KaosuX
December 27th, 2012, 06:46 AM
UPDATE: New code has been released. These forums hate my comment formatting so just ignore the obvious odd formatting of my comments, haha.
Fort Knocks is one of a kind hybrid implementation of a technique known as "port knocking". My implementation has the exact same end-result as traditional port-knocking (Minus a few features due to it being in early development) except for the key fact that I use a single generic knock sequence to trigger an authentication process which is used to grant remote access.
Most traditional "port knocking" daemons will use the knock sequence itself as authentication. Personally, I think this is rather silly since the information can be easily sniffed by an attacker. Instead, I believe a better implementation is to operate under the condition that the sequence itself is already compromised and rely on a strong authentication system.
While the "secret knock" it still in tact, I simply added a layer of security to the original process that works as a dynamic password-less authentication. A simple one-time configuration is all the user needs to get up and going!
I am not entirely sure what to call this type of implementation just yet. However, it cannot be simply quantified as traditional port knocking.
################################################## ######################
# [Fort Knocks v1.0] #
################################################## ######################
# TODO:
# 1) Support IPV6.
# 2) Reload pre-existing IPTable rules upon closing.
# 3) Use AT to efficiently expire specific IPTable rules after n minutes. Specified by the user.
# 4) Move the knock_key into an encrypted file and If the key file does not exist, create one automatically.
# 5) Once a knock_key is generated, find a user-friendly way of helping the key file to the client.
# 6) Convert Fort Knocks into a daemon and move all output/logging to SYSLOG.
# 7) Optimize for better efficiency where possible (I know, the code is sloppy and not optimized well).
# 8) Fix all known bugs (I wonder if anyone notices them).
# 9) Do some heavy stress testing to gauge stability and improve it where possible.
#########################
# Import Libraries #
#########################
import datetime
import dpkt
import pcap
import socket
from Crypto.Hash import SHA512
from Crypto.PublicKey import RSA
import os
#######################
# Configuration #
#######################
interface = "wlan0" #Interface name. Check ifconfig or iwconfig for your settings..
open_command = "openup" #Command to allow remote access. Change this to whatever you want to use. It is always encoded.
close_command = "closeup" #Command to disallow remote access. Change this to whatever you want to use. It is always encoded.
backup_directory = "~/Desktop/iptable.rules" #Modify this to back iptable rules up at any location you want.
###########################
# Knock_key Configuration #
################################################## ########
# Copy/paste your knock_key here for the time being. #
# later versions will store this in an AES encrypted #
# file on the server and client machine for added #
# security. #
################################################## ########
knock_key = """
MIISKgIBAAKCBAEAqUBgiC55ll5HvWH+RCyIitbAs98ViAc5of lh2Vff0ox1CMFu
6QjEu5UFrdLcQildntRtocvo488oIIQV6Z2llQ34Sk8WQwhvpZ M6vgfMw3lekPjP
pct9ZGdVERKQ1Gqt9CZS3yStV4P9tJEM21Kw43WrMxY5GJr9ZG M+qhUwy5jDZ7o8
gNz6moAEyVrR5dCfPvpD39fleo08eKkVZPgmtVmTyYo8V6Zthm w02ZMIE0Zd6rmq
