PortKnock

Intro

PortKnock is a PowerShell interface for performing port knocking operations during Windows Red Team and Pentesting engagements. It contains a client-side component that can invoke one or more port knocks, plus an optional server that waits for the knocks. The client is not limited to working with the server provided in this module, and can work with any other server that is configured to listen for the right knocks.

This tool was designed specifically to provide a port knocking utility that allows source ports to be specified as part of the port-knock operation. It was also designed as an educational tool for understanding persistence mechanisms used by threat actors and malware.

Author

Vasken Houdoverdov - github.com/vhoudoverdov

Supported Operations

Client-Side Operations

| Operation | Description |
| --- | --- |
| Invoke a TCP port knock | Construct and initiate a port knock over TCP. |
| Invoke a UDP port knock | Construct and initiate a port knock over UDP. |

Server-Side Operations

| Operation | Description |
| --- | --- |
| Create a listening TCP server | Create a TCP server that listens on the specified port. |
| Create a listening UDP server | Create a UDP server that listens on the specified port. |

Examples

Invoke a TCP Port Knock Sequence

The C2 server is waiting for a sequence of three TCP knocks whose source ports are prime numbers:

$CommandAndControl = "10.66.0.1"

Invoke-TcpPortKnock -LocalIP "10.32.0.2" -LocalPort 2137 -RemoteIp $CommandAndControl -RemotePort 8080
Invoke-TcpPortKnock -LocalIP "10.32.0.2" -LocalPort 4099 -RemoteIp $CommandAndControl -RemotePort 8080
Invoke-TcpPortKnock -LocalIP "10.32.0.2" -LocalPort 3761 -RemoteIp $CommandAndControl -RemotePort 8080

Invoke a UDP Port Knock Sequence

The C2 server is waiting for a sequence of four UDP knocks whose source ports are identical, with a two-second delay between each knock:

$CommandAndControl = "10.66.0.1"

# Send the same knock four times, pausing two seconds between knocks
1..4 | ForEach-Object {
  Invoke-UdpPortKnock -LocalIP "10.32.0.2" -LocalPort 1337 -RemoteIp $CommandAndControl -RemotePort 8080
  Start-Sleep -Seconds 2
}

Create a TCP Server

Create a TCP server that waits for port knocks. The server-side logic dictates what operations occur when the right knocks are observed.

New-TcpServer -LocalPort 1337

Create a UDP Server

Create a UDP server that waits for port knocks. The server-side logic dictates what operations occur when the right knocks are observed.

New-UdpServer -LocalPort 1663
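The knock sequences in the client examples above and the "server-side logic" mentioned for the TCP and UDP servers both come down to the same question: has one source host sent the expected source ports, in order, to the knock port within a time window? The following is an added example, not code from the PortKnock module. It implements that matcher in PowerShell and runs it over constructed log lines in the Windows Firewall (pfirewall.log) W3C format; the source and destination addresses, the timestamps and the `Find-KnockSequence` / `ConvertFrom-FirewallLog` function names are assumptions made for the example. A defender can point the same logic at a real pfirewall.log to see which hosts are completing a knock pattern against a given port.

```powershell
# Added example (not part of the PortKnock module): a knock-sequence matcher run
# over constructed Windows Firewall log lines. The same state machine is what a
# knock server uses to decide that "the right knocks" were observed, and what a
# defender can run over pfirewall.log to spot the pattern from a single source.

# Constructed sample lines; the field layout is the standard pfirewall.log format.
# 10.32.0.2 sends the TCP example sequence in order; 10.32.0.9 sends the same
# three source ports out of order.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 09:15:01 DROP TCP 10.32.0.2 10.66.0.1 2137 8080 52 S 1 0 0 - - - RECEIVE
2024-01-10 09:15:02 DROP TCP 10.32.0.2 10.66.0.1 4099 8080 52 S 1 0 0 - - - RECEIVE
2024-01-10 09:15:03 DROP TCP 10.32.0.2 10.66.0.1 3761 8080 52 S 1 0 0 - - - RECEIVE
2024-01-10 09:15:05 DROP TCP 10.32.0.9 10.66.0.1 2137 8080 52 S 1 0 0 - - - RECEIVE
2024-01-10 09:15:06 DROP TCP 10.32.0.9 10.66.0.1 3761 8080 52 S 1 0 0 - - - RECEIVE
2024-01-10 09:15:07 DROP TCP 10.32.0.9 10.66.0.1 4099 8080 52 S 1 0 0 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Parse pfirewall.log text into objects; comment and blank lines are skipped.
    param([Parameter(Mandatory)] [string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*$' -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
        }
    }
}

function Find-KnockSequence {
    # Walk events per source IP and emit one record for every completed sequence:
    # the expected source ports, in order, to $KnockPort, inside $WindowSeconds.
    # An out-of-order port resets that IP's progress (the usual knock-server rule).
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [Parameter(Mandatory)] [int[]]$ExpectedSourcePorts,
        [Parameter(Mandatory)] [int]$KnockPort,
        [string]$Protocol = 'TCP',
        [int]$WindowSeconds = 30
    )
    $progress = @{}   # SrcIp -> @{ Index = next expected position; Started = time of first knock }
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Protocol -ne $Protocol -or $e.DstPort -ne $KnockPort) { continue }
        if (-not $progress.ContainsKey($e.SrcIp)) {
            $progress[$e.SrcIp] = @{ Index = 0; Started = $e.Time }
        }
        $state = $progress[$e.SrcIp]
        # A partial sequence that has taken too long starts over.
        if (($e.Time - $state.Started).TotalSeconds -gt $WindowSeconds) {
            $state.Index = 0
            $state.Started = $e.Time
        }
        if ($e.SrcPort -eq $ExpectedSourcePorts[$state.Index]) {
            if ($state.Index -eq 0) { $state.Started = $e.Time }
            $state.Index = $state.Index + 1
            if ($state.Index -eq $ExpectedSourcePorts.Count) {
                [pscustomobject]@{
                    SrcIp       = $e.SrcIp
                    CompletedAt = $e.Time
                    Ports       = ($ExpectedSourcePorts -join ',')
                }
                $state.Index = 0
            }
        } else {
            # Wrong port: reset, but let this knock count as a fresh first knock if it is one.
            $state.Index = if ($e.SrcPort -eq $ExpectedSourcePorts[0]) { 1 } else { 0 }
            $state.Started = $e.Time
        }
    }
}

$events = ConvertFrom-FirewallLog -Text $SampleLog

# The TCP example from this README: three prime source ports against port 8080.
Find-KnockSequence -Events $events -ExpectedSourcePorts 2137,4099,3761 -KnockPort 8080 |
    Format-Table -AutoSize

# The UDP example is the same matcher with a repeated port and a tighter window
# (four knocks two seconds apart finish well inside 15 seconds).
Find-KnockSequence -Events $events -ExpectedSourcePorts 1337,1337,1337,1337 -KnockPort 8080 -Protocol 'UDP' -WindowSeconds 15 |
    Format-Table -AutoSize
```

The matcher keys its state on the source IP and the destination port, so knocks from two hosts never interleave, and the second constructed host never completes the sequence because its second knock arrives out of order and resets its progress. Against a live firewall log the interesting signal for a defender is not the individual dropped packets, which are noise, but a completed sequence followed shortly by a successful connection from the same source.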

Malware Use Cases and Further Reading

A number of interesting malware families have used port knocking in combination with source-port interpretation. Examples of this type of malware are listed here.

Venom Rootkit (2017)

CERN - Advisory: VENOM Linux rootkit

UCLA - New Linux Kernel "VENOM" Rootkit in the Wild

Linux Malware from Freenode Intrusion (2014)

Analysis of the Linux backdoor used in freenode IRC network intrusion

Umbreon Linux Rootkit (2016)

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems

Chaos Backdoor (2018)

Chaos: a Stolen Backdoor Rising Again