http://www.portknocking.org/view/implementations

This is a list of port knocking implementations from the official webs
project name | author | date | language | platform | notes
---|---|---|---|---|---
advanced port knocking suite | Renaud Bidou | 9/2004 | Perl | *NIX | "The Advanced Port Knocking Suite is a multi-purpose tool based on connectionless TCP communications. It allows to launch commands, transmit data (with DES encryption support) as soon as a specific packet or a sequence of specific packets is received by the server. One of the advantages is that TCP ports involved in packet capture are closed. It includes two parts: a server (apks) which listens to packets on the wire and performs configured actions and an optional client (apkc) which helps building packets according to scenarii." Excerpt from http://www.iv2-technologies.com/~rbidou/
barricade | Francesco Vannini | 5/2004 | C | *NIX | "[barricade is] a simple implementation of the port knocking method aimed to open your network service or firewall only if a special icmp echo request packet is sniffed from the network interface. After the last valid packet received, barricade waits for a defined amount of time, then it closes your firewall or stops your services. There is a client included in the package called barricade_client that helps you to create special icmp packets containing the password." Debian package (Woody) is available. Excerpt from http://www.lightning.eu.org/barricade/
cd00r | FX | 6/2000 | C | *NIX | "cd00r.c is a working proof-of-concept code for a not listening remote shell on UN*X systems. The idea is to set up a listener in non-promiscuous mode which is looking for a specific sequence of packets arriving on this interface before actually opening any kind of listener. This sequence can be any kind of IP traffic - we use SYN packets in this example - and therefore provides a thick extra layer of obscurity." Excerpt from http://www.phenoelit-us.org/stuff/cd00r.c
cerberus | Dana Epp | 1999 | ? | *NIX | "[Cerberus is] an ICMP listening daemon that would look for specially crafted packets. When a pattern within the icmp type 8 packet (ping) was found, a simple but effective auth lookup can be performed and then action can be taken based on authorized rights for the requesting party. I have used this technique for years. It allows me to send a single ping anywhere in the world and have machines execute code without having to actually log in. I use this to open up firewall ports dynamically (kinda like what traditional port knockers do), run Nessus and nmap scans against targets while in the field and even use it to establish point to point VPN with FreeSwan. It has been very beneficial to be on a client site, and be able to use my WAP enabled phone to connect to a page with a perl backend with Net::RawIP, enter in an IP of the client's outside port and have a complete scan report sent to his email while sitting in a meeting." Uses crafted ICMP packets and one-time passwords. See the presentation by Scorpion Software discussing Dana's Cerberus, "Introduction to Cerberus: Port knocking with covert packets to secretly open your firewall". Excerpt from http://silverstr.ufies.org/blog/archives/000625.html
COK | David Worth | 2004 | JAVA | *NIX | "Port-knocking has recently become a popular concept, and a common source of discussion. Many groups and communities have argued about the importance and viability of port-knocking as a security concept, or as an additional security measure. One of the main complaints about port-knocking is that one can implement trivial replay attacks against any static port-knocking system. This problem can be remedied by implementing a cryptographic system in tandem with traditional port-knocking ideas. One of the simplest means of implementing a cryptographic port knock is by using a one-time-password system (OTP or s/key). Such a system has been implemented in COK, which is trivially extensible, and flexible enough to be useful in a production environment, which will allow for port-knocking from public locations with a minimum amount of pain." Implements one-time passwords and covert DNS knocks. Excerpt from http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-worth-up.pdf
combo | Jon Snell | 2002 | C | *NIX |
cryptknock | Joe Walko | 6/2004 | C | *NIX | "Cryptknock is an encrypted port knocking tool. Unlike other port knockers which use TCP ports or other protocol information to signal the knock, an encrypted string is used as the knock. This makes it extremely difficult for an eavesdropper to recover your knock (unlike other port knockers where tcpdump can be used to discover a port knock). Encryption of the knock string is performed with RC4 using a secret key derived from a Diffie-Hellman key agreement. The entire process takes 3 UDP packets. Data is read using libpcap, so no UDP or TCP ports need to be in a listening state for the program to work." Excerpt from http://cryptknock.sourceforge.net/
Doorman | JB Ward | 6/2003 | C | Suse | "This particular implementation deviates a bit from ... [Martin Krzywinski's] original [port knocking] proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number." Client available for Windows; client tested on FreeBSD, NetBSD, OpenBSD, and Mac OS X. Excerpt from http://doorman.sourceforge.net/
fwknop | Michael Rash | 6/2004 | C, Perl | *NIX | "fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist; it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon. fwknop supports shared, multi-protocol port knock sequences along with both relative and absolute timeouts, and coded port knock sequences encrypted with the Rijndael block cipher." fwknop = firewall knock operator; see Michael Rash's presentation "Advanced Netfilter, Content Replacement ala Snort_inline, and Port Knocking Based on Passive OS Fingerprinting"; see also p0f by Michal Zalewski in this table. Excerpt from http://www.cipherdyne.org/fwknop/
? | Korotkov Eugeny | 10/2003 | BASH | *NIX | An unnamed bash script posted to a Russian forum.