obiqerojs2vU41tkLlWPXWHBIumDR90zjNKOrlDDcTHeihYFKC BDUJZqHg69gEXW
W6Xcgtv2NjZXbPdRmS+/scv9M+9dHtYODFVfN1J+cNQYmDD8kSzGaLUH8Vjfo61B
UxnI9bYnEFVrQcDqjL5faCodZnvffwVIbuMa+/1QuT+Gqh1qoEIgJozH2yPLk90C
jRGDctUsMBb1s7sjvlJuokymo1NQkYtSOJj4Pd41DeevU18tIx j2l/C40EUuF8jM
J7bm/Yj/4CyL2RtdaBqIzrCfP3xBDnTwxW/qcDUwdGjf0V3PRIAN0XcgN1j4CcAA
Uc+Et3NKyhTSmOlID1uioF5zL6DIyvoPlQa8BPf4xWW8iqXPhH Pp7RSbNqpNexMs
idOPONtnzW1cNYUgbLFy1MmOSI8UpN+bRBETFZKiM6s1sxK2Ml LMsjb1FSuqUUPv
9vPSvkAhOJfBJ6omaaSjoPv8oCxvZK5kVv9wljjSe2qcKRNe3O KucbzaxwT7dXC8
YoQ9aG6gjZhjoA5yCcddKTrRgApOJrs+IH0UHeZetiBJM9igW+ Ih+rjpzNvN7iz1
nBP0arRD/ZVF9TCQuVxWU1F18u+VSWmIkHQujcUKsXhhA95OQ4U1oLgGDI9 ogLQR
8UWkEhXTMm2zAinAExzCML6/Bq/GksSVPlOrTPs5021HQiLV/i9pCvQf//WP7yXH
MDKwoPCMtYQIYIM7ve0OYQv+TaBLa0L1sK7NdX0HRpooEyW+xv kaKikRFIj7PV1H
FKvE6J+tZReqJnL1TKy0qm61XaQrSrDFCNtbuQusPgimTMzKI3 cPxLWtvVW0Wsjk
xewwPlUwlTyoPdm5ANbQaJF9DTCWgPJ+hpadYwX7xhOHvlBFAb xzD3o2symzIhRI
8R/pBGwHpFqd/buIxkuWZRGplMhtu3gVL3DclV77WDUGR9c21oLpH1wm7pS1HOp r
5TdFUY1LDMUQhAMIUBbOcOcnuU8xHQ6OnVz10tkMuNecDhICLY WGW5kFIAozt361
sbs/E4kE6gW/U22u/8DwxicPhY3JVB8N9oum1IUkNHcSnQyNtl04G/wd9V5eCMZx
zvZlVZkG9fBedS93ZrGanUB5aayAfTAiZSYE1wIDAQABAoIEAQ ChMlE+IpVm43CM
LNKQd6GsKhDqv2OwZME9RVkuOYVQ8Llel2xcwh8tUSdRgGyLDv 69kTDBUoYCwoBD
R8ne8GiN5/o8O8rGGTjMh8cAykj5O5UXmgGatI4+nDPmyLnrtZbr27w+Dp6R pYJz
AVsvYDhcyus9AsNqbeM8Q1GhiAErR9mD51pMmSqND7R/WeJjcSjaQF14yhUjfXTE
rrVTrwye2CvrXZ9PE5Fo35IOTvz37qLwNdkPoeOsc7Ag6GigCa EGiDK9C6d46tJA
FatNShTebMlX+9kpxwMuTlwOWtPCwOM3UkxwiS3V7E05INRvUb YDofh/C/uiBS25
esFyebTv6b/HEhpCiRVj5zMo8pIYCT8mkpKO5RYC/3OBGPnIbEZ3ubEAcmwB+aTJ
Q2zTP7Wpnn/Nj3VgfBfbfl9El/yY+CSiNXKCjNWW/vTQ8G0euvO2BqicJ0jmcSlh
FUI/6WE0+3eoQKs5SoKg1Nu3pms+4USfHn1irc6eVmbtSUAAjRGPXw ZBZPKm8l67
uCDAynCMYfw+Qsw4iZIoeZWvlDe4vyGtl5I2WODcIBBxGxfgzv 30sp/XAV3PVOEo
gLVqiDl2uf3Tc6v4mSdlzUhUprWVgOm+eGqI8leMHVtlyexyhN J28yKdC0JaVPui
c91bHLACcd/OOhgw73dbwoR2j+UoPRuIUY8quS9Tm47az59B+kZlf/8Wez/oAKhe
MnQoFWgAZVVHxm7zJTTkA0QOjwltYI2xrVwXIiPIPMVG0rh5Ff 1N+T0NvzD+su46
bBbPv8+hPhDOHlF4/XGyc3k6DpJ1/6rm8jJGHZfjn5xseiGa8qeVjJp5a6j2J4nT
fYvtd7TiD38+obi4YRH6g2Pc638Kp3NKSuX1jxQdASr8pi/E6W2DsKh573oDp/xt
Sel//suO/1qGpWBgHRhJcrDgDtQrzZ/KXBMSB5DGTz7yumRwREKRxCZrvj+sOnTX
plwKHfIdYVr+s4VcR4NFIqm5mzp3p3K++nUHSHJSVVXUfRUDHA nJIViwLFuuoeBH
vtx18qzkVmOGcwSs92x9CEHIS7nXoooy7qhXhsdRT8qrJklUy5 MUNcZlorm3XjiO
rspOuZXQT18RRNabfPu9PVvVIc9YpTi3UVn6pVKHaRui3m0WmA eoF0bEhPI2dV1f
zlgukRxZ3fsNBUGlgayGbtsFJNj1jVKVg+iCLKK0ULuXOtm3es aHpPcD8I2q5sBO
8IhPAseW/alBLiUPwWJmWUvz6EhoMDVkHrKkbMK+n7IWQfslKVaGbyaCsuL QVMS5
e6PzYphQ0Hl+KCHwNgp4/AQqHVfMe2mQKKdPcp2dxMjBr4OhCzKtEUIs7wfkH86V
Teksf7vxAoICAQDJbgvtTP534U3Xqs07ERB43D92VzF8Tp8Tpo x7Y4hiMABFlq59
af8fssqxjW6karBPdjx7YLjxAM/qPbk9cpA0pmBgw3vxUqVAXxVgIoy5hrIEeG/b
XJ14gHZzEMGrBlcPw9vgdyazhciqT07W3yAIEbSHU0sr64RPpY JuXoeOsMeZnMp/
6HQlGvj2FrskjlFTo0d/A1QJbRQX2PoRril64o8y/+ypKxpLRhtRU6b7tttOVy8z
ZynQ1ij7SoCv1EadOTUH8VUgdMlE4eq+CZ4ypPNRVCOGnK2qaD xz26lagg285gFe
ZeRqvIuvXHM9ifr1YqOcovU4pGIIqnMO1XShAjplC/m1HoTUVewCkWiBA+dd9yWP
zL51L42Kj21bAtVQMo1PwaaAVGoi0rmAUCetBSouB/VTOZDpw2bFJfpEaQBF4Yd2
1R4290mX5zx/9kSsQZxiJXk0w6VMJ4IM18HS94PKNOwKXOwvfien4ud3AYESmW Uc
TQ/XvWiUh/RngBq5XEYspvSt49xVXdb6PUMfhGiE6SyOVMURUASfUZe3swMu EnMG
l+nmtnJziZOlQjXPoAVGGBVZ/DQ15HbDkCQU/QGGtmF7soD1hzmRVM9cm6eryPJD
72xhDRqfydh1JZebbaPi0nPuqo/ZN9feEgJiURq4Z/ca5ESgqLRiBhUkAwKCAgEA
1xqh1hr3Z8mRYMQkAecEm4xV4FgpLyOOllb4naXA/t9N+jDVQjNR3aDrE9PUc1rO
G/8X2UXZ/GCHz+G1ZmPE1uDm/nf8z8v+1d1CygTVuNghb84m0CELQcc8rsjcOzzb
96GfE+E2qPUp8OzLV8tLm6CGytlySQEgHk/eNoG9Gru+HocURNPhF1XjGPXMoeFO
JIqd0GhEbcAgx4G0vfOGAaCLaNchwDVDw/AZjtEF93GHRtCbuWwIVUMly3UAzbqP
