-port <port>       - Specify the port number to which to send
-                                 the single authentication packet (this is