ALDABAD(8) Aldaba Server Reference Guide ALDABAD(8) NAME aldabad - Single Packet Authorization and Port Knocking server SYNOPSIS aldabad [Options] DESCRIPTION Aldaba is an open-source Port Knocking and Single Packet Authorization system. This document describes the latest version of Aldaba Server, part of the Aldaba Suite, available from http://www.aldabaknocking.com OPTIONS SUMMARY The following option summary is the output of Aldaba Server when run with no arguments. It´s a quick cheatsheet that lists the most common options. Aldaba Knocking Server 0.2.1 - (C) Luis MartinGarcia, 2010. http://www.aldabaknocking.com || aldabaknocking@gmail.com Usage: aldabad [Options] Parameters: -P, --passphrase : Passphrase used to generate the crypto keys. Options: --pk, --spa : Technique ["PK", "SPA"(default)]. -t, --target-ports : Sequence of dest ports [comma separated list]. -f, --field : Covert channel protocol header field. -c --cipher : Encryption algorithm ["Twofish", "AES", ...] -i, --interface : Network interface to listen on. -v, --verbosity : Level of verbosity [0-9 (Default)]. -l, --logging : Logging level [0-9]. -4, --ipv4 : Use IP version 4 addresses -6, --ipv6 : Use IP version 6 addresses -C, --config : Read configuration from file. -I, --interactive : Run interactively, not as a system daemon. -h, --help : Display usage information. -V, --version : Display current version. --promiscuous : Put network interface intro promiscuous mode Examples: aldabad -P "Squeamish Ossifrage" aldabad -t 3,14,159,2653 -v9 -i eth1 aldabad -6 --cipher twofish --promisc For more information please refer to manual page aldabad(8). MODES OF OPERATION --spa (Single Packet Authorization Mode) This option tells Aldaba Server to run in SPA mode. Single Packet Authorization is the technique that allows users request access to a given port number on the server, using a single authentication message. That message, called the SPA authentication message, is transmitted to the server in a single UDP datagram. This technique provides strong authentication and is the default operation mode in Aldaba. --pk (Port Knocking Mode) This option tells Aldaba Server to run in PK mode. Like SPA, Port Knocking lets users request access to a given port. However, the authentication message is transmitted stealthily, dividing it, and encoding each part in the headers of a TCP SYN packet. Port Knocking authentications are more difficult to detect from an attacker´s point of view. However, the security provided by this technique is often weaker than in SPA. SINGLE PACKET AUTHORIZATION -t port, --target-port port (Set target port number) This option specifies the destination port number that incoming SPA messages are expected to be directed to. If no port is supplied, Aldaba will pick one automatically, based on the supplied passphrase. PORT KNOCKING -t ports, --target-ports ports (Set knock sequence) List of expected knocks. These should be the same ports used by Aldaba Client. The list should be comma separated and have no spaces in it (eg: -t 1337,2600,8086,6800). Also, ports must be unique. The number of ports needed depends on the type of authentication and the header field that is used to create the covert channel. If you don´t supply the correct number of ports Aldaba will tell you how many is expecting. Note that this parameter is completely optional and may safely be omitted. When not supplied, the sequence of ports is generated automatically, deriving it from the supplied passphrase. A give passphrase will always produce the same port sequence, in both client and server. -f id, --field id (Set covert channel header field) This option specifies the protocol header field used by the client to encode the PK authentication message. Currently the following fields are available: ip-tos IPv4 Type of Service. (8 bits). ip-id IPv4 Identification. (16 bits). tcp-ack TCP Acknowledgement Number (32 bits) tcp-seq (Default) TCP Sequence Number (32 bits) tcp-sport TCP Source Port (16 bits) tcp-win TCP Window Size (16 bits) tcp-urp TCP Urgent Pointer (16 bits) -A type, --auth type (Set authentication strength) This option specifies the strength and security of the authentication. Currently there are two different possibilities: light (Default) Light authentication provides basic, but fast and effective client authentication. It requires very few packets to be sent to the server, minimizing the risk of packet loss and providing a good response time. However, although the the security of this authentication may be enough for some cases, it can be broken by skilled attackers. Systems that require high levels of security should use the strong authentication discussed below. strong Strong authentication provides a much more secure and robust client authentication. It requires the transmission of a higher number of packets, which increases the risk of packet loss, but provides effective protection against replay attacks, and significantly