TCP Bind Listener
The TCP bind listener provides a raw TCP transport for peer-to-peer beacon pivoting. Unlike SMB named pipes, which require SMB (port 445), TCP bind listeners operate on arbitrary TCP ports, making them useful in environments where SMB is filtered but custom TCP ports are accessible.
MITRE ATT&CK
TCP bind pivoting maps to T1572 - Protocol Tunneling.
Configuration
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | -- | Display name for the listener |
| type | string | Yes | -- | Must be "tcp_bind" |
| relay_id | UUID | Yes | -- | Relay hosting the listener |
| port | int | Yes | -- | TCP port to bind |
| guardrails | object | No | -- | Beacon filtering rules (hostname, IP, username patterns) |
Create a TCP Bind Listener
```bash
curl -s -X POST https://stentor.app/api/v1/listeners \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "TCP Pivot",
    "type": "tcp_bind",
    "port": 4444,
    "relay_id": "RELAY_UUID"
  }'
```
P2P Wire Protocol
TCP bind uses a binary wire protocol for beacon communication:
| Message Type | ID | Direction | Description |
|---|---|---|---|
| P2PCheckin | 1 | Beacon → Relay | Beacon heartbeat / check-in |
| P2PCheckinResp | 2 | Relay → Beacon | Relay response with beacon ID |
| P2PGetTask | 3 | Beacon → Relay | Request pending tasks |
| P2PTaskResp | 4 | Relay → Beacon | Deliver task data |
| P2PSubmitResult | 5 | Beacon → Relay | Submit task output |
| P2PResultAck | 6 | Relay → Beacon | Acknowledge result receipt |
Wire format: [type (1 byte)] [length (4 bytes, big-endian)] [payload (N bytes)]
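For detection engineering, the framing and message table above are enough to recognize this traffic in a reassembled TCP stream. The following is an added example, not Stentor's own code: it parses one direction of a flow and checks that every message type is one the claimed sender may emit. `MAX_PAYLOAD`, `min_frames`, and the sample payload bytes are assumptions; the page does not define payload contents or a length limit.

```python
import struct

# Message IDs and senders, copied from the table above.
MSG_TYPES = {
    1: ("P2PCheckin", "beacon"),
    2: ("P2PCheckinResp", "relay"),
    3: ("P2PGetTask", "beacon"),
    4: ("P2PTaskResp", "relay"),
    5: ("P2PSubmitResult", "beacon"),
    6: ("P2PResultAck", "relay"),
}
HEADER = struct.Struct(">BI")   # type (1 byte) + length (4 bytes, big-endian)
MAX_PAYLOAD = 16 * 1024 * 1024  # assumed sanity bound, not stated on the page


def parse_frames(stream: bytes):
    """Split one direction of a reassembled TCP stream into (type, payload) frames.

    Returns (frames, leftover). leftover holds a trailing partial frame, if any.
    Raises ValueError when the bytes cannot be this framing.
    """
    frames, off = [], 0
    while len(stream) - off >= HEADER.size:
        mtype, length = HEADER.unpack_from(stream, off)
        if mtype not in MSG_TYPES:
            raise ValueError(f"unknown message type {mtype} at offset {off}")
        if length > MAX_PAYLOAD:
            raise ValueError(f"implausible length {length} at offset {off}")
        end = off + HEADER.size + length
        if end > len(stream):
            break  # truncated capture: keep the partial frame as leftover
        frames.append((mtype, stream[off + HEADER.size:end]))
        off = end
    return frames, stream[off:]


def matches_p2p(stream: bytes, sender: str, min_frames: int = 2) -> bool:
    """Heuristic: every frame parses and its type is one `sender` may emit."""
    try:
        frames, _ = parse_frames(stream)
    except ValueError:
        return False
    return len(frames) >= min_frames and all(MSG_TYPES[t][1] == sender for t, _ in frames)


# Constructed sample streams; payload contents are placeholders.
BEACON_SIDE = b"\x01\x00\x00\x00\x07checkin" b"\x03\x00\x00\x00\x00" b"\x05\x00\x00\x00\x06output"
RELAY_SIDE = b"\x02\x00\x00\x00\x02id" b"\x04\x00\x00\x00\x04task" b"\x06\x00\x00\x00\x00"
HTTP_SIDE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

A five-byte header with only six valid type values is a weak signature on its own, so treat a match as a lead to correlate with the unexpected listening port rather than as a verdict.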
Beacon Linking
Connect to a TCP bind beacon from a parent beacon:
Disconnect a linked child:
Use Cases
- SMB-filtered networks: When port 445 is blocked between segments but custom TCP ports are allowed
- Non-Windows targets: TCP bind doesn't require the Windows SMB stack
- Custom port pivoting: Bind on ports that blend with expected traffic (e.g., 8080, 3389)
OPSEC Considerations
- Opens a listening TCP port on the relay -- detectable via port scanning
- Raw TCP traffic without TLS may be inspected by network monitoring
- Consider using HTTPS or SMB listeners for environments with deep packet inspection