Something that is often useful is a known-good. Something out of the control of your adversary or outside modifiers. But back to that in a sec, egress ‘busting’ or getting your payload/backdoor/trojan/c2 out of someone’s network once you’ve gotten that ever elusive “CODE EXECUTION HAPPY DANCE” going on isn’t always easy. There is even a Metasploit payload for it called ‘allports’:
There is also ‘Egress Buster’ by the guys over at TrustedSec which can do 1000 ports in just a few seconds:
https://www.trustedsec.com/july-2012/egress-buster-reverse-bypassav/
The problem I find with these tools is that they are still straight TCP. *(Yes, yes I know most networks still allow some ports directly outbound) and these tools are still quite valid. During the span between these two tools being released, MrB released a site that listens on all 65k ports: http://open.zorinaq.com/about/
Figured I should merge these ideas and add a few more capabilities (and show you how I did it so you can do so yourself), and so LetMeOutOfYour.net was born.
You can hit any subdomain or hostname of letmeoutofyour.net on any port with any HTTP Verb for any resource (web page or folder) and you will always receive a ‘w00tw00t’ back.
For example this request (removed the unimportant headers on the request to save space):
1 2 3 4 | |
Will result in this:
1 2 3 4 5 6 7 8 9 10 11 12 | |
All of those headers are standard Apache headers with the content being just ‘w00tw00t’. Making the connection an HTTP one opens a few doors to things like proxies. It’s ok to cackle at this point.
In the following parts I’ll show you how to build the server itself and a binary to find it’s way out of networks. Feel free to point your own domains at the IP it’s hosted on, it can handle it. Have a try, I know you want to:
http://youshouldreally.letmeoutofyour.net/before/i/get/angry/and/youwouldntlikemewhenimangry.asp