Port Knocking

About

A security measure that requires certain ports to be 'knocked' before opening another port. REF: Lord of the Root (vulnhub)

Hints

The possibilities of port-knocking patterns are unlimited.
You will need a hint like "Easy as 1,2,3" to enter
cat /var/mail/bob ...bob may have a hint in his email :)

Easy Knock with nc

nc -nv 1
nc -nv 2
nc -nv 3
ssh 10.x.x.x

Knock client

knock -v 10.137.114.39 1:tcp 2:tcp 3:tcp
ssh 10.137.114.39

nmap knock loop

--max-retries 0 ...keeps nmap from doing multiple retries (breaking the knock pattern)

Knock on 1,2,3 then ssh on 22
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x && sleep 1; done; ssh -i secret.priv [email protected]

Knock on 1,2,3 then full Port-Scan
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x; done; nmap -p 0-65535 -T4 -A -v -Pn 10.x.x.x
1337 http .. Opened: http://10.x.x.x
4444 ssh  .. Opened: ssh 10.x.x.x -p 4444

Consecutive (-r option)
> nmap -r -Pn -p 1,2,3 10.x.x.x; nmap -Pn 10.x.x.x -p 1-2000

Other method:
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x && ssh -i sshkey.key [email protected]

tcp loop

IFS=$' '   ..gives a newline when there is a space
for i in 1 2 3; do echo "" > /dev/tcp/10.x.x.x/$i; done

Sourcecode

cat /etc/init.d/knockd
cat /etc/knockd.conf

[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571, 290, 911 
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

PreviousOpen Port Checks OneLiner NextSSL Issues

Last updated 2 years ago

Was this helpful?