Port knocking with MikroTik

  • added 24 Jul 2024
  • Druvis will tell you how to listen to knocking.
    Follow the config in our manual here: help.mikrotik.com/docs/displa...
  • Science & Technology

Comments • 42

  • @nur76n
    @nur76n 1 year ago +18

    Also, you can use ICMP with a custom packet size and ping (ping -l on Windows or ping -s on Linux) from any OS without installing extra software. The size given to ping should be the packet size minus 28 bytes (IP header + ICMP header).
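
The ICMP size-knock described in the comment above, as an added example (not code from the video, from MikroTik's manual, or from the commenter): a POSIX sh client that derives ping's data length from the firewall's packet-size value. The router address 203.0.113.1, the sizes 111/222/333 and the rule layout they imply are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the video or MikroTik's manual): an ICMP "size knocking"
# client in POSIX sh. Assumption: the router's input chain has rules matching
# protocol=icmp packet-size=111, then 222, then 333 (total IPv4 packet length),
# each adding the source address to the next address list with a short timeout.
#
# ping's -s (Linux/BSD/macOS) and -l (Windows) set only the ICMP data length, while
# RouterOS's packet-size matcher counts the whole IPv4 packet, so subtract
# 20 (IPv4 header) + 8 (ICMP header) = 28 bytes. (For IPv6 it would be 40 + 8 = 48.)
IP_ICMP_OVERHEAD=28

# Data length to pass to ping so the packet on the wire is $1 bytes long.
icmp_payload_size() {
    total=$1
    case "$total" in ''|*[!0-9]*) echo "not a number: $total" >&2; return 1 ;; esac
    if [ "$total" -le "$IP_ICMP_OVERHEAD" ]; then
        echo "packet size must be larger than $IP_ICMP_OVERHEAD bytes" >&2
        return 1
    fi
    echo $(( $total - $IP_ICMP_OVERHEAD ))
}

# The ping invocation for this OS: -n/-l in Windows shells (Git Bash, MSYS, Cygwin),
# -c/-s everywhere else.
ping_cmd() {
    host=$1
    payload=$2
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*|CYGWIN*) echo "ping -n 1 -l $payload $host" ;;
        *)                    echo "ping -c 1 -s $payload $host" ;;
    esac
}

# Send the knock sequence: one ping per size, in order, with a short pause so the
# router sees the packets in the order its address-list chain expects.
# With DRY_RUN=1 the commands are printed instead of executed.
knock() {
    host=$1
    shift
    for size in "$@"; do
        payload=$(icmp_payload_size "$size") || return 1
        cmd=$(ping_cmd "$host" "$payload")
        echo "knock ${size}B -> $cmd"
        if [ -z "$DRY_RUN" ]; then
            $cmd >/dev/null 2>&1 || true   # no reply is normal if the router drops ICMP
            sleep 1
        fi
    done
}

# Usage: sh icmp-knock.sh <router-ip> <size> [<size>...]
#   e.g. sh icmp-knock.sh 203.0.113.1 111 222 333
if [ "$#" -gt 0 ]; then
    knock "$@"
fi
```

Windows is covered only through a Unix-like shell such as Git Bash, where `uname` reports MINGW; from cmd.exe the .bat script posted further down this thread does the same subtraction. The knock sizes travel in cleartext, so anyone who can sniff the path can replay them; this hides a port from scanners, it does not authenticate the client.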

  • @andreaoleari3606
    @andreaoleari3606 2 months ago

    Very nice by you at MikroTik! It opened up a really nice feature! Thanks!!!!

  • @mvdswaluw
    @mvdswaluw 1 year ago +4

    The timeout isn't very clear in the firewall GUI (web and Winbox); by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any time value you like. Thanks.

  • @alimibrahem8120
    @alimibrahem8120 1 year ago

    Very thankful, Eng. Druvis..! 🌹🙏

  • @mikkio5371
    @mikkio5371 10 months ago

    Nice presentation. Thanks

  • @SiBex_ovh
    @SiBex_ovh 1 year ago +16

    Please do a new series of videos about VLANs. Each episode should start off by selecting devices for the method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk (those on one device only), how to use those VLANs under /ip/address to reach them, and how to use that method with bonding and QinQ. I hope you can keep this series to 6 episodes, because I know at least 6 ways of creating VLANs, and each should be shorter than 1h. I hope you clear up all the VLAN stuff on MikroTik with those videos; I'm waiting for that video series. Remember, hybrid ports are very, very important for Wi-Fi access points.

  • @blindside995
    @blindside995 1 year ago +2

    Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick!
    Love the contrast as always you all are incredible!

    • @mikrotik
      @mikrotik 1 year ago +1

      See link in description, it has that step

    • @blindside995
      @blindside995 1 year ago +1

      When I try viewing that in your documentation it just reveals a random string of characters.

    • @NikolayUnguzov
      @NikolayUnguzov 1 year ago

      @mikrotik I see only a random string there - "VGhlbiBjcmVhdGUg....."

    • @blindside995
      @blindside995 1 year ago

      Just going to leave this here: if you google around a bit you'll find a slide show that has an example of how you do this. The key takeaway is that you create a layer 7 rule to match the passphrase along with the knocks. Then, so long as everything matches, you'll get in. Haven't added that part, but will be trying it later. I'll add another comment or edit my original with the syntax.

    • @blindside995
      @blindside995 1 year ago

      @xtlmeth mum.mikrotik.com/presentations/US10/discher.pdf

  • @drumaddict89
    @drumaddict89 1 year ago +3

    did that some years ago. works pretty good
    btw. Druvis seems to be quite a fast typer ;)

    • @mikkio5371
      @mikkio5371 10 months ago

      He is; you have to pay attention and flow at the same frequency as he does.

  • @MustaMT
    @MustaMT 1 year ago +1

    Please do cover the passphrase thing in a coming video. Thank you :)

  • @thomasp.8327
    @thomasp.8327 1 year ago +1

    Instead of configuring port ranges to secure the knocking, you can use these lines before it to block port scanners:
    add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\
    "port scanners"
    add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \
    comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \
    psd=21,3s,3,1

    • @RB01-lite
      @RB01-lite 1 year ago

      Good point, but if you do it as in the video, it doesn't matter if someone is using cookie-cutter scanning or if they are targeting specific ports.

  • @Aviduduskar
    @Aviduduskar 5 months ago

    Nice! Please consider adding Single Packet Authorization (fwknop) instead of the archaic port knocking method.

  • @me.ko.i1279
    @me.ko.i1279 1 year ago

    Well... that looks like nice thing.

  • @Anavllama
    @Anavllama 1 year ago +2

    In general I fail to see the need for port knocking now that MT has WireGuard built in. Druvis, when is port knocking useful (a better option than WireGuard)?

    • @RB01-lite
      @RB01-lite 1 year ago

      WireGuard ports seem to be undetectable by port scan due to the use of UDP and PKI, but you might not always want to run everything through it. Or maybe you are restricted to using some weaker tunneling protocols - you could then hide those with port knocking.

  • @robsonlouzada-ativatecnolo2240

    👏👏👏

  • @mykhal
    @mykhal 1 year ago

    Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact a single item, which was interpreted as a list in a single `nmap` command.
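
A TCP knock client for the passphrase variant discussed in the @blindside995 thread above, and for the single-item `for` loop noted in the comment just above: an added example, not code from the video, the MikroTik manual or the linked slides. The knock ports 1000/2000/3000, the passphrase port 2222, the passphrase "opensesame" and the layer7 rule it targets are hypothetical; the router address defaults to 203.0.113.1.

```sh
#!/bin/sh
# Added example, not from the video, the MikroTik manual or the linked slides:
# a TCP knock client that sends the knock sequence one port at a time and then
# a passphrase for a layer7 matcher. Assumptions about the router (hypothetical):
#   - input rules match SYNs to 1000, then 2000, then 3000, each adding the source
#     to the next address list with a short timeout (classic MikroTik port knocking);
#   - a final rule on tcp/2222 with layer7-protocol matching ^opensesame adds the
#     source to the list that finally permits the real service port.
# Client needs only nc (OpenBSD or GNU netcat flags) and sleep.
ROUTER=${ROUTER:-203.0.113.1}
KNOCK_PORTS="1000 2000 3000"
PASS_PORT=2222
PASSPHRASE="opensesame"

# Validate a TCP port number so junk never reaches nc.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One connection attempt per port, in order. Each port gets its own nc run: handing
# the whole list to one nmap run (as the single-item loop in the video did) does not
# guarantee the order the address-list chain needs. With DRY_RUN=1 nothing is sent.
knock_ports() {
    host=$1
    shift
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        echo "knock tcp/$port"
        if [ -z "$DRY_RUN" ]; then
            nc -z -w 1 "$host" "$port" >/dev/null 2>&1 || true   # RST or drop is expected
            sleep 1
        fi
    done
}

# The passphrase has to be in the first data segment: RouterOS layer7 inspects only
# the first packets/bytes of a stream. Newline-terminated so the regex can anchor on it.
send_passphrase() {
    host=$1
    port=$2
    phrase=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    echo "passphrase -> tcp/$port"
    if [ -z "$DRY_RUN" ]; then
        printf '%s\n' "$phrase" | nc -w 2 "$host" "$port" >/dev/null 2>&1 || true
    fi
}

# Full sequence: knocks first, then the passphrase. Non-zero on any bad input.
knock_and_authorize() {
    knock_ports "$ROUTER" $KNOCK_PORTS && send_passphrase "$ROUTER" "$PASS_PORT" "$PASSPHRASE"
}

# Run only when invoked as: ROUTER=192.0.2.1 sh tcp-knock.sh run
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    knock_and_authorize
fi
```

With `DRY_RUN=1` the script only prints the sequence, which is also how to check the order before pointing it at a router. The passphrase travels in cleartext, so like the knocks themselves it only raises the bar for a scanner; it does not replace authentication on the service the final rule opens.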

  • @kchiem
    @kchiem 1 year ago +1

    Hey Druvis, the "low" part of "allow" is pronounced like "loud" without the end "d" sound.

  • @ChrisNicholson
    @ChrisNicholson 1 year ago

    Why not put this in prerouting of mangle?

    • @Problembaer4
      @Problembaer4 1 year ago

      I think you cannot allow access to the router itself (input chain) via mangling.

    • @ChrisNicholson
      @ChrisNicholson 1 year ago

      @Problembaer4 if you put those rules for blacklisting in prerouting... I assure you it will catch incoming connections. My f--koff list is generated there.

    • @Problembaer4
      @Problembaer4 1 year ago

      @ChrisNicholson then you need to define the DST-IP (the router IP itself) somehow. Via the input chain, the routing decision was already done. So yeah, I think both ways are possible, but for most people the firewall is easier to understand as a "prerouting" chain.

    • @ChrisNicholson
      @ChrisNicholson 1 year ago

      @Problembaer4 I use the WAN interface.

  • @Andrew_Thrift
    @Andrew_Thrift 1 year ago

    Knock, Knock, Who's there ?
    cAP ax

  • @mr_jchristian
    @mr_jchristian 1 year ago

    666.
    Lol, Druvis.

  • @wreckedzilla
    @wreckedzilla 1 year ago

    knock knock, who's there?
    isis

  • @bossinthisgym
    @bossinthisgym 1 year ago

    Wrote this .bat script to protect my ports. Works only with Windows:
    @echo off
    REM Router address and the three packet-size values the firewall rules match on.
    set target_ip=11.22.33.44
    set /a PacketSize1=111
    set /a PacketSize2=222
    set /a PacketSize3=333
    set ip=%target_ip%
    REM ping -l sets only the ICMP data length; subtract 28 (IP + ICMP headers)
    REM so the packet on the wire matches the firewall's packet-size value.
    set /a size1=%PacketSize1%-28
    set /a size2=%PacketSize2%-28
    set /a size3=%PacketSize3%-28
    set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%;
    echo %info%
    CLS
    REM Send the knocks in order, two pings per size.
    ping %ip% -l %size1% -n 2
    CLS
    ping %ip% -l %size2% -n 2
    CLS
    ping %ip% -l %size3% -n 2
    CLS
    REM Short pause before exiting (two pings to localhost take about one second).
    ping -n 2 localhost>nul
    exit

  • @olegkn7769
    @olegkn7769 7 months ago

    full console use