Python Port Knocking Script

Simple port knocking script using scapy because scapy is awesome and I’ll take any opportunity to use it. Also, Python lives on all of my devices, so I can use one tool across all of them. I found a script here that I then modified to suit my needs. The author, snj, seems to have made it for a CTF or something similar, so there was a lot there that I did not need.

Right now the IP and port numbers are hard-coded in. In the future, we could improve the script by getting them from arguments. Additionally, importing everything from scapy takes forever. The biggest improvement would be to either not use scapy, or figure out what, specifically, we need from scapy, and import only those things.



from scapy.all import *  # slow wildcard import; see the note above about importing only what is needed
import time

TARGET_HOST = "192.0.2.1"  # placeholder: the original blanked the address out; set this to your host

def knock(ports):
    """Send one TCP SYN to each port, in order, which is what knockd's tcpflags = syn expects."""
    print("[*] Knocking on ports " + str(ports))
    for dport in ports:
        ip = IP(dst=TARGET_HOST)
        # Window size and MSS option make the SYN look like an ordinary Linux connection attempt.
        SYN = ip / TCP(dport=dport, flags="S", window=14600, options=[('MSS', 1460)])
        send(SYN, verbose=False)  # raw packet send; scapy needs root/administrator for this
        time.sleep(0.5)           # short gap so the knocks arrive as distinct, ordered packets

def execKnock(open_ports, close_ports):
    """Knock the opening sequence, wait while SSH is in use, then knock the closing sequence."""
    knock(open_ports)
    print("Port opened")
    input("Press Enter to send the closing sequence... ")
    knock(close_ports)
    print("Port closed")

oports = [7303, 40303, 33528]  # opening sequence, the same one configured in knockd.conf
cports = [33528, 40303, 7303]  # closing sequence (the opening sequence in reverse)

if __name__ == "__main__":
    execKnock(oports, cports)

Raspberry Pi – Portknocking with knockd

Security through Obscurity is not Security. That being said, obscuring your SSH port via port knocking can be a great way to protect your SSH service from drive-bys and script kiddies. It is no replacement for a proper service configuration, but when paired with a good config it can greatly improve your security. Also, it’s just kind of cool; who doesn’t wish they had a secret passage in their home?

Port knocking, at its core, is pretty simple. The daemon listens for connection attempts, and if attempts are made to the correct ports, in the correct order, within the specified amount of time, then it executes a command. Typically the command adds or deletes a firewall rule. I followed this guide to get it up and running, but it is deprecated, so there were some issues. All of the solutions are contained herein. First, we need to set up our firewall rules per this guide, making sure we don’t lock ourselves out of SSH access until we are certain that everything works.

apt install knockd
touch /var/log/knockd.log
nano /etc/knockd.conf

The file needs an [options] section followed by one section per knock sequence (the name in brackets is arbitrary; [openSSH] is used here). The two commands are what knockd runs when the sequence is hit correctly and again cmd_timeout seconds later:

    [options]
    LogFile = /var/log/knockd.log
    interface = wlan0

    [openSSH]
    sequence = 7303,40303,33528
    tcpflags = syn
    seq_timeout = 15
    start_command = /sbin/iptables -I INPUT 4 -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 10
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
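To make the matching rules concrete, here is a small Python model of what the daemon checks, added as an example for this post (it is neither knockd's code nor the knocking script above). It uses the sequence, seq_timeout and cmd_timeout from the knockd.conf above, replays a constructed list of SYN records, and reports when the start and stop commands would fire; the assumption that a wrong port discards a source's progress is part of the model, not something the post states.

```python
# Constructed example: sequence and timeouts match the knockd.conf in this post.
KNOCK_SEQUENCE = [7303, 40303, 33528]
SEQ_TIMEOUT = 15   # seconds allowed for the whole sequence
CMD_TIMEOUT = 10   # seconds before stop_command removes the rule again

class KnockMatcher:
    """Minimal model of knockd's single-sequence matching (not knockd's own code)."""
    def __init__(self, sequence, seq_timeout, cmd_timeout, on_open, on_close):
        self.sequence, self.seq_timeout, self.cmd_timeout = sequence, seq_timeout, cmd_timeout
        self.on_open, self.on_close = on_open, on_close
        self.progress = {}    # src -> (index of next expected port, time of first knock)
        self.open_until = {}  # src -> time at which stop_command fires
    def expire(self, now):
        """Run stop_command for every source whose cmd_timeout has elapsed."""
        for src, deadline in list(self.open_until.items()):
            if now >= deadline:
                self.on_close(src)
                del self.open_until[src]
    def feed(self, ts, src, dport):
        """Process one TCP SYN seen at time ts from src to destination port dport."""
        self.expire(ts)
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.seq_timeout:
            idx, started = 0, ts                   # too slow: progress is discarded
        if dport == self.sequence[idx]:
            idx += 1                               # correct next port in the sequence
        else:                                      # wrong port resets the attempt (model assumption);
            idx, started = (1 if dport == self.sequence[0] else 0), ts  # first port restarts it
        if idx == len(self.sequence):
            self.on_open(src)                      # start_command: allow src to port 22
            self.open_until[src] = ts + self.cmd_timeout
            self.progress.pop(src, None)
        else:
            self.progress[src] = (idx, started)

def replay(knocks):
    """Feed (ts, src, dport) SYN records through the matcher; return the actions taken."""
    actions = []
    m = KnockMatcher(KNOCK_SEQUENCE, SEQ_TIMEOUT, CMD_TIMEOUT,
                     lambda s: actions.append(("open", s)), lambda s: actions.append(("close", s)))
    for ts, src, dport in knocks:
        m.feed(ts, src, dport)
    m.expire(knocks[-1][0] + CMD_TIMEOUT)          # flush any rule still open at the end
    return actions

SAMPLE_KNOCKS = [  # constructed: one valid knock, one too slow, one out of order
    (0.0, "10.0.0.5", 7303), (0.4, "10.0.0.5", 40303), (0.8, "10.0.0.5", 33528),
    (1.0, "10.0.0.9", 7303), (20.0, "10.0.0.9", 40303), (20.5, "10.0.0.9", 33528),
    (30.0, "10.0.0.7", 7303), (30.2, "10.0.0.7", 33528),
]
```

Running replay(SAMPLE_KNOCKS) yields an open and a close for 10.0.0.5 only; the slow and out-of-order sources never trigger start_command, which is exactly what you should see in /var/log/knockd.log when testing.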

Next, edit

nano /etc/default/knockd

and change the following line


IMPORTANT! This is where we run into some issues. The Debian version of knockd will not start at boot, no matter what you do. In theory, the above modification to /etc/default/knockd should make this happen, but it doesn’t. After countless Google searches, I found a patch in a Debian bug post. The patch follows:

nano /lib/systemd/system/knockd.service

Append the following:


Finally, run the following and knockd will start at boot:

systemctl enable knockd.service

Start knockd and test it out. If you have any issues, you can run the following to debug your problems:

knockd -D -v
service knockd start

In order to carry out the port knocking, I chose to write a Python script, since I knew it would work on both my Linux and Windows machines, as they all have Python installed. As long as Scapy is installed, it’s good to go. See the script here.