WDIB+7+rvH4VIYL1y93V35drDPhqMlW7hs/PhnsrFRTORM6zTIL7lxqWTe/avQuu
2UMuuBxuXX/aB0k2IkrDZZ5Sxaq5XQYhpiv375H89fYR01SZj9oY6E4qA+wRE ZwC
oqf6orbsfKNN44+aIUNvbKuBWIfD8PTeqgFT8PgwpKGTRKSOyj XA6tVpzdV6Bto1
f6K77hAr9hwpIN+4yA2uthgmfJ0psADlNZ0VIy7rYAEA0xYBmo Qth068LFUP1p5+
iyhv9E+Fsdh+V0FdKjlgi0QZdB+Yu0ntlgEGQ1Oytc24fIZrxt OAlOZhCAVHckm5
7CIWn1G6iVRRJ9EaAZ1r7Fnaqw+YA1o1b1T4dk+68ibIcgkg0L YKs2/Bu6yZ86mc
uIjmPNO75zNB6j+RJopO3uVTGV71uwClMf4V9h9TpZ0CggIAAc B9RhEXXX+OJ8QK
iOr7E7IGs0bK3WPpqkgWjLQu6Xu1ZOWMmvajC2mIrcanIbLz2Z 0TpZcPxLjXFhh3
Vft7GZog2Haay1yGp2qsSuvCAZMUVUme32+MxxGG9jU9GfmyJC b18JvYsFMHjcOm
0eOa6bcNtOeajcU8n1y3J7KWxzzuX32nnTkuWWxEog9MjWLXfj y7UHV886AJPrPa
aPD012bFDBKBwm7niaQQdMKffyz191Z2yKGrEW/rZ1QcjmrwOknXFjyZGvEpFvpI
CmMXByW8IAb1UCRotkS10eQlMu5SpEPz2xhTxkHhjSLmtbBPiH bVKXWZYGa9m4mv
+n8MxqG4VEyoXVTontgod1VAbW7VQlH196w2M9q4Bm586v+5Tz tBU2JBynfxfGAM
0PrhfXXACipzjcfAZOgYKrrL1HB9Wh4+CWCNJLk94J5YPlyr+D uR2qCszzKsa18k
mGv/+Y/Bi66uJuDsBPW57pHgpX5T2w+Oe5KIAr5Y/IG6NHQ+x0HwMk85bZG/xtZM
Gl0SCmIibpWAl7RRCneBsskI4sYhzvLGIVaM6D7J/AtER3mt8iJYKWXoOaIh6h4U
klrclXol20AW1PaWfIwyifsM2qdX6/yRbtnUPXvZsW4V/d7X1Lg9Zqmh7H97RM5h
iELr1mMSMmxlD8zQc/1DpF6dLHUCggIBAL3WfEPIUtbfNxWOpTSknRVmehff1qEK
oXmfUhVXxwdpLpmC5YNiZXrS3QUHq3UPC937eSHBGww4aUQXMB AoNv1pSZQFczI1
GDfI6Xv/XlufK4tQBkMjFps76htbm7oQERXwJsPVvHbKv/QoF6HpAlZcCvoVhF5X
xu/ZjwTN5YYlcTnh/wprcDk3DJDnxWyMunlXeMYIb3Po30UT/N6zgG4JMWAalWfb
2m2fhf7cDIcAQ+JEk1rGtGgDNeTk4wut/XpZ0BRNaZSWNbH4sVL1+h41tT2iM58u
uKzW1JEcPL6DOTPStLzu0Hnf9gzchVDYcby/JQlJ1kFgZ5yMiWEkWGRjoStga+1k
Tugn384oKncsbzjybgBd/CNxcHU7ryi6Zj0FQRa/l+C8Ay61etKmgD0I88OdNll+
0tB5EYsWj1+MVbt7+6UMYbEfHhyRrftEM3jstyz4SsQOwGGJ8L tmD+4XTEgoMDVr
5N43PwNpEkQNPpwMzOeAhennm/0IKU1BXe8UhhG46QY3SfFZ944fS0w9krVAeXu5
WBxN1SgwQwVehNYpkA7OdKl01OfOOOrtlE+JGiwLZjRzHJimW2 xXcXsLJghYX9F9
mLEj7ZAE97lkbvztf2+TachI9lLalphL9cuKzp+aQjherWq+JS 09XTQscfVvMDGU
9TY0x08LALilAoICAQCdNgkwSwpZ1Wle0bWP+twpUBK0f+bP/s/FRoW1i7thiphu
hDxlUda5NE+zGckBJ5Bd3JUssNNWiK5HJ0hY6/rV0J6zP7R26AAALRd9DVZTDHzj
GMvibEcJbV9Eyf7Nxdd2UYoH1X2OzwypEnaPJk2ISK5uD5ycOP 8ycOe4kLsSwVfj
t9lLxcYPVs+IGkoHWoOpLmtG16VkXO6bIBuVJdppvvASkGI3eU 7ejJTu3fM+RBvH
r0TG9o6s2LljGzNBI7zqi6WVl4okAl4LpSpjcg/mLnE6mKftJHj5jpuyywnTHSSl
IVOOX0XRZT9phlNxmK/JJbpmc2JVQ+M0mBzHBaFnJUVBr1u78MYD713yWZ8tZ9C6
fhmrWAWHoD0u6dHlCzQuxJDBAfRiLFPojY1seZnmH4twDb8sNH/Y7MKA4bxMiHaj
PwRWWsBVgq58g0PT72Rraxz7dcdUAxeZecSLU89Usn4LVG13vR 9lhtsbX1wj7Rdm
qYs/nxlz2OoIKr+CwumUFuhPCwqdzjVVHVyCEd9r6+ogC6oB8rK5ve +Fau75W6/Y
EciwGLw0wR2Fg6ESnOriCcG4ZSe2Q7f0v1JzZ4f40xPsk6aPFq 3T2gUXnuk3wA5e
/u689+ysQs+HlmlUkJB9dDCsGprGoiN+rrJWCm9QIGJOAlj8w7Z 1UuvGs7dHtQ==
"""
################################################## ###############################
# Build our initial encoded keys. We will need to rebuild them every time a new #
# authorized pre-authenticated session occurs due to us using a dynamic salt. #
# Having this section of code in both places will automatically expire keys #
# that are older than 1 minute of being issued without causing issues. #
################################################## ###############################
now = datetime.datetime.now() #Leaves this alone if you plan on using a time-based salt
salt = str(now.minute) #Create a salt that changes every minute. It may be predictable, but it changes often enough to ward off most attacks
securehash = SHA512.new(salt + knock_key) #Hash our knock_key with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.\
