Tuesday, October 20, 2020

Wireshark - Filtering for a Port Knocking sequence

In a recent CTF, I was required to analyze a .pcapng file to find a Port Knocking sequence. I didn't know an easy way to do this, and Google only gave up some half-useful answers, so after a bit of research, I decided to write this post in the hopes that someone may stumble upon it in the future :)

Filter: (tcp.flags.reset eq 1) && (tcp.flags.ack eq 1)

This keeps only the RST/ACK packets, which are what the target sends back when a SYN arrives at a closed port, so the display reduces to one reply per knock, in the order the knocks were sent.


[Screenshot: packet list before applying the filter]

[Screenshot: packet list after applying the filter]


Make sure the packets are in capture order (the "No." column should run from lowest to highest), and read the port number on the left of the arrow in the "Info" column: in an RST/ACK reply that is the target's source port, i.e. the port that was knocked.

In this case, the sequence is 7864, 8273, 9241, 12007, 60753, so a:

> knock 10.10.35.61 7864 8273 9241 12007 60753 -t 500

would get you what you need.

I found that sometimes you might need to knock 2 or 3 times before the filtered port opens for some reason, but there you go!
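The same selection done outside Wireshark, as an added example that is not code from this post: a small parser for classic libpcap files (a .pcapng capture would first need converting, for example with `editcap -F pcap in.pcapng out.pcap`, which is assumed here) that records the source port of every RST/ACK reply in capture order, skipping retransmitted replies to the same client port, plus a constructed sample capture holding the five knocks from the post. The function names, the client address 10.10.14.5 and the sample traffic are all assumptions made for the example.

```python
import struct

# Added example (not from the original post): a tiny classic-pcap parser applying the same selection as the filter.
RST, ACK = 0x04, 0x10

def iter_frames(data):
    """Yield raw Ethernet frames from a classic libpcap blob (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet (linktype 1) framing")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_fields(frame):
    """Return (src_port, dst_port, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    return struct.unpack("!HH", tcp[:4]) + (tcp[13],)

def knock_sequence(data):
    """Source ports of RST/ACK replies in capture order: a closed port answers a SYN with
    RST/ACK *from* the knocked port (the left-hand port in Wireshark's Info column).
    A repeated reply to the same client port (a retransmission) is not a new knock."""
    seq, last = [], None
    for f in filter(None, map(tcp_fields, iter_frames(data))):
        if f[2] & (RST | ACK) == RST | ACK and f[:2] != last:
            seq.append(f[0])
            last = f[:2]
    return seq

# Constructed sample capture (no real traffic): an ordinary SYN / SYN-ACK exchange on port 80,
# then the five knocks from the post, with one RST/ACK reply retransmitted.
def _frame(src_ip, dst_ip, sport, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def sample_pcap(ports=(7864, 8273, 9241, 12007, 60753)):
    client, server = "10.10.14.5", "10.10.35.61"  # client address is made up for the example
    frames = [_frame(client, server, 40000, 80, 0x02), _frame(server, client, 80, 40000, 0x12)]
    for i, port in enumerate(ports):
        frames.append(_frame(client, server, 41000 + i, port, 0x02))  # the knock (SYN)
        frames += [_frame(server, client, port, 41000 + i, RST | ACK)] * (2 if i == 2 else 1)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1603152000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))
```

`knock_sequence(sample_pcap())` yields the same five ports as the filtered Wireshark view; a genuine repeat of the same port from a new client port is kept, only an exact retransmission is dropped.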