Thursday, June 28, 2012

“Egress Buster” – Find outbound ports

A friend was recently on a penetration test and needed a port on the outside. I haven’t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I’ll probably go back and clean it up sometime. There are some limitations, for one, operating systems in general start to puke when you generate over a 1000 listeners, so you will need to test a 1000 at at time. Good news is the socket handlers are multi-threaded so you can cycle through about a 1000 ports in well under a minute. Here’s the general concept:
You are on the inside network somehow and need to find what ports are allowed out to the Internet. There’s two main files/components – egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet facing computer thats running egress_listener.
Very simple to run:
On victim:

example: egressbuster.exe 1-1000

In the above example, we specify a low port range and high port range, egressbuster will attempt to connect from port 1 to 1000 outbound to wherever the reverse_listener is.
The listener:

example: python 1-1000

In the above example, we just specify what ranges we need to listen to. In the above example we listen from 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side. connected on port: 170 connected on port: 171 connected on port: 172 connected on port: 173 connected on port: 174 connected on port: 175 connected on port: 176 connected on port: 177 connected on port: 178

If your interested, download the byte compiled code and the python source here.

1 comment:

  1. Firebind can do everything above and do it for any or all 64k TCP or UDP ports.