Helping you keep sensitive data accessible and protected.
Port knocking: a stealthy system for network authentication across closed ports
Port Knocking has not been seen on TV
port knocking > implementations > implementations


A wide variety of implementations of port knocking are ... knocking about.

Port Knocking Implementations

Download the table (XML). List your project or report an error.

Table updated 2017-Jan-10 00:55
project name author date language platform1 notes
advanced port knocking suite Renaud Bidou 9/2004 Perl *NIX

"The Advanced Port Knocking Suite is a multi-purpose tool based on connection less TCP communications. It allows to launch commands, transmit data (with DES encryption support) as soon as a specific packet or a sequence of specific packets is received by the server. One of the advantages is that TCP ports involved in packet capture are closed. It includes two parts : a server (apks) which listens to packets on the wire and perform configured actions and an optional client (apkc) which helps building packets according to scenarii."
excerpt from

barricade Francesco Vannini 5/2004 C *NIX

"[barricade is] a simple implementation of the port knocking method aimed to open your network service or firewall only if a special icmp echo request packet is sniffed from the network interface. After the last valid packet received, barricade waits for a defined amount of time, then it closes your firewall or stops your services. There is a client included in the package called barricade_client that helps you to create special icmp packets containing the password."
excerpt from

debian package (Woody) is available
cd00r FX 6/2000 C *NIX

"cd00r.c is a working proof-of-concept code for a not listening remote shell on UN*X systems. The idea is the set up a listener in non-promiscuous mode which is looking for a specific sequence of packets arriving on this interface before actually opening any kind of listener. This sequence can be any kind of IP traffic - we use SYN packets in this example - and therefor provides a thick extra layer of obscurity."
excerpt from

cerberus Dana Epp 1999 ? *NIX

"[Cerberus is] a ICMP listening daemon that would look for specially crafted packets. When a pattern within the icmp type 8 packet (ping) was found, a simple but effective auth lookup can be performed and then action can be taken based on authorized rights for the requesting party. I have used this technique for years. It allows me to send a single ping anywhere in the world and have machines execute code without having to actually log in. I use this to open up firewall ports dynamically (kinda like what traditional port knockers do), run Nessus and nmap scans against targets while in the field and even use it to establish point to point VPN with FreeSwan. It has been very beneficial to be on a client site, and be able to use my WAP enabled phone to connect to a page with a perl backend with Net::RawIP, enter in an IP of the clients outside port and have a complete scan report sent to his email while sitting in a meeting."
excerpt from

Uses crafted ICMP packets and one-time passwords. See the presentation by Scorpion Software discussing Dana's Cerberus Introduction to Cerberus: Port knocking with covert packets to secretly open your firewall
COK David Worth 2004 JAVA *NIX

"Port-knocking has recently become a popular concept, and a common source of discussion. Many groups and communities have argued about the importance and viability of port-knocking as a security concept, or as an additional security measure. One of the main complaints about port-knocking is that one can implement trivial replay attacks against any static port-knocking system. This problem can be remedied by implementing a cryptographic system in tandem with a traditional port-knocking ideas. One of the simplest means of implementing a cryptographic port knock is by using a one-time-password system (OTP or s/key). Such a system has been implemented in COK, which is trivially extensible, and flexible enough to be useful in a production environment, which will allow for port-knocking from public locations with a minimum amount of pain."
excerpt from

Implements one-time passwords and covert DNS knocks.
combo Jon Snell 2002 C *NIX  
cryptknock Joe Walko 6/2004 C *NIX

"Cryptknock is an encrypted port knocking tool. Unlike other port knockers which use TCP ports or other protocol information to signal the knock, an encrypted string is used as the knock. This makes it extremely difficult for an evesdropper to recover your knock (unlike other port knockers where tcpdump can be used to discover a port knock). Encryption of the knock string is performed with RC4 using a secret key derived from a Diffie-Hellman key agreement. The entire process takes 3 UDP packets. Data is read using libpcap, so no UDP or TCP ports need to be in a listening state for the program to work."
excerpt from

Doorman JB Ward 6/2003 C Suse

"This particular implementation deviates a bit from ... [Martin Krzywinski's] original [port knocking] proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number. "
excerpt from

client available for Windows, client tested on FreeBSD, netBSD, OpenBSD, and MacOS X
fwknop Michael Rash 6/2004 C, Perl *NIX

"fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist; it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon. fwknop supports shared, multi-protocol port knock sequences along with both relative and absolute timeouts, and coded port knock sequences encrypted with the Rijndael block cipher."
excerpt from

fwknop = firewall knock operator; see Michael Rash's presentation Advanced Netfilter, Content Replacement ala Snort_inline, and Port Knocking Based on Passive OS Fingerprinting; see also in this table p0f by Michal Zalewski
? Korotkov Eugeny 10/2003 BASH *NIX   an unnamed bash script posted to a Russian forum
? Boyce Michael C   BASH *NIX

"relies on cut, awk, iptables, bash and a significant amount of user customization required. It uses several scripts that work together to make the program run as a dameon and allow easier customization for different systems. It should be relatively easy to adapt for systems that don't use IP Tables but testing has not been done with it."
excerpt from

helldoor Timothy Redaelli 2/2005 C *NIX

"sniffing, non binding, reverse connect, backdoor; based on cd00r by"
excerpt from

ipt_pkd, ipt_recent Eric Estabrooks 2008 C/python Ubuntu/Debian/Sidux

"The knock packet is a sha256 of a timestamp, some random bytes, a small header, and a shared key sent via udp. The timestamp and the bytes are passed in the packet so the server can do the sha256 and compare the results. If its a match then the pkd module returns true, otherwise false."
excerpt from

ipt_pkd is a port knock detector which when used in conjuction with ipt_recent gives you a decent port knocking system thats based in iptables.
It's Me (IM) Richard Prinz 7/2004 ? Windows

"IM is a Windows portknocking client. IM does not need to be installed. Just place the binary and config file wherever you want it, for example on a USB stick and you are done. IM has the following features: Knock sequences up to 1024 knocks, up to 1024 variable user parameters, variable parameters for date/time/IP, checksum, Blowfish encryption, no installation necessary, creates a default config file if non exists, small footprint (about 20k) - ideal for removeable media like USB sticks or Floppies."
excerpt from

precompiled binary for Windows
jPortKnock Paul Gregoire 2/2004 Java Java VM

"The code currently supports what I call an -active- mode, wherein a single port is opened (the first port in the sequence) to listen for initial connections. If a connection is received then the second port is opened and a connection from the initiator is listened for.. this continues until the sequence is completed. A final port is opened if the same initiator has successfully completed the sequence, this is the port that used as a tunnel or end-point for their requested service."
excerpt from

knack: command-line port knocking client Kim Christensen 2014 Python

"Knack tries to connect to a given set of ports on a remote host, without sending or receiving any data. The idea is that the remote host is listening for a specific pattern of ports to be opened in sequence, and then acting upon it in some fashion (mostly opening arbitrary ports for later usage). This can be used to keep weak services hidden from the public but accessible through simple TCP/IP operations. Knack will treat local network (and routing) errors as fatal. Timeouts and completed attempts are treated as equally good knocks! Note that this package does not handle the listening/server part of the port knocking protocol in any way, it only knocks."
excerpt from

knockd Judd Vinet 4/2004 C *NIX, Windows client

"knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access."
excerpt from

debian/rmp packages are available Marilen Corciovei 1/2004 Python Linux/ipfw

"This is a simple implementation of the port knocking principle in python on a FreeBSD simple. It can be used as a starting point for a more complex system or just as a simple example of the principle."
excerpt from

knockknock Moxie Marlinspike 2009 Python *NIX

"For every server that is going to be running knockknock-daemon, you run knockknock-genkeys on that server to generate its encryption and MAC keys. You install the server's keys on every client that is going to have permission to connect to the server. You run knockknock-daemon, which simply tails kern.log. It doesn't bind to any sockets, or load libpcap and inspect every packet. When you want to open a port from a client, you run sendknock, which sends a single SYN packet to the server. The packet's IP and TCP fields are encoded to represent an IND-CCA secure encrypted request to open a specified port to a specified IP address. You connect to the now-open port on the server. The port closes behind you and doesn't allow any new connections."
excerpt from

KnockKnockServer Stefan Miklosovic 2011 Java

"KnockKnockServer is simple java app which acts as server for incoming packets as shamir secrets to server. If some treshold is reached and some additional conditions are met, we simply do some action at server side (typically opening some port)."
excerpt from