encoded_knock_key = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + open_command) #Hash our open_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_open_command = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + close_command) #Hash our close_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_close_command = securehash.hexdigest()
###########################################
# Initialize clean IPTables configuration #
###########################################
print "Backing up current IPTables configuration..."
os.system ("iptables-save > " + backup_directory) #Back rules up.
print "Flushing current IPTables configuration..."
os.system ("iptables -F") #Flush rules.
os.system ("iptables -X")
print "Creating a new default-deny policy...."
os.system ("iptables -A INPUT -i lo -j ACCEPT") #Allow loopback.
os.system ("iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP") #Drop addresses which won't use loopback.
os.system ("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT") #Allow established inbound connections.
os.system ("iptables -A OUTPUT -j ACCEPT") #Allow outbound traffic. Modify this for your personal needs. This will work for most people.
os.system ("iptables -A INPUT -j DROP") #Drop all incoming connections.
os.system ("iptables -A FORWARD -j DROP") #DROP forwarded requests.
print "Your new IPTables configuration is now active! Loading Fort Knocks...."
####################################
# Set up the interface and filters #
####################################
pcap=pcap.pcap(interface, 65535, 1, 0) #Load up the specified interface for sniffing, limit to 65535 bytes per packet, enable promiscuous mode, immediate should be left as default.
pcap.setfilter("tcp") #Sniff all TCP traffic.
print 'listening on %s' % (pcap.name) #Let the user know everything is running and working as intended (Remove this when Fort Knocks is made into a daemon)
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data #Header
tcp = ip.data #Payload
src_ip = socket.inet_ntoa(ip.src) #decoded source IP address
dst_ip = socket.inet_ntoa(ip.dst) #Decoded destination IP address
if (tcp.dport == 4144 and tcp.sport == 4414): #Look for a very specific destination and source port (This is our generic "knock"). I will add a way to customize this easier later on
now = datetime.datetime.now() #Leaves this alone if you plan on using a time-based salt
salt = str(now.minute) #Create a salt that changes every minute. It may be predictable, but it changes often enough to ward off most attacks
securehash = SHA512.new(salt + knock_key) #Hash our knock_key with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.\
encoded_knock_key = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + open_command) #Hash our open_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_open_command = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + close_command) #Hash our close_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_close_command = securehash.hexdigest()
if encoded_open_command in tcp.data: #Valid command
print "Command verification was successful! Granting access to the remote user!" #When this is a daemon it sill send messages like this to SYSLOG
os.system ("iptables -A INPUT -s " + src_ip + " -j ACCEPT") #Add rule
if encoded_knock_key and encoded_close_command in tcp.data: #Valid command
print "Command verification was successful! Revoking remote hosts access!" #When this is a daemon it sill send messages like this to SYSLOG
os.system ("iptables -D INPUT -s " + src_ip + " -j ACCEPT") #Remove rule
#3. Log everything
#4. Send notification to admin (NOT THE PERSON CONNECTING) that a new connection has been temporarily allowed.
