February 29, 2012
New tool release - "Egress Buster" - Find outbound ports
Written by David Kennedy
A friend was recently on a penetration test and needed a port on the outside. I haven't found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I'll probably go back and clean it up sometime. There are some limitations: for one, operating systems in general start to puke when you generate over 1000 listeners, so you will need to test 1000 at a time. The good news is that the socket handlers are multi-threaded, so you can cycle through about 1000 ports in well under a minute. Here's the general concept:
You are on the inside network somehow and need to find what ports are allowed out to the Internet. There are two main files/components: egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to reach an Internet-facing computer that's running egress_listener.
Very simple to run:
On victim:
egressbuster.exe
example: egressbuster.exe 208.1.1.1 1-1000
In the above example, we specify the low and high ends of the port range; egressbuster will attempt to connect outbound on every port from 1 to 1000 to wherever egress_listener is running.
The listener:
python egress_listener.py
example: python egress_listener.py 1-1000
In the above example, we just specify what range we need to listen on, so the listener accepts incoming connections on ports 1 through 1000. When a connection is established, this is what you'll see on the listener side:
192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178
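As an added illustration of the two halves described above (this is example code, not the tool's own source), here is a minimal Python reimplementation of both sides: egress_listener binds every port in a range with one accept thread per port and records the source address that reached each one, and egress_bust tries each port outbound with a short timeout and returns the ones that got through. The names egress_listener and egress_bust, the 127.0.0.1 host and the 42100-42110 range used for a local run are assumptions.

```python
import socket
import threading

def egress_listener(ports, host="0.0.0.0", wait=5.0):
    # Listener side: bind each port, one accept thread per port. Returns
    # (bound_ports, seen, done): seen fills in as hits arrive, done() joins threads.
    seen, servers, threads = {}, [], []

    def serve(srv, port):
        try:
            conn, addr = srv.accept()           # one hit per port is all we need
        except socket.timeout:                  # nothing reached this port in time
            return
        seen[port] = addr[0]
        print(f"{addr[0]} connected on port: {port}")
        conn.close()

    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            srv.bind((host, port))
        except OSError:                         # port already in use here: skip it
            srv.close()
            continue
        srv.listen(5)
        srv.settimeout(wait)
        servers.append(srv)
        threads.append(threading.Thread(target=serve, args=(srv, port), daemon=True))
        threads[-1].start()

    def done():
        for t in threads:
            t.join()
        for s in servers:
            s.close()

    return [s.getsockname()[1] for s in servers], seen, done

def egress_bust(target, ports, timeout=0.5):
    # Client side: try each port outbound and return the ones that connected;
    # test about 1000 at a time, as the post advises.
    allowed = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((target, port))
                allowed.append(port)
            except OSError:                     # filtered, refused, or timed out
                pass
    return allowed
```

Run the listener on a host outside the filtered network and the client inside it; the difference between the range tested and the ports reported as allowed is exactly what the egress policy is blocking.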
If you're interested, download the byte-compiled code and the Python source here.