
Port Knocking

From NetSec
Revision as of 17:54, 3 September 2011 by GeorgetFeeney (Talk | contribs)


Lesson

1.0 - Introduction to Port Knocking


For this lesson, port knocking is a method of opening a port on a host from the outside when that port is otherwise closed or filtered to everyone: the firewall only admits the connection after a pre-agreed series of connection attempts ("knocks") has arrived. Port knocking is not just running nmap on a host and "knocking" on every port to see which ones are open.

Port knocking is a simple way to hide a service from the outside world while keeping the freedom to connect back to your own machine without filtering by source IP address. Thus, if you are mobile and your address changes, you can still connect. Note that a static knock sequence is visible to anyone sniffing the path and can be replayed, so it hides the service rather than authenticating the user; keep the service's normal authentication (key-based SSH, for example) behind it.

We do not want port 22 to be visible to the outside world, so we create a knocking sequence that either opens port 22 temporarily or makes the host reverse-SSH out to the client that knows the secret handshake. The same mechanism is useful for building backdoors, for those interested in that area. The knocking sequence works like a password encoded in connection attempts, sent to the ports in order, like a coded knock on a door.

A reverse connection is one in which the server connects out to the client, as opposed to the client connecting to the server. Because most firewalls allow outbound connections while blocking unsolicited inbound ones, this bypasses inbound firewall rules and other server-side protections. The client listens, the server initiates the handshake and sends packets out to the client, and the connection (carrying, for example, a shell) is established over that outbound session.


2.0 - Knocking Sequences


Knocking sequences are limited only by your imagination. They are simple to set up and can be tested in a lab, for example against a deliberately vulnerable Linux live CD with Metasploit. A sequence can be anything; for the first example: three TCP ports hit in a fixed order within 10 seconds, ports 1337, 31337 and 13375. The person knocking would use hping, nmap or a custom client to hit each of those ports in sequence. Note that hitting other ports in between (a port scan, for instance) resets the sequence, and that a knock is a single packet or connection attempt, so the ports being closed does not matter.

Once these ports have been knocked in the correct order, the server lowers protection on the hidden port for a short time or spawns a shell back to the knocker. You can use netcat to attach a shell to an outgoing socket (a reverse shell), or any of the other variations.
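The following is an added example, written for this page and not taken from it or from any port-knocking tool, showing the two halves of the scheme described in sections 1.0 and 2.0: the server-side sequence tracker (one entry per source address, a 10-second window, reset on any out-of-order port, as with a scan) and a plain TCP knock client. Assumptions not in the original: the daemon is fed one event per inbound SYN as (source IP, destination port, timestamp), the protected service is sshd on port 22, and the "open" action is an iptables rule that is only built, not executed. The IP addresses and events are constructed for the demonstration.

```python
"""Port-knock sequence tracking plus a TCP knock client (added example)."""
import socket
import time

KNOCK_SEQUENCE = (1337, 31337, 13375)   # the page's example sequence
WINDOW_SECONDS = 10.0                   # whole sequence must land inside this
PROTECTED_PORT = 22                     # assumed: sshd is the hidden service


class KnockTracker:
    """Tracks knock progress per source address, like a minimal knockd."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = sequence
        self.window = window
        self.progress = {}   # src_ip -> (index of next expected port, time of first hit)

    def hit(self, src_ip, dport, now):
        """Feed one inbound SYN; return True when src_ip completes the sequence."""
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now          # too slow: start over
        if dport != self.sequence[idx]:
            # Any unexpected port (e.g. port-scan noise) resets the sequence.
            self.progress.pop(src_ip, None)
            if idx == 0:
                return False
            # The stray hit may itself be the first port of a fresh attempt.
            return self.hit(src_ip, dport, now)
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False


def open_rule(src_ip, port=PROTECTED_PORT):
    """iptables command admitting src_ip to the hidden port (assumed firewall layout).

    Only the argv is built here; a real daemon would run it and remove it later.
    """
    return ["iptables", "-I", "INPUT", "-s", src_ip, "-p", "tcp",
            "--dport", str(port), "-j", "ACCEPT"]


def knock(host, sequence=KNOCK_SEQUENCE, delay=0.5, timeout=0.3):
    """Client side: one TCP connect attempt (a SYN) per port, in order.

    The ports are expected to be closed or filtered; the RST or timeout does
    not matter, the SYN has already reached the firewall.
    """
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect_ex((host, port))   # error code instead of exception
        s.close()
        time.sleep(delay)            # keep the knocks in order on the wire


def replay(events):
    """Run constructed (src_ip, dport, seconds) events through one tracker."""
    tracker = KnockTracker()
    return [tracker.hit(ip, port, t) for ip, port, t in events]


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    ("203.0.113.5", 1337, 0.0),
    ("203.0.113.5", 31337, 1.0),
    ("203.0.113.5", 13375, 2.0),    # correct sequence -> True
    ("198.51.100.9", 1337, 0.0),
    ("198.51.100.9", 80, 0.5),      # scan noise resets the sequence
    ("198.51.100.9", 31337, 1.0),
    ("198.51.100.9", 13375, 1.5),   # False: it restarted at the 80 hit
    ("192.0.2.7", 1337, 0.0),
    ("192.0.2.7", 31337, 20.0),     # outside the 10 s window -> reset
    ("192.0.2.7", 13375, 21.0),
]

if __name__ == "__main__":
    for (ip, port, t), ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{t:5.1f}s {ip:>13} :{port:<6} -> {'OPEN ' + ' '.join(open_rule(ip)) if ok else 'wait'}")
```

The tracker keys state on the source address, so a scan from a different host cannot break an in-progress knock, but a second 1337 hit from the same host mid-sequence restarts that host's attempt rather than failing it outright. A real daemon would take its events from a packet capture or the firewall log, add the rule with a timer to remove it, and ideally vary the sequence (one-time or hashed knocks) so that a captured knock cannot simply be replayed.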


3.0 - Windows


For Windows, after you install nmap you will need to edit the system environment variables, found here:

My Computer -> Properties -> Advanced system settings -> Environment Variables -> System variables

Once inside the system variables, add the nmap install directory to the Path variable. This makes your command shell look in the nmap directory for any executables you try to run from it.


3.1 - Example:


Append ";c:\Program Files\Nmap" to the Path variable. When you type nmap.exe or nmap, the shell searches the nmap directory for it, so you can be in any working directory and still use nmap. An excellent resource is http://portknocking.org, which has a tonne of information as well as an easy tool to download and play with. An example knock sequence from ErrProne can be found at http://pastebin.com/7ZEVBxCD