~jasper/knockoff

Port knocking & listening, for hiding the servers you run (like sshd)

STATE: broken: it looks like the bit32 Lua lib is no longer there.

NOTE: fwknop is probably better in many ways.

#(might be annoying to get working) knockoff, a knockoff of a port knocking implementation

Based on knock, but uses Lua for configuration and supports both plain and sha256-based port orders.

sha256-based port orders limit replay attacks to a short period. Note that it's still just an extra layer of protection.

There is also an option to change the order whenever too much of the sequence is observed, at the cost of being more complicated to use. You could even start a server, where the port it uses is based on the sha256.
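How a time-windowed, hash-derived port order bounds replay, as an added example that is not knockoff's own code. The HMAC-SHA256 derivation, the 10-second window, the port range, the skew allowance and all function names are assumptions made for illustration; knockoff's real derivation is whatever its Lua configuration defines.

```python
import hashlib
import hmac
import struct

WINDOW = 10                       # seconds per sequence; assumed value
KNOCKS = 4                        # ports per sequence; assumed value
PORT_MIN, PORT_MAX = 1024, 65535  # assumed knock range


def port_sequence(secret: bytes, window: int, event: bytes = b"success") -> list[int]:
    """Derive the knock ports for one time window and one end-event."""
    msg = event + b"|" + struct.pack(">Q", window)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    # 4 digest bytes per port keep the modulo bias negligible.
    return [PORT_MIN + int.from_bytes(digest[4 * i:4 * i + 4], "big") % span
            for i in range(KNOCKS)]


def knock_ports(secret: bytes, now: float, event: bytes = b"success") -> list[int]:
    """Knocker side: the sequence to send at wall-clock time `now`."""
    return port_sequence(secret, int(now // WINDOW), event)


def accepts(secret: bytes, observed: list[int], now: float,
            event: bytes = b"success", skew: int = 1) -> bool:
    """Watcher side: accept the current window and `skew` earlier ones."""
    current = int(now // WINDOW)
    return any(observed == port_sequence(secret, current - k, event)
               for k in range(skew + 1))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_700_000_000.0                  # constructed timestamp
    seq = knock_ports(secret, t0)
    print("knock:", seq)
    print("replay in same window accepted:", accepts(secret, seq, t0 + 5))
    print("replay a minute later accepted:", accepts(secret, seq, t0 + 60))
```

A sniffed sequence keeps working until its window plus the skew allowance has passed, which is why this is only an extra layer in front of the real service's own authentication.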

#Compile

Just run make knockoff. You need libpcap, lua and curl installed (the last one is less needed).

#Install at root level

A package only exists for Arch Linux at the moment: get other/arch-git/PKGBUILD, then run makepkg and sudo pacman -U knockoff*.pkg.tar.xz as you'd usually do on Arch Linux.

#Install at user level

make home_install will put things in ~/.bin/, ~/.local/share/knockoff/ and ~/.config/knockoff. You must add ~/.bin to $PATH (or just move the binary somewhere that is in $PATH).

The suggestions below assume a root level install (replace /etc/knockoff with ~/.config/knockoff/ for a local install). The server (the receiver of the knocks) needs to be run as root.

#Use sha256 knocker (simplest)

On both the server and knocker side,

cp /etc/knockoff/examples/sha2.lua /etc/knockoff/$SERVERNAME.lua

Change local secret = .. value to the secret you agreed on.

Change the element in the interfaces list to the interface of the current device that you want to sniff. ip link lists them; it might be something like eth0 or enp4s0 (wired), wlan0 or wlp3s0 (wireless), or wlp0s20f0u2 (wireless USB dongle). The values may differ between server and knocker.

#Server side

In $SERVERNAME.lua, change the local port value to the port you need open, or just change the success function directly.

To run the knocking-sniffer, run as root: knockoff watch $SERVERNAME -v 2 (-v just increases verbosity somewhat)

#Client side

To knock the server: knockoff knock $SERVERNAME $IP, and then within ten seconds connect.

#Other options

A look at the src/etc/examples/ directory might help. There is also knockoff help, and doc/ contains more documentation.

There is support for different events after a knock. The above assumes the end-event is simply success. For instance example/simple_choose.lua has multiple outcomes, A and B, i.e.

./knockoff knock example/simple_choose $ip A  # Trigger A
./knockoff ports example/simple_choose B  # Show port sequence for B.

See doc/features.md for more options (it also has a todo list of some which don't exist yet).

#Credit

Jasper den Ouden. (me)

Judd Vinet's knock, which I copied; it would have been pretty hard for me to get the sniffing part right.

Licensed under the GPLv2 (text in gplv2.txt). Note that it has the option "or any later version".