CODE BLUE 2025 Program: Contests/Workshops

Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking

In this workshop, attendees will use Saucepot C2 in conjunction with the MITRE ATT&CK techniques listed below to conduct specific Red Team activities.

Workshop Outline

  • Title

    Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking

  • Date

    Nov. 18th 10:00-17:30
    Nov. 19th 10:00-16:00

  • Event Schedule

    TBA

  • Venue

    ROOM 1

  • Registration

    Anyone attending CODE BLUE, on site

  • Presenter

    Hubert Lin

  • Abstract

    Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or "knocks") to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 takes the port knocking technique a step further: instead of using the destination ports (DstPorts) of TCP sessions as the knock sequence, it uses the source ports (SrcPorts), also known as ephemeral ports. This allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.

    In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:

    Technique ID   Technique Name                      Tactic
    T1041          Exfiltration Over C2 Channel        Exfiltration
    T1071.001      Application Layer Protocol: Web     Command and Control
    T1205.001      Traffic Signaling: Port Knocking    Command and Control / Defense Evasion

    Saucepot C2 has been open-sourced at
    https://github.com/netskopeoss/saucepot.
    Supported commands and features in Saucepot C2 include:
    - Check-in / heartbeat
    - Directory listing
    - Process listing
    - File upload

    Workshop Exercises:
    Exercise 1: Traditional Port Knocking
    Exercise 2: Ephemeral Port Checker
    Exercise 3: Data Exfiltration
    Exercise 4: Command-and-Control Operations
    Exercise 5: Observation of Anomalies at L4 and L7
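
The L4 anomaly Exercise 5 points at is visible in the source ports themselves: a normal client lets the OS pick ephemeral ports, so per flow they look random and stay inside the stack's configured range, whereas a knock sequence has to be chosen deliberately. The detector below is an added example for defenders, not code from the workshop page or from the Saucepot project, and it does not assume anything about how Saucepot encodes data. Its assumptions are labelled: a constructed five-column connection log, Linux's default ephemeral range 32768-60999 (net.ipv4.ip_local_port_range) as the baseline, and illustrative thresholds.

```python
"""Flag structured source-port sequences per (src_ip, dst_ip, dst_port) flow.

Added example for the workshop page; not part of Saucepot C2. Assumptions:
  - log lines are "ts src_ip src_port dst_ip dst_port" (constructed format)
  - the baseline ephemeral range is Linux's default 32768-60999
  - the thresholds (ratio > 0.5, entropy < half of max, run >= 4) are illustrative
"""
from collections import defaultdict
from math import log2

EPHEMERAL_LO, EPHEMERAL_HI = 32768, 60999  # assumption: Linux default range

# Constructed sample log: one benign client, one client using low fixed
# sequential ports, one client reusing a single source port. All go to 443.
SAMPLE_LOG = """
1.0 10.0.0.5 44120 203.0.113.10 443
2.0 10.0.0.5 51877 203.0.113.10 443
3.0 10.0.0.5 38204 203.0.113.10 443
4.0 10.0.0.5 59931 203.0.113.10 443
5.0 10.0.0.5 47011 203.0.113.10 443
6.0 10.0.0.7 1001 203.0.113.20 443
7.0 10.0.0.7 1002 203.0.113.20 443
8.0 10.0.0.7 1003 203.0.113.20 443
9.0 10.0.0.7 1004 203.0.113.20 443
10.0 10.0.0.7 1005 203.0.113.20 443
11.0 10.0.0.9 40000 203.0.113.30 443
12.0 10.0.0.9 40000 203.0.113.30 443
13.0 10.0.0.9 40000 203.0.113.30 443
14.0 10.0.0.9 40000 203.0.113.30 443
"""


def parse_log(text):
    """Group source ports, in time order, by (src_ip, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        _ts, src, sport, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(sport))
    return flows


def out_of_range_ratio(ports):
    """Fraction of source ports outside the assumed ephemeral range."""
    outside = sum(1 for p in ports if not EPHEMERAL_LO <= p <= EPHEMERAL_HI)
    return outside / len(ports)


def entropy_bits(ports):
    """Shannon entropy of the source-port values; 0 means one port reused."""
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    n = len(ports)
    return -sum(c / n * log2(c / n) for c in counts.values())


def longest_monotone_run(ports):
    """Longest run of source ports that each increase by exactly one."""
    best = run = 1
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def score_flow(ports, min_conns=4):
    """Return human-readable findings for one flow (empty list = nothing odd)."""
    findings = []
    if len(ports) < min_conns:
        return findings
    ratio = out_of_range_ratio(ports)
    if ratio > 0.5:
        findings.append(f"{ratio:.0%} of source ports outside {EPHEMERAL_LO}-{EPHEMERAL_HI}")
    max_bits = log2(len(ports))  # all-distinct ports would reach this
    ent = entropy_bits(ports)
    if ent < max_bits / 2:
        findings.append(f"low source-port entropy {ent:.2f} bits (max {max_bits:.2f})")
    run = longest_monotone_run(ports)
    if run >= min_conns:
        findings.append(f"{run} consecutive source ports increasing by one")
    return findings


def scan(text):
    """Map each anomalous flow to its findings."""
    result = {}
    for flow, ports in parse_log(text).items():
        findings = score_flow(ports)
        if findings:
            result[flow] = findings
    return result


if __name__ == "__main__":
    for (src, dst, dport), findings in scan(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}")
        for f in findings:
            print("  -", f)
```

The three checks are deliberately weak on their own and meant to be baselined per environment: some TCP stacks, Linux included, hand out ascending ephemeral ports to the same destination, so the monotone-run signal needs a per-OS baseline, while a port outside the configured range or a single reused port is harder to explain for a normal client. Correlating these L4 findings with the L7 side of Exercise 5 (whether the sessions on 443 actually carry a TLS handshake) is what turns a heuristic into a usable detection.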