Port knocking in CTFs

Services use open ports to listen connections. When the ports are closed, the services aren’t available, but open ports are prone to attacks.

Adversaries enumerate them to find attack paths.

Port knocking relies on a series of predefined closed ports (or other unique characteristics) to make specific instances available.

Disclaimer

The technique is a bit controversial.

IMHO, it’s the very definition of security by obscurity, so it’s an extra layer of protection at most, but some might use it for defense-in-depth.

In any case, you need to know it to play some CTFs.

N.B.: in real-world conditions, cybercriminals also use the technique to set persistent channels and evade detection.

Can I do classic Recon?

If you are attacking, you might want to scan all ports:

nmap -p- {IP}

However, port knocking is meant to “protect” the system against port scanning, so the protected ports will appear as closed and the services will be hidden.

You will need to exploit a vulnerability to get more information, so the nmap scan won’t be useless at all, but don’t expect things to be that trivial.

How to get the fabulous sequence

The challenge usually consists of finding the fu**ing sequence. It’s hard to give a specific path here, as the CTFs may have different scenarios.

However, it’s not uncommon to exploit a vulnerability that reveals the flaming series of ports. For example, the server might be vulnerable to LFI (Local File Inclusion), allowing you to read the /etc/knockd.conf file that contains the sequence.

The knockd package is often installed to configure port knocking along with firewall rules or other software.

Another scenario could involve a pcap file that contains unencrypted network traffic you can analyze with software like Wireshark to deduce the knock sequence.

How to knock at the doors

The final step can be achieved in many ways, but the easiest approach is probably to install the same knockd package on your attacker’s machine:

sudo apt install knockd
knock -v {IP} {port1} {port2} {port3}

N.B.: the three ports here are used as an example, but you can add more.

After that, the network is usually open for enumeration, and you can list services to attack.

See Also