15 May 2020

I Made a SHA256-based port knocking program


I use knock by Judd Vinet to open the SSH port, adding an extra layer so attackers can't try exploits against your SSH server all day. It's fairly easy to use. But it uses a fixed knock sequence, which means that anyone who observes the sequence on the wire can replay it.

So I (probably hardly the first to) imagined SHA256 could be used to generate a port sequence, and noticed that one of the issues on knock also mentions it. So I decided to try doing it. Too much time and effort later, knockoff is here (the name is in jest, of course). Since C's vagaries seemed mostly pointless here, I used Lua a lot.

Specifically, it generates a port sequence based on SHA256(append(nonce, secret, date)), so you can share that secret instead of a particular port sequence. By default each port sequence lasts a bit more than a minute, and two consecutive port sequences are both valid for a short overlap, so slight time differences between client and server aren't troublesome.

Instead of relying only on the time periods, it can also increment an integer on every attempt that succeeds or fails late enough, so a particular sequence can never be replayed. By default it does not, since that mode is untested and harder to script. There is also the possibility of generating one or more extra ports afterward and starting the servers on those ports for that session.

The SHA256 port sequences are the main purpose of the project; Lua allows for fairly easy extension. It can also do simple fixed sequences of ports, and can trigger different outcomes based on which ports are knocked.
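To make the derivation concrete, here is an added Python sketch of the scheme described above (it is not knockoff's own Lua code). The "date" is modelled as an integer time-window index, the window length, the port range and the two-window acceptance rule are assumptions, and the optional counter from the previous paragraph is included as an extra hashed field.

```python
import hashlib
import struct

WINDOW_SECONDS = 64              # assumption: a sequence lasts "a bit more than a minute"
PORT_LO, PORT_HI = 10000, 60000  # assumption: knock ports are drawn from this range


def port_sequence(secret, nonce, window, n_ports=4, counter=0):
    """Derive n_ports distinct knock ports from SHA256(nonce || secret || window || counter).

    window is the integer time-window index standing in for the post's 'date';
    counter is the optional replay counter (0 when that mode is off).
    """
    material = nonce + secret + struct.pack(">QQ", window, counter)
    digest = hashlib.sha256(material).digest()
    span = PORT_HI - PORT_LO + 1
    ports, offset = [], 0
    while len(ports) < n_ports:
        if offset + 4 > len(digest):
            # digest exhausted: stretch it by hashing again (modulo bias on 32-bit values is negligible)
            digest = hashlib.sha256(digest).digest()
            offset = 0
        value = int.from_bytes(digest[offset:offset + 4], "big")
        offset += 4
        port = PORT_LO + value % span
        if port not in ports:  # keep knocks distinct so the order is unambiguous
            ports.append(port)
    return ports


def current_window(now, window_seconds=WINDOW_SECONDS):
    """Map a Unix timestamp to the time-window index the client and server hash."""
    return int(now // window_seconds)


def client_sequence(secret, nonce, now, n_ports=4, counter=0):
    """Client side: the sequence to knock right now."""
    return port_sequence(secret, nonce, current_window(now), n_ports, counter)


def server_accepts(secret, nonce, observed, now, counter=0):
    """Server side: accept the current window's sequence or the previous one,
    so a slightly slow client clock still works; anything older is rejected."""
    w = current_window(now)
    for candidate in (w, w - 1):
        if observed == port_sequence(secret, nonce, candidate, len(observed), counter):
            return True
    return False
```

A captured sequence stops working once the server has moved two windows on, and enabling the counter (changing `counter`) changes every later sequence even within the same window.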

Link to project: git.sr.ht/~jasper/knockoff
