Port Knocking

Detecting and executing port knock sequences to open hidden services.


Detect port knocking

Look for knockd configuration — Reveals the knock sequence

cat /etc/knockd.conf
Example Output
[openSSH]
    sequence = 7000,8000,9000
    seq_timeout = 5
    command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Knock with nmap

Send SYN packets to ports in sequence

for port in 7000 8000 9000; do nmap -Pn --host-timeout 100 --max-retries 0 -p $port $IP; done

Knock with knock client

Dedicated knock client — Clean and simple

# apt install knockd
knock $IP 7000 8000 9000
ssh user@$IP

Knock with nc or bash

No tools needed

# nc:
for port in 7000 8000 9000; do nc -zw1 $IP $port; done
# bash:
for port in 7000 8000 9000; do echo >/dev/tcp/$IP/$port 2>/dev/null; done

Find knock sequences

If you can't read knockd.conf

iptables -L -n
ps aux | grep knock
cat /home/*/.bash_history | grep -i knock