Implementations

"The Advanced Port Knocking Suite is a multi-purpose tool based on connection less TCP communications. It allows to launch commands, transmit data (with DES encryption support) as soon as a specific packet or a sequence of specific packets is received by the server. One of the advantages is that TCP ports involved in packet capture are closed. It includes two parts : a server (apks) which listens to packets on the wire and perform configured actions and an optional client (apkc) which helps building packets according to scenarii."
excerpt from http://www.iv2-technologies.com/~rbidou/

"[barricade is] a simple implementation of the port knocking method aimed to open your network service or firewall only if a special icmp echo request packet is sniffed from the network interface. After the last valid packet received, barricade waits for a defined amount of time, then it closes your firewall or stops your services. There is a client included in the package called barricade_client that helps you to create special icmp packets containing the password."
excerpt from http://www.lightning.eu.org/barricade/

"cd00r.c is a working proof-of-concept code for a not listening remote shell on UN*X systems. The idea is the set up a listener in non-promiscuous mode which is looking for a specific sequence of packets arriving on this interface before actually opening any kind of listener. This sequence can be any kind of IP traffic - we use SYN packets in this example - and therefor provides a thick extra layer of obscurity."
excerpt from http://www.phenoelit-us.org/stuff/cd00r.c

"[Cerberus is] a ICMP listening daemon that would look for specially crafted packets. When a pattern within the icmp type 8 packet (ping) was found, a simple but effective auth lookup can be performed and then action can be taken based on authorized rights for the requesting party. I have used this technique for years. It allows me to send a single ping anywhere in the world and have machines execute code without having to actually log in. I use this to open up firewall ports dynamically (kinda like what traditional port knockers do), run Nessus and nmap scans against targets while in the field and even use it to establish point to point VPN with FreeSwan. It has been very beneficial to be on a client site, and be able to use my WAP enabled phone to connect to a page with a perl backend with Net::RawIP, enter in an IP of the clients outside port and have a complete scan report sent to his email while sitting in a meeting."
excerpt from http://silverstr.ufies.org/blog/archives/000625.html

"Port-knocking has recently become a popular concept, and a common source of discussion. Many groups and communities have argued about the importance and viability of port-knocking as a security concept, or as an additional security measure. One of the main complaints about port-knocking is that one can implement trivial replay attacks against any static port-knocking system. This problem can be remedied by implementing a cryptographic system in tandem with a traditional port-knocking ideas. One of the simplest means of implementing a cryptographic port knock is by using a one-time-password system (OTP or s/key). Such a system has been implemented in COK, which is trivially extensible, and flexible enough to be useful in a production environment, which will allow for port-knocking from public locations with a minimum amount of pain."
excerpt from http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-worth-up.pdf

"Cryptknock is an encrypted port knocking tool. Unlike other port knockers which use TCP ports or other protocol information to signal the knock, an encrypted string is used as the knock. This makes it extremely difficult for an evesdropper to recover your knock (unlike other port knockers where tcpdump can be used to discover a port knock). Encryption of the knock string is performed with RC4 using a secret key derived from a Diffie-Hellman key agreement. The entire process takes 3 UDP packets. Data is read using libpcap, so no UDP or TCP ports need to be in a listening state for the program to work."
excerpt from http://cryptknock.sourceforge.net/

"This particular implementation deviates a bit from ... [Martin Krzywinski's] original [port knocking] proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number. "
excerpt from http://doorman.sourceforge.net/

"fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist; it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon. fwknop supports shared, multi-protocol port knock sequences along with both relative and absolute timeouts, and coded port knock sequences encrypted with the Rijndael block cipher."
excerpt from http://www.cipherdyne.org/fwknop/

"relies on cut, awk, iptables, bash and a significant amount of user customization required. It uses several scripts that work together to make the program run as a dameon and allow easier customization for different systems. It should be relatively easy to adapt for systems that don't use IP Tables but testing has not been done with it."
excerpt from http://www.phantomcode.com/bashiptableportknocking/

"sniffing, non binding, reverse connect, backdoor; based on cd00r by fx@phenoelit.de"
excerpt from http://utenti.gufi.org/~drizzt/codes/helldoor

"The knock packet is a sha256 of a timestamp, some random bytes, a small header, and a shared key sent via udp. The timestamp and the bytes are passed in the packet so the server can do the sha256 and compare the results. If its a match then the pkd module returns true, otherwise false."
excerpt from ftp://ftp.urbanrage.com/pub/c/pkd-latest.tgz

"IM is a Windows portknocking client. IM does not need to be installed. Just place the binary and config file wherever you want it, for example on a USB stick and you are done. IM has the following features: Knock sequences up to 1024 knocks, up to 1024 variable user parameters, variable parameters for date/time/IP, checksum, Blowfish encryption, no installation necessary, creates a default config file if non exists, small footprint (about 20k) - ideal for removeable media like USB sticks or Floppies."
excerpt from http://www.min.at/port/

"The code currently supports what I call an -active- mode, wherein a single port is opened (the first port in the sequence) to listen for initial connections. If a connection is received then the second port is opened and a connection from the initiator is listened for.. this continues until the sequence is completed. A final port is opened if the same initiator has successfully completed the sequence, this is the port that used as a tunnel or end-point for their requested service."
excerpt from https://jportknock.dev.java.net/

"knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access."
excerpt from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

"This is a simple implementation of the port knocking principle in python on a FreeBSD simple. It can be used as a starting point for a more complex system or just as a simple example of the principle."
excerpt from http://www.len.ro/down/knockd.py

