Port knocking is a method of communication between two host by externally opening ports on target machine using a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, target host dynamically change rule to allow source host to connect over specific port. Port knocking relies on security through obscurity, its primary purpose is to prevent an attacker from scanning potentially exploitable services by doing port scan.Unless attacker know/guess the correct sequence all the protected ports will appear to be closed.

Implementation of Port knocking sequence is completely random and depends on the implementer.

Port Knocking exlained in 4 steps:

STEP 1: (A)Client cannot connect to application listening on port n;
(B)client cannot establish connection to any port.

STEP 2: (1,2,3,4) client knows about port knocking daemon and connects to a well-defined set of ports in a sequence that contains an encrypted message by sending SYN packets,but receives no acknowledgement during this phase because firewall rules preclude any response.

STEP 3: Server’s port knocking daemon intercepts connection attempts and interprets them as an authentic “port knock”. Based on content of port knock, server perform specific task such as opening port n to client.

STEP 4: Client successfully connects to port n and authenticates using regular mechanism.

Img. Source: http://www.portknocking.org/

Let’s take this and try on a live example.

1.Perform Nmap on machine

nmap -sV 10.10.10.13

As we can see there is no open port on this particular machine. Now lets try to ping it.


Please note there is a difference between Port Unreachable and Host Unreachable.

2. Let’s scan all ports as initial nmap scan was for 1000 ports

nmap -p- 10.10.10.13

Here we got one port 1337/tcp as open.

3. Using netcat try to connect it.

nc 10.10.10.13 1337

By connecting to port 1337 we get an interesting output. Highly likely it’s a series of port numbers.

4. Using hping we’ll try to connect to these ports

hping3 -S 10.10.10.13 -p 56990-c 1; hping3 -S 10.10.10.13 -p 63952 -c 1; hping3 -S 10.10.10.13 -p 56759 -c 1

5. Now again try to do a nmap scan

nmap -sV 10.10.10.13

As we can see hitting ports in a given sequence from Step 3, we are able to open some ports. Now let’s check if they are open.

6. Lets try to login via SSH.

Yes! we are able to reach login prompt for the machine, now all you have to do is try to find a way to get in.. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 3 =