? | Boyce Michael C | | BASH | *NIX | "relies on cut, awk, iptables, bash and a significant amount of user customization required. It uses several scripts that work together to make the program run as a daemon and allow easier customization for different systems. It should be relatively easy to adapt for systems that don't use IP Tables but testing has not been done with it." Excerpt from http://www.phantomcode.com/bashiptableportknocking/
helldoor | Timothy Redaelli | 2/2005 | C | *NIX | "sniffing, non binding, reverse connect, backdoor; based on cd00r by fx@phenoelit.de" Excerpt from http://utenti.gufi.org/~drizzt/codes/helldoor
ipt_pkd, ipt_recent | Eric Estabrooks | 2008 | C/python | Ubuntu/Debian/Sidux | "The knock packet is a sha256 of a timestamp, some random bytes, a small header, and a shared key sent via udp. The timestamp and the bytes are passed in the packet so the server can do the sha256 and compare the results. If it's a match then the pkd module returns true, otherwise false." ipt_pkd is a port knock detector which, when used in conjunction with ipt_recent, gives you a decent port knocking system that's based in iptables. Excerpt from ftp://ftp.urbanrage.com/pub/c/pkd-latest.tgz
It's Me (IM) | Richard Prinz | 7/2004 | ? | Windows | "IM is a Windows portknocking client. IM does not need to be installed. Just place the binary and config file wherever you want it, for example on a USB stick and you are done. IM has the following features: Knock sequences up to 1024 knocks, up to 1024 variable user parameters, variable parameters for date/time/IP, checksum, Blowfish encryption, no installation necessary, creates a default config file if none exists, small footprint (about 20k) - ideal for removable media like USB sticks or Floppies." Precompiled binary for Windows. Excerpt from http://www.min.at/port/
jPortKnock | Paul Gregoire | 2/2004 | Java | Java VM | "The code currently supports what I call an -active- mode, wherein a single port is opened (the first port in the sequence) to listen for initial connections. If a connection is received then the second port is opened and a connection from the initiator is listened for... this continues until the sequence is completed. A final port is opened if the same initiator has successfully completed the sequence; this is the port that is used as a tunnel or end-point for their requested service." Excerpt from https://jportknock.dev.java.net/
knockd | Judd Vinet | 4/2004 | C | *NIX, Windows client | "knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access." Debian/RPM packages are available. Excerpt from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
knockd.py | Marilen Corciovei | 1/2004 | Python | Linux/ipfw | "This is a simple implementation of the port knocking principle in python on a FreeBSD simple. It can be used as a starting point for a more complex system or just as a simple example of the principle." Excerpt from http://www.len.ro/down/knockd.py
knockknock | Moxie Marlinspike | 2009 | Python | *NIX | "For every server that is going to be running knockknock-daemon, you run knockknock-genkeys on that server to generate its encryption and MAC keys. You install the server's keys on every client that is going to have permission to connect to the server. You run knockknock-daemon, which simply tails kern.log. It doesn't bind to any sockets, or load libpcap and inspect every packet. When you want to open a port from a client, you run sendknock, which sends a single SYN packet to the server. The packet's IP and TCP fields are encoded to represent an IND-CCA secure encrypted request to open a specified port to a specified IP address. You connect to the now-open port on the server. The port closes behind you and doesn't allow any new connections." Excerpt from http://www.thoughtcrime.org/software/knockknock/
KnockKnockServer | Stefan Miklosovic | 2011 | Java | | "KnockKnockServer is a simple Java app which acts as a server for incoming packets as Shamir secrets. If some threshold is reached and some additional conditions are met, we simply do some action at server side (typically opening some port)." Excerpt from https://github.com/smiklosovic/KnockKnockServer
KnockOnD | Oleksandr Tymoshenko | 10/2009 | | iPhone/iPod Touch | "KnockOnD is a simple port knocking client compatible with knockd or any other port knocking server. It supports both UDP and TCP protocols, interpacket delays. Easy to configure and use." Excerpt from http://bluezbox.com/knockond.html
ostiary | Ray Ingles | 10/2003 | C | *NIX, Windows, Palm OS | "It is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands. It is designed to do exactly and only what is necessary for this, and no more. The only argument given to the command is the IP address of the client, and only if the authentication is successful." Excerpt from http://ingles.homeunix.net/software/ost/index.html