"For every server that is going to be running knockknock-daemon, you run knockknock-genkeys on that server to generate its encryption and MAC keys. You install the server's keys on every client that is going to have permission to connect to the server. You run knockknock-daemon, which simply tails kern.log. It doesn't bind to any sockets, or load libpcap and inspect every packet. When you want to open a port from a client, you run sendknock, which sends a single SYN packet to the server. The packet's IP and TCP fields are encoded to represent an IND-CCA secure encrypted request to open a specified port to a specified IP address. You connect to the now-open port on the server. The port closes behind you and doesn't allow any new connections."
excerpt from http://www.thoughtcrime.org/software/knockknock/

"KnockOnD is a simple port knocking client compatible with knockd or any other port knocking server. It supports both UDP and TCP protocols, interpacket delays. Easy to configure and use."
excerpt from http://bluezbox.com/knockond.html

"It is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands. It is designed to do exactly and only what is necessary for this, and no more. The only argument given to the command is the IP address of the client, and only if the authentication is successful."
excerpt from http://ingles.homeunix.net/software/ost/index.html

"p0f is a versatile passive OS fingerprinting and masquerade detection utility, to be used for evidence or information gathering on servers, firewalls, IDSes, and honeypots, for pen-testing, or just for the fun of it. It is a complete rewrite of p0f version 1 that used to be maintained by William Stearns."
excerpt from http://lcamtuf.coredump.cx/p0f.shtml

"When it receives a sequence of ICMP or TCP packets to any port (open/closed), it will issue a command on the server. It uses a "smokescreen frame" that features encrypted authentication packets for avoiding sniffers, as well as a TCP/UDP key for remotely activating the system."
excerpt from http://www.sourceforge.net/projects/pasmal/

"A port-knocking client implementation in PHP inspired by the knockd C implementation made by Judd Vinet."
excerpt from http://www.casarini.org/blog/free-software/phpknockclient

"This is a very simple [client] port knocker for the iPhone/iPod Touch."
excerpt from http://www.dannysung.com/main/?q=node/25

"[The] implementation uses a kernel module to listen for incoming packets, then communicates with a daemon through a character device and the daemon instructs iptables on which hosts to accept connections from."
excerpt from http://digilander.iol.it/grecom

"Portkey is an implementation of a port-knocking daemon. It's simple, reliable and requires no special clients - telnet is fine. It supports knocks on any valid TCP port in the range 1-65535 and supports key sequences of arbitrary lengths. Portkey runs only on Linux at the present time (though that may change), and is only compatible with iptables based firewalls. It is firewall friendly: all the permissions granted to portkeyd clients are encapsulated in a specific chain that is created as required. If you restart your firewall, all the existing rules will be lost, but knocking again will recreate them."
excerpt from http://www.smee.org/software/portkey/

"rrs is a reverse (connecting) remote shell. Instead of listening for incoming connections it will connect out to a listener (rrs in listen mode). The listener will accept the connection and receive a shell from the remote host. rrs features full pseudo-tty support, full OpenSSL support (high encryption, client/server authentication, choice of cipher suites), Twofish encryption, a simple XOR cipher, plain-text (unencrypted) session, peer-side session monitoring (snooping), daemon option and reconnection features. rrs is Free Software distributed under the MIT License and is known to compile and run under Linux, FreeBSD, NetBSD, OpenBSD and QNX."
excerpt from http://www.cycom.se/dl/rrs

"Our implementation of port knocking is designed to overcome the issues mentioned above. In particular, we do not require the port knock sequence to be fixed and pre-defined. We also randomize the "hidden" port, so that each correctly received knock sequence will cause to server to open a random port for the client. In other words, the SSH service can be accessed via a different port each time. This significantly reduces the possibility of the adversary finding and attacking the SSH service."
excerpt from http://www.security.org.sg/code/portknock1.html

"Temprules is intended to allow expiring rules. The usage scenario described here is meant primarily to explain how to quickly set the system up. The usage scenario chosen is of using port knocking to open up SSH for outside action. At the moment, trcreate only supports creating from scratch. A future option will allow it to only recreate the expiring parts of the configuration. For the time being, it's assumed that iptables-save is used to store the resulting firewall rules AFTER trcreate has done it's part."
excerpt from http://sourceforge.net/projects/temprules

"tumbler is a protocol that enables a client piece of software to securely tell a server process on a remote machine to execute a predetermined command. tumbler is similar to port knocking and is designed so that a remote user can securly and steathily enable and disable server processes, or open and close firewall holes on a computer connected to the Internet. It differs from port knocking in the following ways: (1) Uses a single port: the tumblerd listens on a single UDP port for a single UDP datagram containing the 'knock' on the door. (2) Secure: the 'knock' is an SHA-256 hash the includes a shared secret (similar to a password) and other information to prevent spoofing and replay attacks. (3) Generic: the 'knock' can cause any command to be executed and is not limited to firewall reconfiguration. There are two implementations available: one is in Perl and provides both a client (tumbler) and daemon (tumblerd); the other is in Java and provides an API for generating knocks."
excerpt from http://tumbler.sourceforge.net/

"Send the knocking-sequence by simply calling the set webpages page by page with the webbrowser of your choice."
excerpt from http://www.webknocking.de/semaphor.php?item=webknocking_en

"Listens for sequences and execute a function with source IP Address."
excerpt from http://ferruh.mavituna.com/opensource/portknocking/dramabridge.txt

"An encrypted(DES) port knocking tool. Knock sequences are defined through XML files; users specify: number of packets of each knock sequence, payload and header of each packet. Logging capability. Generation of smoke packets. No replay-attack."
excerpt from http://winknocks.sourceforge.net/

"WKnock is a proof of concept that aims at hiding WLAN Access Point by using Knocking technologies. The tool could be seen as the equivalent of Port Knocking but for the WLAN world."
excerpt from http://www.rstack.org/oudot/wknock/