KnockOnD Oleksandr Tymoshenko 10/2009 iPhone/iPod Touch

"KnockOnD is a simple port knocking client compatible with knockd or any other port knocking server. It supports both UDP and TCP protocols, interpacket delays. Easy to configure and use."
excerpt from

ostiary Ray Ingles 10/2003 C *NIX, Windows, Palm OS

"It is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands. It is designed to do exactly and only what is necessary for this, and no more. The only argument given to the command is the IP address of the client, and only if the authentication is successful."
excerpt from

p0f Michal Zalewski 8/2003 C *NIX, Windows

"p0f is a versatile passive OS fingerprinting and masquerade detection utility, to be used for evidence or information gathering on servers, firewalls, IDSes, and honeypots, for pen-testing, or just for the fun of it. It is a complete rewrite of p0f version 1 that used to be maintained by William Stearns."
excerpt from

precompiled binaries for Windows and ARM port are available
pasmal James Meehan 2/2004 C *NIX

"When it receives a sequence of ICMP or TCP packets to any port (open/closed), it will issue a command on the server. It uses a "smokescreen frame" that features encrypted authentication packets for avoiding sniffers, as well as a TCP/UDP key for remotely activating the system."
excerpt from

phpKnockClient Paolo Casarini 12/2009 php-compatible

"A port-knocking client implementation in PHP inspired by the knockd C implementation made by Judd Vinet."
excerpt from

Port Knock Danny Sung 2010 iPhone

"This app is ideal if you're on a WiFi network but don't have a port knocker on the available computers. If you're sitting behind a NAT, the iPhone/iPod Touch will have the same IP as any of the other computers on your network.This is also great to use with TouchTerm or any other ssh or telnet software for the iPhone.Just give it the hostname and a list of ports, and whether you want it to send TCP or UDP packets."
excerpt from

Port Knock Lite Danny Sung 06/2010 iPhone

"This application is a simple port knocker for the iPhone, generally useful only to network administrators. You must have a port knock daemon running on your server for this application to be useful."
excerpt from

Port Knock Lite Danny Sung 2009 iPod/iTouch

"This is a very simple [client] port knocker for the iPhone/iPod Touch."
excerpt from

port knocking client Andre Marschalek 2016 C# Windows

"In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s)."
excerpt from

Port Knocking Suite Marcello Greco, Alessandro Barenghi 12/2004 C Linux, 2.4 kernel

"[The] implementation uses a kernel module to listen for incoming packets, then communicates with a daemon through a character device and the daemon instructs iptables on which hosts to accept connections from."
excerpt from

portkey Tony Smith 8/2004 C++ *NIX

"Portkey is an implementation of a port-knocking daemon. It's simple, reliable and requires no special clients - telnet is fine. It supports knocks on any valid TCP port in the range 1-65535 and supports key sequences of arbitrary lengths. Portkey runs only on Linux at the present time (though that may change), and is only compatible with iptables based firewalls. It is firewall friendly: all the permissions granted to portkeyd clients are encapsulated in a specific chain that is created as required. If you restart your firewall, all the existing rules will be lost, but knocking again will recreate them."
excerpt from

PortKnocker Simon Drabble 01/2010 Android

"A portknock client. Uses the four-knock protocol. Support for multiple knock configurations. "
excerpt from

PortKnocker Stephen Paine 12/2009 Android

"This application allows people (who are running a port knock daemon) to send TCP or UDP packets to the specified ports. Based off the other app PortKnocking, but faster."
excerpt from James Lawrie 09/2010 perl

"This script is a very basic implementation of a port knock daemon, which listens for the knocks (using iptables logging) and handles iptables accepts/rejects as necessary. It uses forking for each knock sequence check, which in some ways was a bad idea and is unlikely to be necessary."
excerpt from

Portsmith Nikhil. R 2016 Python Linux

"I use hping3 to craft TCP packets. The knock packet is encrypted using the key transferred from the server and then sent to the knockport. It gets logged into kern.log which is read by Portsmith. It is then decrypted and the required open is then opened for the sourceIP using a custom iptables command."
excerpt from

reverse remote shell Michel Blomgren 5/2004 C *NIX

"rrs is a reverse (connecting) remote shell. Instead of listening for incoming connections it will connect out to a listener (rrs in listen mode). The listener will accept the connection and receive a shell from the remote host. rrs features full pseudo-tty support, full OpenSSL support (high encryption, client/server authentication, choice of cipher suites), Twofish encryption, a simple XOR cipher, plain-text (unencrypted) session, peer-side session monitoring (snooping), daemon option and reconnection features. rrs is Free Software distributed under the MIT License and is known to compile and run under Linux, FreeBSD, NetBSD, OpenBSD and QNX."
excerpt from

