Has anyone found a way to build a port-knocking listener with cryptographic hash checking (to prevent sniffing/replay attacks) for RouterOs/Mikrotik?

it would need to be something for which a client can be built on Linux/Mac and also Android and iOS clients.

http://www.cipherdyne.org/fwknop/docs/SPA.html describes such a scheme in general using a tool called fwknop..

Not sure how one would build the daemon for this in routeros. It would require the ability to call a script from a firewall rule (with the packet as parameter) and then a script like http://forum.mikrotik.com/viewtopic.php?t=62895.

The script called from the packet filter could then hash a known password,timestamp etc and compare the result with the received packet data.if successful, the source address of the packet coudl be added to an address-list for a while to allow access..

Port knocking on mikrotic is described here:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

No - there's no port knock listener process on Mikrotik, so you can't do a one packet crypto-knock.

You could make the default NAT rule for sources not in "knock-auth" list cause all traffic to be dst-nat to a host which can listen - some crypto-knock schemes use all un-bound ports to listen, and the destination port can be significant as well.....

Anyway, you could make the crypto-knock listener, upon successful knock received, send another knock to the inside address of the Mikrotik - one which would be filtered from arriving via the WAN, so no crypto is required.... then THAT knock opens the ports..... (or instead of an insider knock, use an API client, or an ssh script - whatever means you require)

I have actually looked at this myself. Unfortunately there is nothing baked in that you have access to to do the security part of it and scripting isn't powerful enough.