Contests/Workshops

Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking

Nov. 18th 10:00-17:30

ROOM 1

Anyone who attends CODE BLUE , on site

Hubert Lin

Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or """"knocks"""") to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 elevates the port knocking technique to a new level. Instead of using destination ports (DstPorts) in TCP sessions as knock sequences, it leverages source ports (SrcPorts), also known as ephemeral ports. This approach allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.

In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:

Technique ID	Technique Name	Tactic
T1041	Exfiltration Over C2 Channel	Exfiltration
T1071.001	Application Layer Protocol: Web	Command and Control
T1205.001	Traffic Signaling: Port Knocking	Command and Control / Defense Evasion

Saucepot C2 has been open-sourced at
https://github.com/netskopeoss/saucepot.
Supported commands or features in Sacuepot C2 include:
- Check-in / heartbeat
- Directory listing
- Process listing
- File upload


Workshop Exercises:
Exercise 1: Traditional Port Knocking
Exercise 2: Ephemeral Port Checker
Exercise 3: Data Exfiltration
Exercise 4: Command-and-Control Operations
Exercise 5: Observation of Anomalies at L4 and L7