A security measure that requires certain ports to be 'knocked' before opening another port.
REF: Lord of the Root (vulnhub)
nc -nv 1
nc -nv 2
nc -nv 3
ssh 10.x.x.x
knock -v 10.137.114.39 1:tcp 2:tcp 3:tcp
ssh 10.137.114.39
Knock on 1,2,3 then ssh on 22
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x && sleep 1; done; ssh -i secret.priv bob@10.x.x.x
Knock on 1,2,3 then full Port-Scan
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x; done; nmap -p 0-65535 -T4 -A -v -Pn 10.x.x.x
1337 http .. Opened: http://10.x.x.x
4444 ssh .. Opened: ssh 10.x.x.x -p 4444
Consecutive (-r option)
> nmap -r -Pn -p 1,2,3 10.x.x.x; nmap -Pn 10.x.x.x -p 1-2000
Other method:
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x && ssh -i sshkey.key bob@10.x.x.x
IFS=$' ' ..gives a newline when there is a space
for i in 1 2 3; do echo "" > /dev/tcp/10.x.x.x/$i; done
cat /etc/init.d/knockd
cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens33
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
