Port knocking (PortKnocking.com) is a good idea and all, I just believe it's overly complicated. The basic point is to only give away that you're even running a service after authentication has taken place. Just replace the commonly accepted request, a SYN packet, with full authentication details, before the service availability has even been confirmed. Has anyone here come across something like this outside of rootkits?

I'd rather not have to extract it or write my own; raw sockets and/or libpcap are such a bother. Besides, all I want to do with it is play with it like I do everything else. It's just another layer in the attempt to pull no punches against a would-be attacker.

More depth is always good.

I'll be honest with you all, a good while back I read Syngress's great book Stealing the Network: How to Own the Continent. Sendai's 'Shrax' rootkit from chapter 6 by Fyodor of Nmap fame is most inspiring. That part of the story is available for free direct from Fyodor at insecure.org if you haven't seen it. Chapter 13 is also available from Syngress (Sample - Chapter 13); in case you like more random hacker stories, check the other book out too if you like. The stealth communication and control is my focus.

The HoneyNet Project does have some of the more interesting tidbits of this approach included in their Sebek tool. It's basically a heavily modified version of a common rootkit. It includes all sorts of crazy stuff on top of taking control of the most basic functions of the networking stack, hooking the read call. It doesn't so much perform the function being discussed, though.


Thanks in advance for any suggestions you can make,

Jon.
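The idea in the post, carrying the full authentication details in the first packet so that the service reveals nothing until a valid request arrives, is the single-packet variant of port knocking. The following added example is not code from the post or from any of the tools it mentions; it sketches, from the defender's side, what the listener would need to check before it ever acknowledges that a service exists: a keyed MAC over the payload, a freshness window, and replay protection by nonce. The packet layout (client id, timestamp, requested port, nonce, HMAC-SHA256 tag), the `SHARED_KEY` value and the function names are all assumptions made for this example; no sockets are opened, so it runs offline and the same logic could sit behind a raw-socket or libpcap capture.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret; a real deployment uses a per-client key
# provisioned out of band, never a constant in source.
SHARED_KEY = b"demo-shared-secret-for-illustration-only"
WINDOW_SECONDS = 30

# Assumed packet body layout: 16-byte client id (NUL padded),
# 8-byte unix time, 2-byte requested port, 8-byte random nonce.
BODY_FORMAT = "!16sQH8s"
BODY_LEN = struct.calcsize(BODY_FORMAT)   # 34 bytes
TAG_LEN = hashlib.sha256().digest_size     # 32 bytes


def build_spa_packet(key, client_id, target_port, now=None, nonce=None):
    """Client side: authenticate the request inside the very first datagram."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8) if nonce is None else nonce
    body = struct.pack(BODY_FORMAT, client_id.encode().ljust(16, b"\0"), now, target_port, nonce)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Server side: decide whether a datagram proves knowledge of the key.

    Returns (client_id, port) on success and None otherwise. Every failure
    path is silent, so an unauthenticated sender learns nothing about
    whether a listener is present.
    """

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, for replay rejection

    def _prune(self, now):
        # Nonces older than the acceptance window can never validate again,
        # so they no longer need to be remembered.
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= self.window}

    def verify(self, packet, now=None):
        now = int(time.time()) if now is None else now
        self._prune(now)
        if len(packet) != BODY_LEN + TAG_LEN:
            return None
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare so the tag check itself leaks nothing.
        if not hmac.compare_digest(expected, tag):
            return None
        client_raw, ts, port, nonce = struct.unpack(BODY_FORMAT, body)
        # Freshness: a captured packet cannot be used outside the window.
        if abs(now - ts) > self.window:
            return None
        # Replay: the same nonce is honoured at most once inside the window.
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts
        return client_raw.rstrip(b"\0").decode(), port


if __name__ == "__main__":
    pkt = build_spa_packet(SHARED_KEY, "alice", 22)
    v = SpaVerifier(SHARED_KEY)
    print("first attempt:", v.verify(pkt))   # ('alice', 22)
    print("replayed:", v.verify(pkt))        # None
```

The verifier never answers a failed packet, which is the whole point the post makes: the host behaves like there is nothing listening until a request that already carries valid credentials arrives. The timestamp window and nonce cache are what separate this from a bare shared-secret knock, since without them any captured packet could be replayed indefinitely.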