https://reverse.put.as/tags/port-knocking/ Recent content in port knocking on Reverse Engineering Hugo -- gohugo.io en-us reverser@put.as (fG!) reverser@put.as (fG!) &copy; 2025 fG! Fri, 17 Dec 2021 14:20:59 +0000 https://reverse.put.as/2021/12/17/knock-knock-whos-there/ Fri, 17 Dec 2021 14:20:59 +0000 reverser@put.as (fG!) https://reverse.put.as/2021/12/17/knock-knock-whos-there/ <p>Back in 2017 (feels like ages ago) I decided to take a peek into the ShadowBrokers leaks and reverse some of the tools.</p> <p>I started on <code>dewdrop</code> simply because it had a macOS version. I made local presentations at <a href="https://www.meetup.com/0xOPOSEC/">0xOpoSec</a> and <a href="https://www.bsideslisbon.org">BSidesLisbon</a> but those slides were never published for obvious reasons (aka live implants all over the Internet).</p> <p>Significant time has passed and everyone went crazy last week with the beautiful <a href="https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html">NSO exploit VM</a> published by Project Zero, so why not ride the wave and present a simple NSA BPF VM. It is still an interesting work and you have to admire the great engineering that goes behind this code. It&rsquo;s not everyday that you can take a peek at code developed by a well funded state actor.</p> <p>This post is only going to focus on the BPF part of the implant so you will have to fill in the blanks about everything else.</p>