p0f | Michal Zalewski | 8/2003 | C | *NIX, Windows | "p0f is a versatile passive OS fingerprinting and masquerade detection utility, to be used for evidence or information gathering on servers, firewalls, IDSes, and honeypots, for pen-testing, or just for the fun of it. It is a complete rewrite of p0f version 1 that used to be maintained by William Stearns." Precompiled binaries for Windows and an ARM port are available. Excerpt from http://lcamtuf.coredump.cx/p0f.shtml
pasmal | James Meehan | 2/2004 | C | *NIX | "When it receives a sequence of ICMP or TCP packets to any port (open/closed), it will issue a command on the server. It uses a "smokescreen frame" that features encrypted authentication packets for avoiding sniffers, as well as a TCP/UDP key for remotely activating the system." Excerpt from http://www.sourceforge.net/projects/pasmal/
phpKnockClient | Paolo Casarini | 12/2009 | | php-compatible | "A port-knocking client implementation in PHP inspired by the knockd C implementation made by Judd Vinet." Excerpt from http://www.casarini.org/blog/free-software/phpknockclient
Port Knock | Danny Sung | 2010 | | iPhone | "This app is ideal if you're on a WiFi network but don't have a port knocker on the available computers. If you're sitting behind a NAT, the iPhone/iPod Touch will have the same IP as any of the other computers on your network. This is also great to use with TouchTerm or any other ssh or telnet software for the iPhone. Just give it the hostname and a list of ports, and whether you want it to send TCP or UDP packets." Excerpt from http://www.sungheroes.com/products/portknock-iphone/
Port Knock Lite | Danny Sung | 06/2010 | | iPhone | "This application is a simple port knocker for the iPhone, generally useful only to network administrators. You must have a port knock daemon running on your server for this application to be useful." Excerpt from http://www.sungheroes.com/products/portknocklite-iphone/
Port Knock Lite | Danny Sung | 2009 | | iPod/iTouch | "This is a very simple [client] port knocker for the iPhone/iPod Touch." Excerpt from http://www.dannysung.com/main/?q=node/25
Port Knocking Suite | Marcello Greco, Alessandro Barenghi | 12/2004 | C | Linux, 2.4 kernel | "[The] implementation uses a kernel module to listen for incoming packets, then communicates with a daemon through a character device and the daemon instructs iptables on which hosts to accept connections from." Excerpt from http://digilander.iol.it/grecom
portkey | Tony Smith | 8/2004 | C++ | *NIX | "Portkey is an implementation of a port-knocking daemon. It's simple, reliable and requires no special clients - telnet is fine. It supports knocks on any valid TCP port in the range 1-65535 and supports key sequences of arbitrary lengths. Portkey runs only on Linux at the present time (though that may change), and is only compatible with iptables based firewalls. It is firewall friendly: all the permissions granted to portkeyd clients are encapsulated in a specific chain that is created as required. If you restart your firewall, all the existing rules will be lost, but knocking again will recreate them." Excerpt from http://www.smee.org/software/portkey/
PortKnocker | Simon Drabble | 01/2010 | | Android | "A portknock client. Uses the four-knock protocol. Support for multiple knock configurations." Excerpt from http://www.androidzoom.com/android_applications/tools/portknocker_cvbc.html
PortKnocker | Stephen Paine | 12/2009 | | Android | "This application allows people (who are running a port knock daemon) to send TCP or UDP packets to the specified ports. Based off the other app PortKnocking, but faster." Excerpt from http://www.androidzoom.com/android_applications/tools/portknocker_bkhk.html
PortKnocker.pl | James Lawrie | 09/2010 | perl | | "This script is a very basic implementation of a port knock daemon, which listens for the knocks (using iptables logging) and handles iptables accepts/rejects as necessary. It uses forking for each knock sequence check, which in some ways was a bad idea and is unlikely to be necessary." Excerpt from http://jdlawrie.co.uk/scripts/PortKnocker.txt
reverse remote shell | Michel Blomgren | 5/2004 | C | *NIX | "rrs is a reverse (connecting) remote shell. Instead of listening for incoming connections it will connect out to a listener (rrs in listen mode). The listener will accept the connection and receive a shell from the remote host. rrs features full pseudo-tty support, full OpenSSL support (high encryption, client/server authentication, choice of cipher suites), Twofish encryption, a simple XOR cipher, plain-text (unencrypted) session, peer-side session monitoring (snooping), daemon option and reconnection features. rrs is Free Software distributed under the MIT License and is known to compile and run under Linux, FreeBSD, NetBSD, OpenBSD and QNX." Excerpt from http://www.cycom.se/dl/rrs
SA | Claes M Nyberg | 8/2001 | C | *BSD, Linux, SunOS, Windows NT/2k/XP |
