Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking
In this workshop, attendees will use Saucepot C2 in conjunction with the MITRE ATT&CK techniques to conduct specific Red Team activities
Workshop Outline
- Title: Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking
- Date: Nov. 18th 10:00-17:30; Nov. 19th 10:00-16:00
- Event Schedule: TBA
- Venue: ROOM 1
- Registration: Anyone who attends CODE BLUE, on site
- Presenter: Hubert Lin
Abstract
Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or "knocks") to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 elevates the port knocking technique to a new level. Instead of using destination ports (DstPorts) in TCP sessions as knock sequences, it leverages source ports (SrcPorts), also known as ephemeral ports. This approach allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.
In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:

Technique ID | Technique Name                   | Tactic
T1041        | Exfiltration Over C2 Channel     | Exfiltration
T1071.001    | Application Layer Protocol: Web  | Command and Control
T1205.001    | Traffic Signaling: Port Knocking | Command and Control / Defense Evasion
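The abstract's key observation is that a client which picks its own source ports, rather than letting the OS assign ephemeral ones, can signal through a firewall that only permits outbound 443. The defender-side counterpart is to look at exactly that field in connection records. The following is an added example, not code from the workshop or from the Saucepot project: a heuristic that groups outbound connections per (client, server, destination port) and scores the source ports. It assumes Linux clients with the default ephemeral range 32768-60999, and the "signalling" sample uses a hypothetical one-byte-per-connection encoding that is not described on this page; all flow records are constructed.

```python
# Added example (not from the workshop or the Saucepot project): a defender-side
# heuristic over connection records that flags clients whose outbound
# connections to one permitted port use source ports that do not look like
# OS-assigned ephemeral ports. All sample flows below are constructed.
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: Linux clients with the default net.ipv4.ip_local_port_range.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999


@dataclass(frozen=True)
class Flow:
    """One outbound TCP connection as seen in a firewall or NetFlow record."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


def port_entropy_bits(ports):
    """Shannon entropy of the source-port distribution, in bits."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(flows, min_flows=16):
    """Group flows per (client, server, dst_port) and score the source ports.

    A group is flagged when most source ports fall outside the ephemeral
    range, when they cluster in a narrow band, or when the port values carry
    far less entropy than the same number of distinct random ports would.
    This catches narrow-band and repetitive encodings only; it is a triage
    heuristic, not a signature for any particular tool.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src_ip, f.dst_ip, f.dst_port)].append(f)

    findings = {}
    for key, group in groups.items():
        ports = [f.src_port for f in group]
        n = len(ports)
        if n < min_flows:
            continue  # too few connections to judge a distribution
        outside = sum(1 for p in ports if not EPHEMERAL_LOW <= p <= EPHEMERAL_HIGH)
        entropy = port_entropy_bits(ports)
        max_entropy = math.log2(n)  # entropy if every port were distinct
        finding = {
            "flows": n,
            "outside_ephemeral_ratio": outside / n,
            "port_span": max(ports) - min(ports),
            "entropy_bits": round(entropy, 3),
            "mean_bytes_out": sum(f.bytes_out for f in group) / n,
        }
        finding["suspicious"] = (
            finding["outside_ephemeral_ratio"] > 0.5
            or finding["port_span"] < 1024
            or entropy < 0.5 * max_entropy
        )
        findings[key] = finding
    return findings


# Constructed sample: a normal client whose source ports were OS-assigned.
BENIGN_PORTS = [49152, 51230, 58744, 33120, 60001, 41877, 37456, 55290,
                44012, 39765, 52988, 35601, 47333, 59910, 42108, 56789]
# Constructed sample: a client that chooses its own source ports so that each
# connection carries one byte (hypothetical encoding, not Saucepot's).
SIGNAL_PORTS = [1024 + b for b in b"exfil-sample-123"]

SAMPLE_FLOWS = (
    [Flow("10.0.0.5", p, "203.0.113.10", 443, 1800) for p in BENIGN_PORTS]
    + [Flow("10.0.0.9", p, "203.0.113.10", 443, 0) for p in SIGNAL_PORTS]
)


if __name__ == "__main__":
    for key, finding in analyze(SAMPLE_FLOWS).items():
        print(key, finding)
```

On the constructed input the benign client scores 0 for the out-of-range ratio with a wide span and maximal entropy, while the signalling client has every source port below the ephemeral floor and is flagged. The thresholds are deliberately coarse; in a real deployment they would be tuned per OS (Windows and BSD use different default ranges) and combined with the L7 view the workshop's Exercise 5 covers, since a connection that completes a TLS handshake but carries no application data is itself a useful anomaly.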
Saucepot C2 has been open-sourced at https://github.com/netskopeoss/saucepot.
Supported commands or features in Saucepot C2 include:
- Check-in / heartbeat
- Directory listing
- Process listing
- File upload
Workshop Exercises:
Exercise 1: Traditional Port Knocking
Exercise 2: Ephemeral Port Checker
Exercise 3: Data Exfiltration
Exercise 4: Command-and-Control Operations
Exercise 5: Observation of Anomalies at L4 and L7