Showing posts with label Network. Show all posts

Thursday, June 28, 2012

“Egress Buster” – Find outbound ports

A friend was recently on a penetration test and needed a port on the outside. I haven’t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I’ll probably go back and clean it up sometime. There are some limitations: for one, operating systems in general start to puke when you generate over 1000 listeners, so you will need to test 1000 at a time. The good news is that the socket handlers are multi-threaded, so you can cycle through about 1000 ports in well under a minute. Here’s the general concept:
You are on the inside network somehow and need to find what ports are allowed out to the Internet. There are two main files/components: egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet-facing computer that’s running egress_listener.
Very simple to run:
On victim:

egressbuster.exe  
example: egressbuster.exe 208.1.1.1 1-1000



In the above example, we specify a low port and a high port for the range; egressbuster will attempt to connect outbound on ports 1 through 1000 to wherever the listener is running.
The listener:

python egress_listener.py 
example: python egress_listener.py 1-1000


Here we just specify the range of ports to listen on; in this example we listen on ports 1 through 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side:

192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178

If you’re interested, download the byte compiled code and the python source here.
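
An added example, not part of the original post or the Egress Buster source: a Python script that parses listener output in the format shown above, collapses the ports that got through into ranges, and lists any that fall outside the intended egress allow-list. The sample lines and the `ALLOWED_EGRESS` set are constructed for illustration.

```python
import re
from collections import defaultdict

# Line format printed by the listener, as shown in the post's sample output.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) connected on port: (\d+)$")

def parse_listener_output(text):
    """Return {source_ip: set(ports)} from listener output; skip other lines."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and 1 <= int(m.group(2)) <= 65535:
            seen[m.group(1)].add(int(m.group(2)))
    return dict(seen)

def collapse(ports):
    """Collapse a set of ports into sorted inclusive (low, high) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def policy_violations(seen, allowed):
    """Ports that reached the listener but are not in the egress allow-list."""
    return {ip: collapse(ports - allowed)
            for ip, ports in seen.items() if ports - allowed}

# Constructed sample: same line format as the post's output, different ports.
SAMPLE = """\
192.168.235.131 connected on port: 53
192.168.235.131 connected on port: 80
192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 443
listener noise that should be ignored
"""
ALLOWED_EGRESS = {53, 80, 443}  # hypothetical intended firewall policy

if __name__ == "__main__":
    seen = parse_listener_output(SAMPLE)
    for ip, ports in seen.items():
        print(ip, "reached listener on", collapse(ports))
    for ip, ranges in policy_violations(seen, ALLOWED_EGRESS).items():
        print(ip, "unexpected egress:", ranges)
```

Any range reported as unexpected egress is a firewall rule to review, since it is an outbound path that the stated policy did not intend to allow.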

Thursday, February 24, 2011

How To Count The Number Of Hosts In NMAP Network Scan Results With Zenmap

Earlier today, while working with a friend at our offices, we were playing around with a large NMAP scan of the anoNet network. His computer would not open the network topology in Zenmap because of a lack of RAM, so we were looking at it on another laptop with much more RAM. After discussing it for a little bit we were curious how many hosts had been discovered on anoNet, but initially I didn’t see an easy way to get this information. Use the information below for a quick count of hosts in Zenmap discovered via an NMAP scan.

Count Number Of Hosts Located Via NMAP Scan With Zenmap GUI
  1. Open Zenmap: First open the Zenmap GUI. On Windows 7 you can accomplish this by typing zenmap in the Search Programs and Files field in your Windows 7 Start Menu and then pressing Enter, which will launch the Zenmap GUI as shown in the below example image.
    Zenmap: The NMAP GUI
  2. Open NMAP Scan Results: Now click Scan in the top navigation menu and select Open Scan In This Window from the drop down menu as shown in the below image.
    Zenmap: Open Scan Results In This Window
    Browse to the location of the scan results file such as scan-results.xml and open the file which will provide a view similar to the below example window in Zenmap.
    anoNet NMAP Scan Results In Zenmap
  3. Zenmap Filter Hosts: Select Tools from the top navigation menu and select Filter Hosts from the drop down menu as shown in the below example image.
    Zenmap Tools Filter Hosts

    Once Filter Hosts has been selected a new bar will show at the bottom of Zenmap as shown in the below example image.
    Zenmap Displaying Total Number Of Hosts In NMAP Scan Results
    At the beginning of this new bar it will show how many hosts are being displayed out of the total number of hosts in the NMAP scan. In this example there were 2,693 hosts found on anoNet.
So it was extremely easy to display the total number of hosts in an NMAP scan via Zenmap, but I wanted to note it since there is no menu item that specifically says it displays the total number of hosts.

Thanks to Alex from question-defense.com for this; it gave me an idea to do something