SA Claes M Nyberg 8/2001 C *BSD, Linux, SunOS, Windows NT/2k/XP  
sig2knock Cappella and Tan Chew Keong 2004 C *NIX, Windows

"Our implementation of port knocking is designed to overcome the issues mentioned above. In particular, we do not require the port knock sequence to be fixed and pre-defined. We also randomize the "hidden" port, so that each correctly received knock sequence will cause to server to open a random port for the client. In other words, the SSH service can be accessed via a different port each time. This significantly reduces the possibility of the adversary finding and attacking the SSH service."
excerpt from

See the presentation/article combination by Chew Keong Tan and Ching Tim Meng Remote Server Management Using Dynamic Port Knocking and Forwarding
tariq Ali Al-Shemery 05/2010 python

"Tariq is a new hybrid port-knocking technique, that uses Cryptography, Steganography, and Mutual Authentication to develop another security layer in front of any service that needs to be accessed from different locations around the globe. Tariq was developed using python and scapy to fulfil my Ph.D. Research. We had to use a new methodology that can communicate in an unseen manner, making TCP Replay Attacks hard to be issued against Tariq. We also wanted the implementation to listen to no ports, or bind itself to no socket for packets exchange, so that Tariq won't be exposed himself to a remote exploit. Tariq relies completely on Packet Crafting, as all packets sent and received are crafted to suite our needs."
excerpt from

temprules Shachar Shemesh 12/2004 BASH *NIX

"Temprules is intended to allow expiring rules. The usage scenario described here is meant primarily to explain how to quickly set the system up. The usage scenario chosen is of using port knocking to open up SSH for outside action. At the moment, trcreate only supports creating from scratch. A future option will allow it to only recreate the expiring parts of the configuration. For the time being, it's assumed that iptables-save is used to store the resulting firewall rules AFTER trcreate has done it's part."
excerpt from

TocToc 0ldW0lf 2001 Perl Linux, FreeBSD  
tumbler John Graham-Cumming 10/2004 Perl, JAVA *NIX

"tumbler is a protocol that enables a client piece of software to securely tell a server process on a remote machine to execute a predetermined command. tumbler is similar to port knocking and is designed so that a remote user can securly and steathily enable and disable server processes, or open and close firewall holes on a computer connected to the Internet. It differs from port knocking in the following ways: (1) Uses a single port: the tumblerd listens on a single UDP port for a single UDP datagram containing the 'knock' on the door. (2) Secure: the 'knock' is an SHA-256 hash the includes a shared secret (similar to a password) and other information to prevent spoofing and replay attacks. (3) Generic: the 'knock' can cause any command to be executed and is not limited to firewall reconfiguration. There are two implementations available: one is in Perl and provides both a client (tumbler) and daemon (tumblerd); the other is in Java and provides an API for generating knocks."
excerpt from

Java implementation by Marty Lamb
webknocking Stefan Lebelt 3/2005 PHP *NIX

"Send the knocking-sequence by simply calling the set webpages page by page with the webbrowser of your choice."
excerpt from

web page currently only in German; requires Apache/PHP and ipfw
WebSpa: single request authentication web knocking Oliver Merki 2011 Java

"WebSpa is a Java client/server implementation for sending a single HTTP request in order to authorise a system command to be executed server-side for a particular user. This is equivalent to port-knocking on the web layer, but with much more control: All commands must be pre-defined and have a time-window of execution. Whatsmore, all users have to be registered and authorised to run any given action. "
excerpt from

Windows Port Knocking Daemon Ferruh Mavituna 2008 VB.NET Windows

"Listens for sequences and execute a function with source IP Address."
excerpt from

winKnocks Ivano Malavolta 6/2009 Java Windows

"An encrypted(DES) port knocking tool. Knock sequences are defined through XML files; users specify: number of packets of each knock sequence, payload and header of each packet. Logging capability. Generation of smoke packets. No replay-attack."
excerpt from

winportknocking Mike Aiello 10/2004 C++ Windows  
wknock Laurent Oudot 3/2005 C Linux OpenWRT routers

"WKnock is a proof of concept that aims at hiding WLAN Access Point by using Knocking technologies. The tool could be seen as the equivalent of Port Knocking but for the WLAN world."
excerpt from

WKnock is a GPL tool that allows you to hide your Access Point against opportunistic attackers (wardrivers, etc).
1 a specific distribution/flavour indicates that the author indicated that the code was tested on this platform; the code may run on a wider range of platforms
last updated 2007-Dec-07 23:47
Port Knocking (c) 2002-2017 Martin Krzywinski