Fort Knocks is one of a kind hybrid implementation of a technique known as "port knocking". My implementation has the exact same end-result as traditional port-knocking (Minus a few features due to it being in early development) except for the key fact that I use a single generic knock sequence to trigger an authentication process which is used to grant remote access.
Most traditional "port knocking" daemons will use the knock sequence itself as authentication. Personally, I think this is rather silly since the information can be easily sniffed by an attacker. Instead, I believe a better implementation is to operate under the condition that the sequence itself is already compromised and rely on a strong authentication system.
While the "secret knock" it still in tact, I simply added a layer of security to the original process that works as a dynamic password-less authentication. A simple one-time configuration is all the user needs to get up and going!
I am not entirely sure what to call this type of implementation just yet. However, it cannot be simply quantified as traditional port knocking.
################################################## ######################
# [Fort Knocks v1.0] #
################################################## ######################
# TODO:
# 1) Support IPV6.
# 2) Reload pre-existing IPTable rules upon closing.
# 3) Use AT to efficiently expire specific IPTable rules after n minutes. Specified by the user.
# 4) Move the knock_key into an encrypted file and If the key file does not exist, create one automatically.
# 5) Once a knock_key is generated, find a user-friendly way of helping the key file to the client.
# 6) Convert Fort Knocks into a daemon and move all output/logging to SYSLOG.
# 7) Optimize for better efficiency where possible (I know, the code is sloppy and not optimized well).
# 8) Fix all known bugs (I wonder if anyone notices them).
# 9) Do some heavy stress testing to gauge stability and improve it where possible.
#########################
# Import Libraries #
#########################
import datetime
import dpkt
import pcap
import socket
from Crypto.Hash import SHA512
from Crypto.PublicKey import RSA
import os
#######################
# Configuration #
#######################
interface = "wlan0" #Interface name. Check ifconfig or iwconfig for your settings..
open_command = "openup" #Command to allow remote access. Change this to whatever you want to use. It is always encoded.
close_command = "closeup" #Command to disallow remote access. Change this to whatever you want to use. It is always encoded.
backup_directory = "~/Desktop/iptable.rules" #Modify this to back iptable rules up at any location you want.
###########################
# Knock_key Configuration #
################################################## ########
# Copy/paste your knock_key here for the time being. #
# later versions will store this in an AES encrypted #
# file on the server and client machine for added #
# security. #
################################################## ########
knock_key = """
MIISKgIBAAKCBAEAqUBgiC55ll5HvWH+RCyIitbAs98ViAc5of lh2Vff0ox1CMFu
6QjEu5UFrdLcQildntRtocvo488oIIQV6Z2llQ34Sk8WQwhvpZ M6vgfMw3lekPjP
pct9ZGdVERKQ1Gqt9CZS3yStV4P9tJEM21Kw43WrMxY5GJr9ZG M+qhUwy5jDZ7o8
gNz6moAEyVrR5dCfPvpD39fleo08eKkVZPgmtVmTyYo8V6Zthm w02ZMIE0Zd6rmq
obiqerojs2vU41tkLlWPXWHBIumDR90zjNKOrlDDcTHeihYFKC BDUJZqHg69gEXW
W6Xcgtv2NjZXbPdRmS+/scv9M+9dHtYODFVfN1J+cNQYmDD8kSzGaLUH8Vjfo61B
UxnI9bYnEFVrQcDqjL5faCodZnvffwVIbuMa+/1QuT+Gqh1qoEIgJozH2yPLk90C
