How to Check CISCO for SYNful Knock

How to Check CISCO for SYNful Knock

FireEye has discovered a modification of the CISCO’s router firmware image, dubbed SYNful Knock that can be used to maintain persistence within a victim’s network. Meaning that SYNful Knock is practically a backdoor which is already used by hackers around the world.

FireEye has introduced several resources to check your company’s network for this vulnerability and quickly fix the issue. And in this post we would like to share those findings with you.

First of all, there are two ways of checking for SYNful Knock: Python way and Nmap way, it all depends on what suits you more.

Python way

Head to FireEye’s Github and download This script sends a crafted TCP SYN packet and analyses the SYN/ACK response for indications of an implant. The script relies on the Scapy packet manipulation library for processing, sending and receiving packets. The scanning process uses several scan threads and a single thread for collecting the responses.  If you don’t have scapy yet on your system then go to Installation guidelines.

After you are finished with installation process and your system is good to go you will need to execute a python script with the following command:

python ./ -d

Where -d indicated IPs to scan.

The output you receive should be similar to this:

2015-09-17 14:01:49,760 190 INFO Sniffer daemon started
2015-09-17 14:01:49,761 218 INFO Sending 2 syn packets with 10 threads
2015-09-17 14:01:50,188 110 INFO - Found implant seq: 6676e09 ack: 66735bcd
2015-09-17 14:01:51,190 225 INFO Waiting to complete send
2015-09-17 14:01:51,190 227 INFO All packets sent


Visit FireEye Github and download synfulknock.nse and packet2.lua. Place .nse file in nmap/scripts and .lua to nmap/nselib. Since the NSE packet library does not allow the user modification of ACK values, the library needs to be modified to allow for this capability. You need to add following strings to packet.lua and packet2.lua:

> --- Set the TCP acknowledgment field.
> -- @param new_ack Acknowledgment.
> function Packet:tcp_set_ack(new_ack)
>   self:set_u32(self.tcp_offset + 8, new_ack)
>   self.tcp_ack = new_ack
> end

If you did everything right the last thing you need to do is to execute this command within nmap/zenmap:

nmap -sS -PN -n -T3 -p 80 --script="SYNfulKnock"

If the result is similar to following than a CISCO devices is infected:

-- | SYNfulKnock:
-- | seq = 0x7528092b
-- | ack = 0x75341b69
-- | diff = 0xc123e
-- | Result: Handshake confirmed. Checking flags.
-- | TCP flags: 2 04 05 b4 1 01 04 02 1 03 03 05
-- |_Result: Flags match. Confirmed infected!


If your devices prove to be compromised then you are advised to download official image from Cisco and reimage the device. Ensure the new image hash values match and then harden the device to prevent future compromise.

There is a high possibility that the initial compromise took place due to default credentials or the discovery of such credentials. In case if the router was not using default passwords, you should definitely check other devices too because exploitation might have occurred from different sources


  1. Alxgarder September 21, 2015
  2. Alex Alborzfard September 18, 2015
  3. Alex Alborzfard September 17, 2015
    • Nikoloz Kokhreidze September 17, 2015

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.