Port Knocking



In the last few decades, IT companies, government sites and health care agencies have been hit by cyber attacks that severely damaged their business and their customers' trust. Innocent IT admins are the ones who face the wrath of the hackers.

The main motive of the hackers is to compromise the server either to steal sensitive information or to deface the website with illicit content. Hackers often use tools like nmap to do automated scans to identify open ports and services before they attack a server.

So today we will discuss port knocking, which is a great way to hide your services and frustrate the hackers.

You all know the old gangster films where a guy uses a knock sequence on a door to get in? Port knocking is exactly that, only for your server.

The primary purpose of port knocking is to prevent a hacker from discovering potentially exploitable services with a port scan: unless the attacker sends the correct knock sequence, the protected ports appear closed.

What is Port Knocking?

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).


[Image: Cybervault - Port knocking attack]

The essence of why 'port knocking' is a thing is that people like to hack, and people don't like to get hacked but still want vulnerable services to run. Let's say you want the SSH service enabled on your server on port 22, but you're tired of getting pwned because your password stinks. There is actually a way to hide this service until a specific combination of 'ports' is 'knocked' on your server.

So how would you 'knock' on the 'ports' you want?

The technique is pretty simple; you just have to send a TCP packet to a specific combination of ports in a specific order to OPEN a new port (your hidden SSH).

You can also configure your knocking sequence to have not only an OPEN sequence but also a CLOSE sequence.

Let’s see an example how it works!

By default, the SSH service runs on port 22. In this example the SSH service is hidden on port 1337.

For the steps to hide the SSH port, see the link below:

Link: https://www.howtoforge.com/tutorial

It walks through configuring port knocking on an Ubuntu server. Once that is done, run a port scanner; let's take nmap, the most popular network scanning tool, to identify open ports and services. The nmap result will not show any SSH service running on the server, because it is hidden. Before we knock, let's confirm that our SSH port is, in fact, currently closed.

Type the command you usually use to connect to the server:


ssh: connect to host server_ip_address port 1337: Operation timed out

You should receive no response from the server and the SSH client should timeout.

Type Ctrl+C to end the SSH attempt if it does not time out automatically.

Because of the sequence timeout parameter that is set, we actually have a very limited amount of time to hit the correct sequence. We will use a small, in-line bash script to knock on these ports quickly.

From your local machine, type a command like this:

for x in 2000 3000 4000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done

In the command, adjust the three numbers to match the sequence you selected (here "2000 3000 4000") to OPEN the SSH port. Change server_ip_address to reflect the address of your server.

This will call nmap sequentially on all of the ports you listed. Alternatively, you can knock to OPEN the port using a telnet client. Type the following commands in your command prompt:

$telnet server_ip_address 2000

$telnet server_ip_address 3000

$telnet server_ip_address 4000

You have to do all this within 5 seconds, because that is the time limit imposed by the configuration. Now rescan using nmap and you will see the SSH service open on 1337. Try connecting to your server via SSH on port 1337. Voila! You will be able to connect.

Now we will knock to close the SSH port using the telnet client. Adjust the three numbers to match the sequence you selected (here "4000 3000 2000") to CLOSE the SSH port.

Type the following commands in your command prompt:

$telnet server_ip_address 4000

$telnet server_ip_address 3000

$telnet server_ip_address 2000

OR type a command like this:

for x in 4000 3000 2000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done

Rescan with nmap and you won't see the SSH service OPEN, as it got CLOSED after we ran the reverse sequence.
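To make the server side of the OPEN and CLOSE procedures above concrete, here is an added example (written for this page, not code from the original article, from knockd or from nmap) in Python. It is a simplified model of a knock daemon: it consumes the TCP SYNs a scanner or a knocking client sends, tracks each source address's progress through the 2000/3000/4000 OPEN sequence and the 4000/3000/2000 CLOSE sequence with the 5-second window from the article, and records which sources are currently allowed to reach the hidden SSH port 1337. A knock on the wrong port, or a sequence that takes longer than the window, resets that source's progress, which is the failure mode a slow or out-of-order knock runs into. The class and function names, and the SYN event records at the bottom, are constructed for this example; a real daemon would insert and delete firewall rules where the comments say so.

```python
"""Simplified model of a port-knocking daemon (added example, not knockd itself).

Each TCP SYN is reported as (source IP, destination port, timestamp in seconds).
The daemon advances a per-source state machine for the OPEN and CLOSE sequences
and keeps the set of sources currently allowed to reach the protected port.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OPEN_SEQUENCE = (2000, 3000, 4000)   # knock order that opens the hidden port (from the article)
CLOSE_SEQUENCE = (4000, 3000, 2000)  # reverse order closes it again (from the article)
SEQ_TIMEOUT = 5.0                    # seconds allowed for a whole sequence (from the article)
PROTECTED_PORT = 1337                # where SSH actually listens (from the article)


@dataclass
class _Progress:
    """Per-source progress through one named sequence."""
    index: int = 0        # position of the next expected knock in the sequence
    started: float = 0.0  # timestamp of the first correct knock of this attempt


@dataclass
class KnockDaemon:
    """Tracks knock sequences and the resulting per-source firewall allowances."""
    allowed: Set[str] = field(default_factory=set)  # sources allowed to reach PROTECTED_PORT
    _progress: Dict[Tuple[str, str], _Progress] = field(default_factory=dict)

    def _advance(self, name: str, sequence: Tuple[int, ...], src: str,
                 port: int, now: float) -> bool:
        """Feed one knock into the named sequence; return True when it completes."""
        key = (src, name)
        prog = self._progress.get(key, _Progress())
        # An attempt that has exceeded the window is discarded (the seq_timeout idea).
        if prog.index > 0 and now - prog.started > SEQ_TIMEOUT:
            prog = _Progress()
        if port == sequence[prog.index]:
            if prog.index == 0:
                prog.started = now
            prog.index += 1
        elif port == sequence[0]:
            # Wrong port, but it is a valid first knock: restart from here.
            prog = _Progress(index=1, started=now)
        else:
            # Wrong port: the source must start the sequence over.
            prog = _Progress()
        if prog.index == len(sequence):
            self._progress.pop(key, None)
            return True
        self._progress[key] = prog
        return False

    def on_syn(self, src: str, dport: int, now: float) -> Optional[str]:
        """Handle one TCP SYN. Returns 'open', 'close', or None if nothing changed."""
        opened = self._advance("open", OPEN_SEQUENCE, src, dport, now)
        closed = self._advance("close", CLOSE_SEQUENCE, src, dport, now)
        if opened:
            self.allowed.add(src)      # a real daemon inserts a firewall ACCEPT rule for src here
            return "open"
        if closed:
            self.allowed.discard(src)  # and deletes that rule on the CLOSE sequence
            return "close"
        return None

    def port_visible(self, src: str, dport: int) -> bool:
        """What a scanner at `src` sees: the protected port answers only after a valid knock."""
        return dport == PROTECTED_PORT and src in self.allowed


def replay(events: List[Tuple[str, int, float]]) -> List[str]:
    """Replay (src, dport, time) SYN events and return the resulting state changes."""
    daemon = KnockDaemon()
    changes = []
    for src, dport, t in events:
        result = daemon.on_syn(src, dport, t)
        if result:
            changes.append(f"{t:.1f}s {src} {result}")
    return changes


if __name__ == "__main__":
    # Constructed sample traffic: one client knocks correctly, then closes again;
    # the same source later knocks too slowly, which never opens the port.
    sample = [
        ("198.51.100.7", 2000, 0.0), ("198.51.100.7", 3000, 0.5), ("198.51.100.7", 4000, 1.0),
        ("198.51.100.7", 4000, 2.0), ("198.51.100.7", 3000, 2.5), ("198.51.100.7", 2000, 3.0),
        ("198.51.100.7", 2000, 10.0), ("198.51.100.7", 3000, 13.0), ("198.51.100.7", 4000, 16.0),
    ]
    for line in replay(sample):
        print(line)
```

Note that the allowance is per source address, so a second scanner that has not knocked still sees port 1337 as closed even while the knocking client is connected, which is the behaviour the nmap rescans in the article are checking for.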

The best part of port knocking is that you can configure it alongside private key authentication. If you configure both, there is virtually no chance that someone could gain access unless they know both the port sequence and the private key.


References:

https://www.howtoforge.com/tutorial/how-to-use-port-knocking-to-hide-the-ssh-port-from-attackers-on-ubuntu/

https://en.wikipedia.org/wiki/Port_knocking



4G LTE attacks

The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.


Wifi Security Protocols

In today's world Wi-Fi has become an essential part of our daily routine, but wireless networks are not secure in this digital age either.