jRGDctUsMBb1s7sjvlJuokymo1NQkYtSOJj4Pd41DeevU18tIx j2l/C40EUuF8jM
J7bm/Yj/4CyL2RtdaBqIzrCfP3xBDnTwxW/qcDUwdGjf0V3PRIAN0XcgN1j4CcAA
Uc+Et3NKyhTSmOlID1uioF5zL6DIyvoPlQa8BPf4xWW8iqXPhH Pp7RSbNqpNexMs
idOPONtnzW1cNYUgbLFy1MmOSI8UpN+bRBETFZKiM6s1sxK2Ml LMsjb1FSuqUUPv
9vPSvkAhOJfBJ6omaaSjoPv8oCxvZK5kVv9wljjSe2qcKRNe3O KucbzaxwT7dXC8
YoQ9aG6gjZhjoA5yCcddKTrRgApOJrs+IH0UHeZetiBJM9igW+ Ih+rjpzNvN7iz1
nBP0arRD/ZVF9TCQuVxWU1F18u+VSWmIkHQujcUKsXhhA95OQ4U1oLgGDI9 ogLQR
8UWkEhXTMm2zAinAExzCML6/Bq/GksSVPlOrTPs5021HQiLV/i9pCvQf//WP7yXH
MDKwoPCMtYQIYIM7ve0OYQv+TaBLa0L1sK7NdX0HRpooEyW+xv kaKikRFIj7PV1H
FKvE6J+tZReqJnL1TKy0qm61XaQrSrDFCNtbuQusPgimTMzKI3 cPxLWtvVW0Wsjk
xewwPlUwlTyoPdm5ANbQaJF9DTCWgPJ+hpadYwX7xhOHvlBFAb xzD3o2symzIhRI
8R/pBGwHpFqd/buIxkuWZRGplMhtu3gVL3DclV77WDUGR9c21oLpH1wm7pS1HOp r
5TdFUY1LDMUQhAMIUBbOcOcnuU8xHQ6OnVz10tkMuNecDhICLY WGW5kFIAozt361
sbs/E4kE6gW/U22u/8DwxicPhY3JVB8N9oum1IUkNHcSnQyNtl04G/wd9V5eCMZx
zvZlVZkG9fBedS93ZrGanUB5aayAfTAiZSYE1wIDAQABAoIEAQ ChMlE+IpVm43CM
LNKQd6GsKhDqv2OwZME9RVkuOYVQ8Llel2xcwh8tUSdRgGyLDv 69kTDBUoYCwoBD
R8ne8GiN5/o8O8rGGTjMh8cAykj5O5UXmgGatI4+nDPmyLnrtZbr27w+Dp6R pYJz
AVsvYDhcyus9AsNqbeM8Q1GhiAErR9mD51pMmSqND7R/WeJjcSjaQF14yhUjfXTE
rrVTrwye2CvrXZ9PE5Fo35IOTvz37qLwNdkPoeOsc7Ag6GigCa EGiDK9C6d46tJA
FatNShTebMlX+9kpxwMuTlwOWtPCwOM3UkxwiS3V7E05INRvUb YDofh/C/uiBS25
esFyebTv6b/HEhpCiRVj5zMo8pIYCT8mkpKO5RYC/3OBGPnIbEZ3ubEAcmwB+aTJ
Q2zTP7Wpnn/Nj3VgfBfbfl9El/yY+CSiNXKCjNWW/vTQ8G0euvO2BqicJ0jmcSlh
FUI/6WE0+3eoQKs5SoKg1Nu3pms+4USfHn1irc6eVmbtSUAAjRGPXw ZBZPKm8l67
uCDAynCMYfw+Qsw4iZIoeZWvlDe4vyGtl5I2WODcIBBxGxfgzv 30sp/XAV3PVOEo
gLVqiDl2uf3Tc6v4mSdlzUhUprWVgOm+eGqI8leMHVtlyexyhN J28yKdC0JaVPui
c91bHLACcd/OOhgw73dbwoR2j+UoPRuIUY8quS9Tm47az59B+kZlf/8Wez/oAKhe
MnQoFWgAZVVHxm7zJTTkA0QOjwltYI2xrVwXIiPIPMVG0rh5Ff 1N+T0NvzD+su46
bBbPv8+hPhDOHlF4/XGyc3k6DpJ1/6rm8jJGHZfjn5xseiGa8qeVjJp5a6j2J4nT
fYvtd7TiD38+obi4YRH6g2Pc638Kp3NKSuX1jxQdASr8pi/E6W2DsKh573oDp/xt
Sel//suO/1qGpWBgHRhJcrDgDtQrzZ/KXBMSB5DGTz7yumRwREKRxCZrvj+sOnTX
plwKHfIdYVr+s4VcR4NFIqm5mzp3p3K++nUHSHJSVVXUfRUDHA nJIViwLFuuoeBH
vtx18qzkVmOGcwSs92x9CEHIS7nXoooy7qhXhsdRT8qrJklUy5 MUNcZlorm3XjiO
rspOuZXQT18RRNabfPu9PVvVIc9YpTi3UVn6pVKHaRui3m0WmA eoF0bEhPI2dV1f
zlgukRxZ3fsNBUGlgayGbtsFJNj1jVKVg+iCLKK0ULuXOtm3es aHpPcD8I2q5sBO
8IhPAseW/alBLiUPwWJmWUvz6EhoMDVkHrKkbMK+n7IWQfslKVaGbyaCsuL QVMS5
e6PzYphQ0Hl+KCHwNgp4/AQqHVfMe2mQKKdPcp2dxMjBr4OhCzKtEUIs7wfkH86V
Teksf7vxAoICAQDJbgvtTP534U3Xqs07ERB43D92VzF8Tp8Tpo x7Y4hiMABFlq59
af8fssqxjW6karBPdjx7YLjxAM/qPbk9cpA0pmBgw3vxUqVAXxVgIoy5hrIEeG/b
XJ14gHZzEMGrBlcPw9vgdyazhciqT07W3yAIEbSHU0sr64RPpY JuXoeOsMeZnMp/
6HQlGvj2FrskjlFTo0d/A1QJbRQX2PoRril64o8y/+ypKxpLRhtRU6b7tttOVy8z
ZynQ1ij7SoCv1EadOTUH8VUgdMlE4eq+CZ4ypPNRVCOGnK2qaD xz26lagg285gFe
ZeRqvIuvXHM9ifr1YqOcovU4pGIIqnMO1XShAjplC/m1HoTUVewCkWiBA+dd9yWP
zL51L42Kj21bAtVQMo1PwaaAVGoi0rmAUCetBSouB/VTOZDpw2bFJfpEaQBF4Yd2
1R4290mX5zx/9kSsQZxiJXk0w6VMJ4IM18HS94PKNOwKXOwvfien4ud3AYESmW Uc
TQ/XvWiUh/RngBq5XEYspvSt49xVXdb6PUMfhGiE6SyOVMURUASfUZe3swMu EnMG
l+nmtnJziZOlQjXPoAVGGBVZ/DQ15HbDkCQU/QGGtmF7soD1hzmRVM9cm6eryPJD
72xhDRqfydh1JZebbaPi0nPuqo/ZN9feEgJiURq4Z/ca5ESgqLRiBhUkAwKCAgEA
1xqh1hr3Z8mRYMQkAecEm4xV4FgpLyOOllb4naXA/t9N+jDVQjNR3aDrE9PUc1rO
G/8X2UXZ/GCHz+G1ZmPE1uDm/nf8z8v+1d1CygTVuNghb84m0CELQcc8rsjcOzzb
96GfE+E2qPUp8OzLV8tLm6CGytlySQEgHk/eNoG9Gru+HocURNPhF1XjGPXMoeFO
JIqd0GhEbcAgx4G0vfOGAaCLaNchwDVDw/AZjtEF93GHRtCbuWwIVUMly3UAzbqP
WDIB+7+rvH4VIYL1y93V35drDPhqMlW7hs/PhnsrFRTORM6zTIL7lxqWTe/avQuu
2UMuuBxuXX/aB0k2IkrDZZ5Sxaq5XQYhpiv375H89fYR01SZj9oY6E4qA+wRE ZwC
