Port knocking: a stealthy system for network authentication across closed ports

Port Knocking Lab

Perl prototype: v0.30 (2004-Nov-14 18:59)

  • Net::Pcap support added to sniff packets directly; the daemon no longer requires a firewall log file

Try creating your own encrypted knock sequences. Use the knock sequence maker to experiment with encryption and decryption of the type of information that might be contained in a typical knock sequence. This application does not try to knock or connect to any hosts. Experiment at will.

legend

required for encryption
optional for encryption
required for decryption

To create a knock sequence, enter sufficient information (IP, port, time, etc). To decrypt a knock sequence, enter the encrypted knock sequence (comma or space delimited integer list) and the appropriate minimum port, cipher, and password combination with which the sequence was created.

Figure 1 | This is the port knocking lab. Play with the ciphers to test out how knock sequence encryption works.

fields

Enter the IP address to be included in the knock sequence. This is the client IP address, the host that wants to connect to the server running the knock daemon. For example, if you're connecting from client 142.10.20.30 to server 142.40.50.60, enter "142.10.20.30". (required for encryption)

You can choose to include the IP mask in the knock sequence. For host addresses like 142.10.20.30, which have a mask of 255.255.255.255 (32), you probably don't want to include the mask. The mask should be stored only for network addresses like 66.35.0.0/24, and only if your implementation of the knocking daemon is designed to interpret knocks that carry network masks. (optional for encryption)

Select the port either by (a) choosing a port from the list or (b) entering a custom port value. If both fields are populated, the custom port value takes precedence. The port must be in the range 0-255: currently the knock encryption can only encrypt integers smaller than 256. (required for encryption)

The time flag is an integer that is included in the knock to store additional information. For example, this value may be used to indicate whether you wish to open or close a port. (required for encryption)

The minimum knock port (MINPORT) defines the range of values in the knock sequence. The initial encrypted sequence is in the range [0,255] and is subsequently remapped to [MINPORT,MINPORT+255]. In order to decrypt a knock sequence, you must know the value of MINPORT used to make the sequence. (required for encryption; required for decryption)

Choose the encryption cipher to use. You can use one of Blowfish, DES, IDEA, or Twofish2. It really doesn't matter which one you pick as long as you use the same cipher to decrypt the encrypted sequence. (required for encryption; required for decryption)

The encryption algorithm requires an initialization vector (IV). Use the IV checkbox to generate a random IV and include it in the encrypted sequence. If you choose not to include the IV, a fixed IV (01234567) is used. Using a random IV lengthens the encrypted sequence; with the fixed IV, the same fields and password always produce the same knock sequence, so anyone who has observed the sequence once can recognise it when it is sent again. (optional for encryption)

The password is the key phrase used in the encryption algorithm. You'll need this value to decrypt the sequence. (required for encryption; required for decryption)

sample values

Click on fill with sample values to fill the form with some sample information and create a sample knock sequence.

encrypting

If you've entered all the required information, the encrypted knock sequence will appear in the knock sequence box. The integer list that is encrypted into the knock sequence is shown below that box. For example, if you fill the form with sample values you'll see that the integer list 142 10 20 0 32 22 10 236 (IP 142.10.20.0/32, port 22, time flag 10, checksum 236) encrypts to 689 545 679 673 588 663 511 755 using MINPORT=500, Blowfish and the password "password".

decrypting

If you've entered the sequence and the correct cipher, password and MINPORT value, the form fields will be populated with the decrypted values.
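As an added illustration, not the lab's own Perl code, here is the integer-list layer described under encrypting and decrypting: packing the fields, the checksum, and the MINPORT remapping in both directions. The cipher step between the two is left out (the lab applies Blowfish, DES, IDEA or Twofish2 with a password and IV), and the checksum rule used here, the sum of the other fields mod 256, is an assumption that reproduces the sample's value 236.

```python
import ipaddress

# Assumption (matches the lab's sample): checksum = sum of the other fields mod 256,
# i.e. 142+10+20+0+32+22+10 = 236.
def build_payload(ip, port, time_flag, mask=None):
    """Pack IP octets, optional mask, port and time flag, then append the checksum."""
    octets = list(ipaddress.IPv4Address(ip).packed)  # raises on a malformed address
    fields = octets + ([mask] if mask is not None else []) + [port, time_flag]
    for v in fields:
        if not 0 <= v <= 255:
            raise ValueError(f"value {v} outside 0-255; only single bytes can be encoded")
    return fields + [sum(fields) % 256]

def parse_payload(values, has_mask=False):
    """Inverse of build_payload; rejects a wrong field count or a bad checksum."""
    if len(values) != 7 + (1 if has_mask else 0):
        raise ValueError("unexpected field count")
    *body, checksum = values
    if sum(body) % 256 != checksum:
        raise ValueError("checksum mismatch: wrong cipher, password or MINPORT?")
    return {
        "ip": ".".join(str(o) for o in body[:4]),
        "mask": body[4] if has_mask else None,
        "port": body[-2],
        "time_flag": body[-1],
    }

def to_ports(cipher_bytes, minport):
    """Remap encrypted bytes in [0,255] to knock ports in [MINPORT, MINPORT+255]."""
    return [minport + b for b in cipher_bytes]

def from_ports(ports, minport):
    """Recover the encrypted bytes; a port outside the window cannot be part of a knock."""
    lo, hi = minport, minport + 255
    bad = [p for p in ports if not lo <= p <= hi]
    if bad:
        raise ValueError(f"ports {bad} fall outside [{lo},{hi}]")
    return [p - minport for p in ports]

if __name__ == "__main__":
    # The lab's sample values: 142.10.20.0/32, port 22, time flag 10, MINPORT 500.
    print(build_payload("142.10.20.0", 22, 10, mask=32))
    print(from_ports([689, 545, 679, 673, 588, 663, 511, 755], 500))
```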

limitations and errors

If any of the fields cannot be parsed (e.g. negative port, badly formatted IP address), an informative error will appear. Currently all integer parameters like port and time flags are limited to 0-255.

last updated 2009-Dec-09 14:11
Port Knocking (c) 2002-2014 Martin Krzywinski