reduces the risk of poisoning attacks. Systems that require high levels of security should use this type of authentication. CRYPTOGRAPHY OPTIONS -P string, --passphase string (Set passphrase) Passphrase to be used to generate the necessary cryptographic keys (one for message authentication and one for message encryption). It must be at least 8 characters long and have a maximum of 256 characters. If it contains spaces, it should be enclosed in double quotes (e.g: -P "Use this to encrypt it all"). Special characters should be escaped using a backslash. Passphrases longer than 256 characters are valid but will be truncated. Cryptographic keys are derived from this passphrase using the PBKDF2 algorithm. If no passphrase is supplied, it will be asked interactively (providing interactive mode is set). -c, --cipher (Set encryption algorithm) Algorithm to be used to encrypt authentication data. Currently the following algorithms are supported: Blowfish Symmetric ; 64-bit block size ; Very Fast. Rijndael Symmetric ; 128-bit block size ; Fast ; AES Standard. (DEFAULT) Serpent Symmetric ; 128-bit block size ; Medium ; AES Contest finalist (2nd position) Twofish Symmetric 128-bit block size ; Fast ; AES Contest finalist (3rd position) All algorithms use 256-bit keys. Note that Port Knocking mode with Light authentication MUST it Blowfish because it requires a block size of 64 bits. NETWORKING OPTIONS -i name, --interface name (Set network interface) This option sets the network interface that should be used to capture incoming packets. Any network interface supported by libpcap can be used. If no interface is specified Aldaba Server will try to use the most suitable one. --promiscuous (Set promiscuous mode) Puts the network card into promiscuous mode. By default the network interface is left in non-promiscuous mode, unless it was already in promiscuous mode. OUTPUT OPTIONS -v[level], --verbose [level] (Increase or set verbosity level) Increases the verbosity level, causing Aldaba to print more information during its execution. There are 9 levels of verbosity (0 to 8). Every instance of -v increments the verbosity level by one (from its default value, level 4). Every instance of option -q decrements the verbosity level by one. Alternatively you can specify the level directly, as in -v3 or -v-1. These are the available levels: Level 0 No output at all. Level 1 Parsing Error messages. Level 2 Fatal error messages. (Default). Level 3 Warnings. Level 4 Information about knocking attempts. Level 5 Information about current configuration. Level 6 Important debug information. Level 7 Any debug information. Level 8 Reserved for future use. Level 9 Reserved for future use. -q[level], --reduce-verbosity [level] (Decrease verbosity level) Decreases the verbosity level, causing Aldaba to print less information during its execution. -l[level], --logging [level] (Set logging level) Controls the level of logging. Logs are sent via syslog. Entries use the prefix "aldabad" and the current PID of the process. There are 10 different levels (0 to 9). Higher levels include all lower levels. Level 0 No logging at all. Level 1 Failed authentication attempts. Level 2 Successful authentication attempts. Level 3 Fatal error messages. (Default). Level 4 Warnings. Level 5 Information about current configuration . Level 6 Important debug information. Level 7 Any debug information. Level 8 Reserved for future use. Level 9 Reserved for future use. --debug (Debug) Automatically sets maximum verbosity level and disables daemon mode. --quiet (Quiet) Automatically sets verbose and logging levels to 0. No output or logs will be generated. MISCELLANEOUS OPTIONS -C path, --config path (Read configuration from file) Tells Aldaba server to read configuration from a specific configuration file. Supplied path may be absolute or relative to the current directory. Alternatively, it is possible to run the server simply like "aldabad start", what makes it read the default configuration file (typically stored in /etc/aldabad/conf/aldabad.conf or /usr/local/etc/aldabad/conf/aldabad.conf) -I , --interactive (Interactive mode) Forces Aldaba Server to run interactively instead of in daemon mode. By default it runs as a system daemon. -V, --version (Display Version) Displays current version and quits. -h, --help (Display Help) Displays help information and quits. BUGS Please, report any bugs you find through the Aldaba development mailing list or directly to aldabaknocking@gmail.com. Please try to include as much information as possible. In general it´s a good idea to include the output of the command "uname -a", the version of Aldaba you are using and a brief description of the topology of the network you are using Aldaba from (subnets, routers, firewalls, etc). See http://www.aldabaknocking.com/development for more details. AUTHORS Luis MartinGarcia luis.mgarc@gmail.com (http://www.aldabaknocking.com) Aldaba 11/26/2010 ALDABAD(8)