# Port Knocking

## About

A security measure that requires a defined sequence of ports to be 'knocked' (connection attempts sent to them, in order) before the daemon opens another port.\
REF: [Lord of the Root](https://highon.coffee/blog/lord-of-the-root-walkthrough/) (vulnhub)

## Hints

* The possibilities of port-knocking patterns are unlimited.
* You will need a hint like "Easy as 1,2,3" to enter.
* `cat /var/mail/bob` ...bob may have a hint in his email :)

## Easy Knock with nc

```
# each attempt sends a SYN to the knock port; -w 1 stops nc hanging on a filtered port
nc -nv -w 1 10.x.x.x 1
nc -nv -w 1 10.x.x.x 2
nc -nv -w 1 10.x.x.x 3
ssh 10.x.x.x
```

## Knock client

```
knock -v 10.137.114.39 1:tcp 2:tcp 3:tcp
ssh 10.137.114.39
```

## nmap knock loop

* `--max-retries 0` ...keeps nmap from doing multiple retries (a retransmitted probe breaks the knock pattern)

```
# Knock on 1,2,3 then ssh on 22
for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x && sleep 1; done; ssh -i secret.priv bob@10.x.x.x

# Knock on 1,2,3 then full port scan
for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x; done; nmap -p 0-65535 -T4 -A -v -Pn 10.x.x.x
# 1337 http .. opened: http://10.x.x.x
# 4444 ssh  .. opened: ssh 10.x.x.x -p 4444

# Consecutive port order (-r option; without it nmap randomises the order of the ports)
nmap -r -Pn -p 1,2,3 10.x.x.x; nmap -Pn 10.x.x.x -p 1-2000

# Other method (note: without -r the order of 1,2,3 is not guaranteed)
nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x
nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x && ssh -i sshkey.key bob@10.x.x.x
```

## tcp loop

```
# bash only: /dev/tcp/<host>/<port> is a bash pseudo-device, not a real file
# the default IFS already splits "1 2 3" on spaces, so no IFS change is needed
# timeout 1 keeps a filtered port from stalling the loop and breaking the sequence
for i in 1 2 3; do timeout 1 bash -c "echo > /dev/tcp/10.x.x.x/$i" 2>/dev/null; done
```

## Sourcecode

```
cat /etc/init.d/knockd
cat /etc/knockd.conf
```

Example `/etc/knockd.conf`:

```
[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571,290,911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
```
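The config above is the whole mechanism: per source IP, SYNs to the sequence ports within `seq_timeout` seconds, with a wrong port or a timeout discarding the attempt. As an added example (not from the page and not knockd's own code), the Python below replays a constructed list of captured SYNs through a simplified model of that state machine, which shows why a retransmitted knock (what nmap's retries produce, hence `--max-retries 0` above) breaks the sequence and how a defender can spot completed sequences in traffic; `Knock`, `SAMPLE` and `render_command` are names made up for this example.

```python
from dataclasses import dataclass

# Door definitions and command template taken from the knockd.conf above.
DOORS = {"openSSH": (571, 290, 911), "closeSSH": (911, 290, 571)}
SEQ_TIMEOUT = 5.0  # seconds (seq_timeout in the config)
START_COMMAND = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"

@dataclass(frozen=True)
class Knock:
    ts: float    # seconds since capture start
    src: str     # source IP
    dport: int   # destination port
    flags: str   # TCP flags: "S" = SYN only, "SA" = SYN/ACK, "A" = ACK

def render_command(template: str, src: str) -> str:
    """Substitute %IP% in start_command the way knockd does."""
    return template.replace("%IP%", src)

def match_doors(knocks, doors=DOORS, seq_timeout=SEQ_TIMEOUT):
    """Replay SYNs through a simplified knockd-style state machine.

    Per (source, door) we track how many knocks matched and when the attempt
    started. A SYN to the wrong port (including a retransmit of the previous
    knock) or exceeding seq_timeout discards the attempt. Returns a list of
    (ts, src, door) for every completed sequence.
    """
    state, completed = {}, []
    for k in sorted(knocks, key=lambda k: k.ts):
        if k.flags != "S":          # tcpflags = syn: only pure SYNs count
            continue
        for door, seq in doors.items():
            idx, start = state.get((k.src, door), (0, 0.0))
            if idx and k.ts - start > seq_timeout:
                idx = 0             # attempt expired
            if k.dport == seq[idx]:
                start = k.ts if idx == 0 else start
                idx += 1
                if idx == len(seq):
                    completed.append((k.ts, k.src, door))
                    idx = 0
            else:
                idx = 0             # sequence broken
            state[(k.src, door)] = (idx, start)
    return completed

# Constructed capture: .5 knocks cleanly (an ACK in between is ignored) and
# later closes; .6 is too slow; .7 retransmits its first knock like nmap retries.
SAMPLE = [
    Knock(0.0, "10.0.0.5", 571, "S"), Knock(0.4, "10.0.0.5", 290, "S"),
    Knock(0.6, "10.0.0.5", 80, "A"), Knock(0.9, "10.0.0.5", 911, "S"),
    Knock(1.0, "10.0.0.6", 571, "S"), Knock(3.0, "10.0.0.6", 290, "S"),
    Knock(7.5, "10.0.0.6", 911, "S"),
    Knock(2.0, "10.0.0.7", 571, "S"), Knock(2.3, "10.0.0.7", 571, "S"),
    Knock(2.6, "10.0.0.7", 290, "S"), Knock(2.9, "10.0.0.7", 911, "S"),
    Knock(20.0, "10.0.0.5", 911, "S"), Knock(20.5, "10.0.0.5", 290, "S"),
    Knock(21.0, "10.0.0.5", 571, "S"),
]

if __name__ == "__main__":
    for ts, src, door in match_doors(SAMPLE):
        print(f"t={ts:5.1f} {src} completed {door}: {render_command(START_COMMAND, src)}")
```

Only 10.0.0.5 completes a door; the slow and retransmitting sources never trigger `start_command`, which is also why a knockd log showing many broken attempts from one source is worth a look.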
