• Email info@cyberry.co.uk
  • I hear you (port) knocking

  • Port knocking is a really cool firewall port control mechanism.

    Taken straight from Wikipedia,

    port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).

    Let me break this down for you. Lets say you run an nmap port scan on, and you see a whole bunch of ports are filtered or closed, but you want to try “knocking” on a sequence of ports to trigger the firewall to open a port or multiple ports, you first need to talk to the ports.

    So lets say we want to knock on ports 1520, 3356 and 6177

    We could use something like hping3 to do this:

    root@kali:~# hping3 -s -c 1 -p 1520; hping3 -s -c 1 -p 3356; hping3 -s -c 1 -p 6177

    This is a chained sequence of commands. Basically we are firing a single packet (-c 1) using a random source port (-s) to the IP address of on the specific ports (-p) of our choosing. The ; simply allow us to chain these together into a single line.

    Basically we’ve sent a packet to port 1520, then to port 3356 and then finally to port 6177.

    If the firewall is configured to receive communication on those three ports in that particular sequence, it might fully open up another port or multiple ports, which you could then discover with nmap.

    But what if you have 3 port numbers to try, but you don’t necessarily know in what sequence to try them. We can quickly tell how many combinations we might need to try using “factorials” to calculate this. We have three port numbers, so would use “factorial 3” which can also be written as “3!” – If you are unfamiliar with factorials, it simply means to multiply your starting number by the number that is one less than the starting number, and then multiply that number by another number that is also one less, and so on, until you reach 1. It’s easier to understand if I give you an example.

    lets say I had 5 ports to try, and wanted to calculate the number of possible combinations using “factorial 5” or “5!” – This would be how it is calculated:

    5 x 4 x 3 x 2 x 1 = 120

    There are 120 possible combinations using 5 numbers.

    In the example we began with, we have 3 numbers, so we use “factorial 3” which is 3 x 2 x 1 = 6

    so therefore with ports 1520, 3356, 6177, you could potentially have 6 combinations to try out if you didn’t know the correct sequence.

    Well 6 possible combinations isn’t too bad, and wouldn’t take too long would it? But what if the firewall port-knocking accessibility randomly jumbled that sequence after every 10 seconds? You’d have 10 seconds to try all 6 combinations before they got jumbled! How can you be 100% sure that you tried them all before the sequence changed? Well in situations like this, we really need the use of a script to automate this process.

    Here is an example of a simple bash script that can be used to automate this task:

    We will call this script knock.sh


    Just to break this down so it’s easier to understand, $1 is what is known as a “positional argument”. If I try to run the script as the following:

    root@kali:~# knock.sh 1520 3356 6177

    then the script takes the 1st positional argument and assigns it to the variable HOST


    positional argument $0 = knock.sh

    positional argument $1 =

    positional argument $2 = 1520

    positional argument $3 = 3356

    positional argument $4 = 6177