oqf6orbsfKNN44+aIUNvbKuBWIfD8PTeqgFT8PgwpKGTRKSOyj XA6tVpzdV6Bto1
f6K77hAr9hwpIN+4yA2uthgmfJ0psADlNZ0VIy7rYAEA0xYBmo Qth068LFUP1p5+
iyhv9E+Fsdh+V0FdKjlgi0QZdB+Yu0ntlgEGQ1Oytc24fIZrxt OAlOZhCAVHckm5
7CIWn1G6iVRRJ9EaAZ1r7Fnaqw+YA1o1b1T4dk+68ibIcgkg0L YKs2/Bu6yZ86mc
uIjmPNO75zNB6j+RJopO3uVTGV71uwClMf4V9h9TpZ0CggIAAc B9RhEXXX+OJ8QK
iOr7E7IGs0bK3WPpqkgWjLQu6Xu1ZOWMmvajC2mIrcanIbLz2Z 0TpZcPxLjXFhh3
Vft7GZog2Haay1yGp2qsSuvCAZMUVUme32+MxxGG9jU9GfmyJC b18JvYsFMHjcOm
0eOa6bcNtOeajcU8n1y3J7KWxzzuX32nnTkuWWxEog9MjWLXfj y7UHV886AJPrPa
aPD012bFDBKBwm7niaQQdMKffyz191Z2yKGrEW/rZ1QcjmrwOknXFjyZGvEpFvpI
CmMXByW8IAb1UCRotkS10eQlMu5SpEPz2xhTxkHhjSLmtbBPiH bVKXWZYGa9m4mv
+n8MxqG4VEyoXVTontgod1VAbW7VQlH196w2M9q4Bm586v+5Tz tBU2JBynfxfGAM
0PrhfXXACipzjcfAZOgYKrrL1HB9Wh4+CWCNJLk94J5YPlyr+D uR2qCszzKsa18k
mGv/+Y/Bi66uJuDsBPW57pHgpX5T2w+Oe5KIAr5Y/IG6NHQ+x0HwMk85bZG/xtZM
Gl0SCmIibpWAl7RRCneBsskI4sYhzvLGIVaM6D7J/AtER3mt8iJYKWXoOaIh6h4U
klrclXol20AW1PaWfIwyifsM2qdX6/yRbtnUPXvZsW4V/d7X1Lg9Zqmh7H97RM5h
iELr1mMSMmxlD8zQc/1DpF6dLHUCggIBAL3WfEPIUtbfNxWOpTSknRVmehff1qEK
oXmfUhVXxwdpLpmC5YNiZXrS3QUHq3UPC937eSHBGww4aUQXMB AoNv1pSZQFczI1
GDfI6Xv/XlufK4tQBkMjFps76htbm7oQERXwJsPVvHbKv/QoF6HpAlZcCvoVhF5X
xu/ZjwTN5YYlcTnh/wprcDk3DJDnxWyMunlXeMYIb3Po30UT/N6zgG4JMWAalWfb
2m2fhf7cDIcAQ+JEk1rGtGgDNeTk4wut/XpZ0BRNaZSWNbH4sVL1+h41tT2iM58u
uKzW1JEcPL6DOTPStLzu0Hnf9gzchVDYcby/JQlJ1kFgZ5yMiWEkWGRjoStga+1k
Tugn384oKncsbzjybgBd/CNxcHU7ryi6Zj0FQRa/l+C8Ay61etKmgD0I88OdNll+
0tB5EYsWj1+MVbt7+6UMYbEfHhyRrftEM3jstyz4SsQOwGGJ8L tmD+4XTEgoMDVr
5N43PwNpEkQNPpwMzOeAhennm/0IKU1BXe8UhhG46QY3SfFZ944fS0w9krVAeXu5
WBxN1SgwQwVehNYpkA7OdKl01OfOOOrtlE+JGiwLZjRzHJimW2 xXcXsLJghYX9F9
mLEj7ZAE97lkbvztf2+TachI9lLalphL9cuKzp+aQjherWq+JS 09XTQscfVvMDGU
9TY0x08LALilAoICAQCdNgkwSwpZ1Wle0bWP+twpUBK0f+bP/s/FRoW1i7thiphu
hDxlUda5NE+zGckBJ5Bd3JUssNNWiK5HJ0hY6/rV0J6zP7R26AAALRd9DVZTDHzj
GMvibEcJbV9Eyf7Nxdd2UYoH1X2OzwypEnaPJk2ISK5uD5ycOP 8ycOe4kLsSwVfj
t9lLxcYPVs+IGkoHWoOpLmtG16VkXO6bIBuVJdppvvASkGI3eU 7ejJTu3fM+RBvH
r0TG9o6s2LljGzNBI7zqi6WVl4okAl4LpSpjcg/mLnE6mKftJHj5jpuyywnTHSSl
IVOOX0XRZT9phlNxmK/JJbpmc2JVQ+M0mBzHBaFnJUVBr1u78MYD713yWZ8tZ9C6
fhmrWAWHoD0u6dHlCzQuxJDBAfRiLFPojY1seZnmH4twDb8sNH/Y7MKA4bxMiHaj
PwRWWsBVgq58g0PT72Rraxz7dcdUAxeZecSLU89Usn4LVG13vR 9lhtsbX1wj7Rdm
qYs/nxlz2OoIKr+CwumUFuhPCwqdzjVVHVyCEd9r6+ogC6oB8rK5ve +Fau75W6/Y
EciwGLw0wR2Fg6ESnOriCcG4ZSe2Q7f0v1JzZ4f40xPsk6aPFq 3T2gUXnuk3wA5e
/u689+ysQs+HlmlUkJB9dDCsGprGoiN+rrJWCm9QIGJOAlj8w7Z 1UuvGs7dHtQ==
"""
################################################## ###############################
# Build our initial encoded keys. We will need to rebuild them every time a new #
# authorized pre-authenticated session occurs due to us using a dynamic salt. #
# Having this section of code in both places will automatically expire keys #
# that are older than 1 minute of being issued without causing issues. #
################################################## ###############################
now = datetime.datetime.now() #Leaves this alone if you plan on using a time-based salt
salt = str(now.minute) #Create a salt that changes every minute. It may be predictable, but it changes often enough to ward off most attacks
securehash = SHA512.new(salt + knock_key) #Hash our knock_key with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.\
encoded_knock_key = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + open_command) #Hash our open_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_open_command = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + close_command) #Hash our close_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_close_command = securehash.hexdigest()
