Cryptknock
Description
Cryptknock is an encrypted port knocking tool. Unlike other port knockers
which use TCP ports or other protocol information to signal the knock,
an encrypted string is used as the knock. This makes it extremely
difficult for an evesdropper to recover your knock (unlike other
port knockers where tcpdump can be used to discover a port knock).
Encryption of the knock string is performed with RC4 using a secret key
derived from a Diffie-Hellman key agreement. The entire process takes
3 UDP packets. Data is read using libpcap, so no UDP or TCP ports need
to be in a listening state for the program to work. A simple diagram
can be found here. A client (cryptknock.c) and a server (cryptknockd.c)
are provided. More details can be found in the README.txt.
Usage
This program was designed to be lightweight and easy to use. By
design, there are few options, and no messy configuration files.
The client is used as follows:
Cryptknock Options:
-t Target server IP address
-s Source port of outgoing UDP packet
-d Destination port of outgoing UDP packet
Example: cryptknock -t 192.168.0.5 -s 4500 -d 22796
The program will then prompt you for a password, at which time you
can supply either the "open ports" password (to open up all TCP
ports for the client's IP only) or the "close all my ports"
password, which will re-firewall all your TCP ports after you're
done using the server.
The server is used as follows:
Cryptknockd Options:
-i Interface to watch for cryptknock clients
-s Expected source port of incoming UDP packet
-d Expected destination port of incoming UDP packet
Example: cryptknockd -i eth0 -s 4500 -d 22796
When the server starts, it firewalls all TCP ports using iptables.
Remember, the client and server's source and destination UDP ports
must agree. The "open ports" and "close ports" passwords can be
set as #defines in the cryptknockd.c file. The daemon records
successful and failed knocks via syslog.
Download
The current version is cryptknock-1.0.1.tar.gz
Updated 6/18/04.
