fwknop – Port Knocking Tool with Single Packet Authorization


Port Knocking came about in around 2003, but it has various weaknesses. There are plenty of implentations though (some quite advanced). Most of the problems are fixed however by fwknop!

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap.

SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through a firewall policy and/or complete commands to execute on the target system. By using a firewall to maintain a “default drop” stance, the main application of fwknop is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.

With fwknop deployed, anyone using nmap to look for sshd can’t even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no “server” to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from a fwknop client.

  • Single Packet Authorization retains the benefits of Port Knocking (i.e. service protection behind a default-drop packet filter), but has the following advantages over Port Knocking: SPA can utilize asymmetric ciphers for encryption. Asymmetric ciphers typically have larger key sizes than symmetric ciphers, and the data transmission rate of port knocking (which uses packet headers instead of packet payloads as used by SPA) is not sufficient to effectively use an asymmetric cipher. SPA is compatible with 2048-bit Elgamal GnuPG keys, and other asymmetric ciphers can be used as well.
  • SPA packets are non-replayable. There are strategies (such as S/Key-style iteration of a hash function) used by port knocking implementations to reduce the danger of a replayed knock sequence, but these strategies are relatively brittle and not generally very scalable to lots of users.
  • SPA cannot be broken by trivial sequence busting attacks. For any attacker who can monitor a port knocking sequence, the sequence can be busted by simply spoofing a duplicate packet (as though it comes from the source of the real sequence) to the previous port in a sequence.
  • SPA only sends a single packet over the network, and hence does not look like a port scan to any intermediate IDS that may be watching.
  • SPA is much faster because it only sends a single packet. Port knocking implementations must build in time delays between successive packets because there is no guarantee of in-order delivery.

You can download fwknop-1.9.8 here:

fwknop-1.9.8.tar.gz
Windows UI

Or read more here.

Posted in: Countermeasures, Networking Hacking, Security Software

, , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


2 Responses to fwknop – Port Knocking Tool with Single Packet Authorization

  1. Morgan Storey October 7, 2008 at 4:50 am #

    Very nice, I played around with port knocking a while back and thought it was good, but slowed down authentication. This looks like an almost acceptable solution.

  2. Goodpeople October 9, 2008 at 9:38 am #

    hmmm interresting.. definately something to look at once I have a stable connection at home…