###########################################
# Initialize clean IPTables configuration #
###########################################
print "Backing up current IPTables configuration..."
os.system ("iptables-save > " + backup_directory) #Back rules up.
print "Flushing current IPTables configuration..."
os.system ("iptables -F") #Flush rules.
os.system ("iptables -X")
print "Creating a new default-deny policy...."
os.system ("iptables -A INPUT -i lo -j ACCEPT") #Allow loopback.
os.system ("iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP") #Drop addresses which won't use loopback.
os.system ("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT") #Allow established inbound connections.
os.system ("iptables -A OUTPUT -j ACCEPT") #Allow outbound traffic. Modify this for your personal needs. This will work for most people.
os.system ("iptables -A INPUT -j DROP") #Drop all incoming connections.
os.system ("iptables -A FORWARD -j DROP") #DROP forwarded requests.
print "Your new IPTables configuration is now active! Loading Fort Knocks...."
####################################
# Set up the interface and filters #
####################################
pcap=pcap.pcap(interface, 65535, 1, 0) #Load up the specified interface for sniffing, limit to 65535 bytes per packet, enable promiscuous mode, immediate should be left as default.
pcap.setfilter("tcp") #Sniff all TCP traffic.
print 'listening on %s' % (pcap.name) #Let the user know everything is running and working as intended (Remove this when Fort Knocks is made into a daemon)
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data #Header
tcp = ip.data #Payload
src_ip = socket.inet_ntoa(ip.src) #decoded source IP address
dst_ip = socket.inet_ntoa(ip.dst) #Decoded destination IP address
if (tcp.dport == 4144 and tcp.sport == 4414): #Look for a very specific destination and source port (This is our generic "knock"). I will add a way to customize this easier later on
now = datetime.datetime.now() #Leaves this alone if you plan on using a time-based salt
salt = str(now.minute) #Create a salt that changes every minute. It may be predictable, but it changes often enough to ward off most attacks
securehash = SHA512.new(salt + knock_key) #Hash our knock_key with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.\
encoded_knock_key = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + open_command) #Hash our open_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_open_command = securehash.hexdigest()
securehash = SHA512.new(salt + encoded_knock_key + close_command) #Hash our close_command with a salt. The client will be sending information in this exact format, so this is how we get ready to detect it.
encoded_close_command = securehash.hexdigest()
if encoded_open_command in tcp.data: #Valid command
print "Command verification was successful! Granting access to the remote user!" #When this is a daemon it sill send messages like this to SYSLOG
os.system ("iptables -A INPUT -s " + src_ip + " -j ACCEPT") #Add rule
if encoded_knock_key and encoded_close_command in tcp.data: #Valid command
print "Command verification was successful! Revoking remote hosts access!" #When this is a daemon it sill send messages like this to SYSLOG
os.system ("iptables -D INPUT -s " + src_ip + " -j ACCEPT") #Remove rule
#3. Log everything
#4. Send notification to admin (NOT THE PERSON CONNECTING) that a new connection has been temporarily allowed.