It appears that SYNful Knock is still a matter of interest to serious computing professionals, as I am getting hits on my website referred from Google searches for information on it.
Cisco, via their Talos Intel group, have released a tool to scan routers for the presence of SYNful Knock.
The tool will only scan for signatures of a specific instance of SYNful Knock.
From the Talos download page:
"This tool can only detect hosts responding to the malware "knock" as it is known at a particular point in time."
As far as I know, the tool only works on Linux.
You will require tcpdump.
You will require Scapy from SecDev.
You will require Python 2.7.
You could use Docker.
Please download the tool HERE.
PLEASE READ THE README.TXT FILE WHICH ACCOMPANIES THE TOOL.
From the README.txt which accompanies the .tgz:
Scans devices and networks for routers answering the SYNful Knock malware.
Note that this tool can only detect hosts responding to the malware "knock"
as it is known at a particular point in time. This tool can be used to
help detect and triage known compromises of infrastructure, but it can
not establish that your network does not have malware that might have
evolved to use a different set of signatures.
The scan tool depends on python 2.7 along with the
`scapy` <http://www.secdev.org/projects/scapy/> packet manipulation
library. Scapy has minimal system dependencies, but it does
perform better when the `tcpdump` utility is installed.
Scapy version 2.3.1 was used and tested during development. Older versions
(such as those found in distributions' package repositories) may also work.
### Debian / Ubuntu
$ sudo apt-get install python2.7 tcpdump
$ sudo pip install scapy==2.3.1
The tool works fine within a virtualenv as well.
The script has been tested to run well within a docker (http://docker.io)
container. Included in the source distribution is a Dockerfile for building
your own container. You will also be able to run the script straight off the
docker image registry.
The image utilizes the scan script as the container entrypoint, meaning
invocation is as simple as:
# docker run --rm synknockscan -v TARGETS
The tool is unable to receive a target list over standard input when
launched through docker, so if you have a list of targets, specify the
list as a docker volume:
# docker run --rm -v PATH_OF_TARGETLIST:/tmp/targets synknockscan -v --scan-file /tmp/targets
The tool uses raw packets injected on the interface and reads custom
crafted packets. Consequently, it will likely need to be run as `root`.
Provide a list of networks (either individual IPs or netblocks with
CIDR network prefix lengths) on the commandline as parameters, or in a
whitespace separated file (specified via the --scan-file option).
The -v option can be used to enable more detailed status updates. Without -v,
only hosts that are responding to the SYNful Knock will be emitted to stdout.
With -v, more detail is provided on how the replies failed to match the knock
handshake. It is possible that when running with -v, you will see packets that
are unrelated to the SYNful Knock scan being processed. This is not a cause for
alarm. These packets are likely just background network traffic that were
analyzed by the response listener.
If you are scanning from a multi-homed host, the packets should originate from the
interface associated with the first default route. If you'd like to specify an
alternate interface to utilize, use --iface.
Cisco Product Security Incident Response Team (PSIRT)
The Cisco Product Security Incident Response Team is a dedicated, global
team that manages the receipt, investigation, and public reporting
of security vulnerability information related to Cisco products and
networks. Cisco PSIRT provides security advisories, security responses,
and security notices. The PSIRT team is available around the clock
to identify possible security issues in Cisco products and networks.
For immediate emergency assistance, contact the 24 hour a day PSIRT
dedicated hotline at 877 228-7302 or 408 525-6532. For emergency
assistance on this issue via e-mail, contact email@example.com and
reference SYNful Knock in the Subject line.
To receive non-emergency assistance or report suspected security-related
issues with Cisco products, contact firstname.lastname@example.org.