sig2knock | Cappella and Tan Chew Keong | 2004 | C | *NIX, Windows | "Our implementation of port knocking is designed to overcome the issues mentioned above. In particular, we do not require the port knock sequence to be fixed and pre-defined. We also randomize the "hidden" port, so that each correctly received knock sequence will cause the server to open a random port for the client. In other words, the SSH service can be accessed via a different port each time. This significantly reduces the possibility of the adversary finding and attacking the SSH service." See the presentation/article combination by Chew Keong Tan and Ching Tim Meng, "Remote Server Management Using Dynamic Port Knocking and Forwarding". Excerpt from http://www.security.org.sg/code/portknock1.html
tariq | Ali Al-Shemery | 05/2010 | python | | "Tariq is a new hybrid port-knocking technique, that uses Cryptography, Steganography, and Mutual Authentication to develop another security layer in front of any service that needs to be accessed from different locations around the globe. Tariq was developed using python and scapy to fulfil my Ph.D. Research. We had to use a new methodology that can communicate in an unseen manner, making TCP Replay Attacks hard to be issued against Tariq. We also wanted the implementation to listen to no ports, or bind itself to no socket for packets exchange, so that Tariq won't expose himself to a remote exploit. Tariq relies completely on Packet Crafting, as all packets sent and received are crafted to suit our needs." Excerpt from http://code.google.com/p/tariq/
temprules | Shachar Shemesh | 12/2004 | BASH | *NIX | "Temprules is intended to allow expiring rules. The usage scenario described here is meant primarily to explain how to quickly set the system up. The usage scenario chosen is of using port knocking to open up SSH for outside action. At the moment, trcreate only supports creating from scratch. A future option will allow it to only recreate the expiring parts of the configuration. For the time being, it's assumed that iptables-save is used to store the resulting firewall rules AFTER trcreate has done its part." Excerpt from http://sourceforge.net/projects/temprules
TocToc | 0ldW0lf | 2001 | Perl | Linux, FreeBSD |
tumbler | John Graham-Cumming | 10/2004 | Perl, JAVA | *NIX | "tumbler is a protocol that enables a client piece of software to securely tell a server process on a remote machine to execute a predetermined command. tumbler is similar to port knocking and is designed so that a remote user can securely and stealthily enable and disable server processes, or open and close firewall holes on a computer connected to the Internet. It differs from port knocking in the following ways: (1) Uses a single port: the tumblerd listens on a single UDP port for a single UDP datagram containing the 'knock' on the door. (2) Secure: the 'knock' is an SHA-256 hash that includes a shared secret (similar to a password) and other information to prevent spoofing and replay attacks. (3) Generic: the 'knock' can cause any command to be executed and is not limited to firewall reconfiguration. There are two implementations available: one is in Perl and provides both a client (tumbler) and daemon (tumblerd); the other is in Java and provides an API for generating knocks." Java implementation by Marty Lamb. Excerpt from http://tumbler.sourceforge.net/
web-spa: single request authentication web knocking | Yiannis Pavlosoglou | 2011 | Java | | "WebSpa is a Java client/server implementation for sending a single HTTP request in order to authorise a system command to be executed server-side for a particular user. This is equivalent to port-knocking on the web layer, but with much more control: All commands must be pre-defined and have a time-window of execution. What's more, all users have to be registered and authorised to run any given action." Excerpt from http://code.google.com/p/web-spa/
webknocking | Stefan Lebelt | 3/2005 | PHP | *NIX | "Send the knocking-sequence by simply calling the set webpages page by page with the webbrowser of your choice." Web page currently only in German; requires Apache/PHP and ipfw. Excerpt from http://www.webknocking.de/semaphor.php?item=webknocking_en
Windows Port Knocking Daemon | Ferruh Mavituna | 2008 | VB.NET | Windows | "Listens for sequences and executes a function with source IP Address." Proof-of-concept. Excerpt from http://ferruh.mavituna.com/opensource/portknocking/dramabridge.txt
winKnocks | Ivano Malavolta | 6/2009 | Java | Windows | "An encrypted (DES) port knocking tool. Knock sequences are defined through XML files; users specify: number of packets of each knock sequence, payload and header of each packet. Logging capability. Generation of smoke packets. No replay-attack." Excerpt from http://winknocks.sourceforge.net/
winportknocking | Mike Aiello | 10/2004 | C++ | Windows |
wknock | Laurent Oudot | 3/2005 | C | Linux OpenWRT routers | "WKnock is a proof of concept that aims at hiding WLAN Access Point by using Knocking technologies. The tool could be seen as the equivalent of Port Knocking but for the WLAN world." WKnock is a GPL tool that allows you to hide your Access Point against opportunistic attackers (wardrivers, etc). Excerpt from http://www.rstack.org/oudot/wknock/