# Port Knocking

## About

A security measure that requires certain ports to be 'knocked' before opening another port.\
REF: [Lord of the Root](https://highon.coffee/blog/lord-of-the-root-walkthrough/) (vulnhub)

## Hints

* The possibilities of port-knocking patterns are unlimited.
* You will need a hint like "Easy as 1,2,3" to enter
* cat /var/mail/bob ...bob may have a hint in his email :)

## Easy Knock with nc

```
nc -nv 1
nc -nv 2
nc -nv 3
ssh 10.x.x.x
```

## Knock client

```
knock -v 10.137.114.39 1:tcp 2:tcp 3:tcp
ssh 10.137.114.39
```

## nmap knock loop

* \--max-retries 0 ...keeps nmap from doing multiple retries (breaking the knock pattern)

```
Knock on 1,2,3 then ssh on 22
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x && sleep 1; done; ssh -i secret.priv bob@10.x.x.x

Knock on 1,2,3 then full Port-Scan
> for i in 1 2 3; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.x.x.x; done; nmap -p 0-65535 -T4 -A -v -Pn 10.x.x.x
1337 http .. Opened: http://10.x.x.x
4444 ssh  .. Opened: ssh 10.x.x.x -p 4444

Consecutive (-r option)
> nmap -r -Pn -p 1,2,3 10.x.x.x; nmap -Pn 10.x.x.x -p 1-2000

Other method:
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x
> nmap -Pn --host-timeout 201 --max-retries 0 -p 1,2,3 10.x.x.x && ssh -i sshkey.key bob@10.x.x.x 
```

## tcp loop

```
IFS=$' '   ..gives a newline when there is a space
for i in 1 2 3; do echo "" > /dev/tcp/10.x.x.x/$i; done
```

## Sourcecode

```
cat /etc/init.d/knockd
cat /etc/knockd.conf

[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571, 290, 911 
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
```