
Knockd 0.5

Posted: Mon Oct 08, 2012 1:22 pm
by bob selby
I have this working with 3 ports but they are fairly commonly used ports so not so secure as I'd like.

The problem is that the firewall at the remote site I need to gain access from is screwed down so tight it squeaks! And I'm having difficulty finding out what they allow out.

Is there a way I can see what is making it through to my 040 box? I have turned on the "-v" option (in addition to the existing "-D" option) but it doesn't seem to make much difference to the level of reporting.

Can anyone suggest a way to figure out accessible ports?

I guess I could put wireshark with a hub on the incoming link - but the volume of cr*p I'd have to filter through would be huge.


Re: Knockd 0.5

Posted: Mon Oct 08, 2012 6:59 pm
by Lightning
hping would probably be a good program to use on the remote site. You could use it in conjunction with a shell script like this.

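Code:
i=1   # first port to try (assumed; the posted script never initialises i)
while :
do    # send a single probe to port $i and discard hping's output
      hping FREESCO-URL -c 1 -p $i >/dev/null 2>&1
      # when hping exits with status 0, log the port and echo it
      [ $? = 0 ] && echo $i >>/active_ports.txt && echo -n " $i"
      i=`expr $i + 1`
      [ $i -ge 47000 ] && break
done
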
Actual service ports such as 22 and 80 may or may not be shown as active even though they really are.

But even if you only have three ports you can use, you can use any port any number of times. So something like port 22 or 23 five times in a row could be a good initial filter if mixed with other ports.

Re: Knockd 0.5

Posted: Wed Oct 24, 2012 8:44 am
by bob selby
All working now :-)

I have found that port 443 (https) is also open from the remote site but 8080 is not - and with the other common ones that are open I feel I have a reasonably secure setup now :-)

One thing I have noticed is that it is advisable to avoid patterns that start and end the same or knockd gets confused - so don't be tempted to try 80,21,433,80 to open and 80,433,21,80 to close - (80,21,80,433 and 443,80,21,80 is fine).

Also avoid sequential ascending patterns like 21,22,23 (fairly obvious really since that is how port scanners operate).
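
The sequence advice in the last post, written as a small linter for knockd.conf. This is an added example, not code from the thread or from the knockd project; the sample config, its section names and its command paths are constructed for illustration.

```python
import configparser

# Constructed sample knockd.conf; section names, ports and commands are illustrative.
SAMPLE_CONF = """
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence    = 80,21,443,80
seq_timeout = 10
command     = /usr/local/bin/open-ssh.sh %IP%

[closeSSH]
sequence    = 443,80,21,80
seq_timeout = 10
command     = /usr/local/bin/close-ssh.sh %IP%

[openWeb]
sequence    = 21,22,23
command     = /usr/local/bin/open-web.sh %IP%
"""

def parse_sequence(value):
    """Return the port numbers of a sequence, dropping any :tcp/:udp suffix."""
    return [int(item.split(":")[0]) for item in value.split(",") if item.strip()]

def lint_sequence(ports):
    """Return the warnings from the thread that apply to one knock sequence."""
    warnings = []
    if len(ports) > 1 and ports[0] == ports[-1]:
        warnings.append("starts and ends on the same port")
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if steps and all(step == 1 for step in steps):
        warnings.append("sequential ascending ports")
    return warnings

def lint_knockd_conf(text):
    """Map each section that has a 'sequence' key to its list of warnings."""
    conf = configparser.ConfigParser(interpolation=None)  # keep %IP% literal
    conf.read_string(text)
    return {name: lint_sequence(parse_sequence(conf[name]["sequence"]))
            for name in conf.sections() if "sequence" in conf[name]}

if __name__ == "__main__":
    for section, warnings in lint_knockd_conf(SAMPLE_CONF).items():
        print(section, "->", "; ".join(warnings) or "ok")
```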