Port Knocking

#definition

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single “knock” is needed, consisting of an encrypted packet.

https://github.com/pha5matis/Pentesting-Guide/blob/master/port_knocking.md
When you “knock” on a port you are really just sending TCP-packets with SYN-flag to that port. The closed port will then respond with a ACK/RST. This basically means that the host has received the TCP-packet and - it ACKnolwdge it, but responds with a Reset (RST) flag.

RST just means that the port is closed.

#nmap-knock

+ Nmap & Bash.
for x in 4000 5000 6000; do
nmap -Pn **--host-timeout** 201 **--max-retries** 0 -p $x $IP;
done
ssh User@$IP -p “port”

#netcat-knock

+ Netcat.
nc 192.168.1.102 4000
nc 192.168.1.102 5000
nc 192.168.1.102 6000
nc 192.168.1.102 8888
ssh User@$IP -p “port”

we can even use the native knock tool

#knock-tool

# default example
knock target.example.com 7000 8000 9000      # sends TCP knocks

# specify UDP
knock -u target.example.com 7000 8000 9000

#example-config

Example server config (/etc/knockd.conf)

[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 10
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 10
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT