Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking
Join our workshop to explore port knocking. This method allows covert C2 and data exfiltration in restricted environments. Hands-on exercises with MITRE ATT&CK techniques will cover hidden access, file transfer, and bidirectional C2, providing practical skills for Red Team operations.

Workshop Outline
- Title: Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking
- Date: Nov. 18th 10:00-17:30; Nov. 19th 10:00-16:00
- Event Schedule: TBA
- Venue: ROOM 1
- Registration: Anyone who attends CODE BLUE, on site
- Presenter: Hubert Lin
- Abstract: Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or "knocks") to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 elevates the port knocking technique to a new level. Instead of using destination ports (DstPorts) in TCP sessions as knock sequences, it leverages source ports (SrcPorts), also known as ephemeral ports. This approach allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.
 In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:

 Technique ID | Technique Name                    | Tactic
 T1041        | Exfiltration Over C2 Channel      | Exfiltration
 T1071.001    | Application Layer Protocol: Web   | Command and Control
 T1205.001    | Traffic Signaling: Port Knocking  | Command and Control / Defense Evasion
 Saucepot C2 has been open-sourced at
 https://github.com/netskopeoss/saucepot.
 Supported commands or features in Saucepot C2 include:
 - Check-in / heartbeat
 - Directory listing
 - Process listing
 - File upload
 
 Workshop Exercises:
 Exercise 1: Traditional Port Knocking
 Exercise 2: Ephemeral Port Checker
 Exercise 3: Data Exfiltration
 Exercise 4: Command-and-Control Operations
 Exercise 5: Observation of Anomalies at L4 and L7
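The abstract describes knocking with client source ports to a single allowed destination port, and Exercise 5 looks for the resulting anomalies at L4. The following detector is an added example for this page, not Saucepot's or the workshop's code; it assumes a constructed five-field flow export (timestamp, source IP, source port, destination IP, destination port) and flags client/destination pairs whose source ports are mostly outside the OS ephemeral range.

```python
"""Flag outbound flows whose client source ports look chosen rather than OS-assigned.

Added example for this page, not part of Saucepot C2 or the workshop material.
Assumption: flows arrive as 'ts src_ip src_port dst_ip dst_port' lines (constructed
format). A normal client draws source ports from its OS ephemeral range; a client that
encodes a knock sequence in source ports toward one permitted destination port does not.
"""
from collections import defaultdict

# Linux default net.ipv4.ip_local_port_range; Windows uses 49152-65535.
EPHEMERAL_RANGE = (32768, 60999)


def parse_flow(line):
    """Parse one constructed flow line into a dict with typed fields."""
    ts, src, sport, dst, dport = line.split()
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def analyze_flows(lines, min_flows=8, out_of_range_ratio=0.5):
    """Return {(src_ip, dst_ip, dst_port): details} for pairs worth an analyst's look."""
    groups = defaultdict(list)
    for f in map(parse_flow, lines):
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    lo, hi = EPHEMERAL_RANGE
    findings = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue  # too few connections to judge a port pattern
        outside = sum(1 for f in flows if not lo <= f["sport"] <= hi)
        ratio = outside / len(flows)
        if ratio >= out_of_range_ratio:
            span = max(f["ts"] for f in flows) - min(f["ts"] for f in flows)
            findings[key] = {"flows": len(flows), "outside_ephemeral": outside,
                             "ratio": ratio, "window_s": span}
    return findings


SAMPLE_FLOWS = (
    # constructed: browser-like client, OS-assigned ports, busy but benign burst
    [f"{t} 10.0.0.5 {51234 + t} 203.0.113.10 443" for t in range(10)]
    # constructed: client whose source ports to the same destination show no
    # ephemeral-range pattern, each a short flow to the one allowed port 443
    + [f"{10 + i} 10.0.0.7 {p} 203.0.113.10 443" for i, p in enumerate(
        [4660, 25185, 1024, 9001, 14512, 3337, 61001, 7788, 2049, 30000])]
)

if __name__ == "__main__":
    for key, info in analyze_flows(SAMPLE_FLOWS).items():
        print(key, info)
```

Tune `EPHEMERAL_RANGE` per client OS and `min_flows` to the export's sampling rate; the heuristic complements, rather than replaces, L7 inspection of what the flows carry.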