You’ve achieved code execution on a machine, but for some reason your reverse shell isn’t pinging you back. Or that wget/tftp command isn’t downloading your recon/post-exploitation tools. There’s a chance you’re dealing with an egress problem. Typical ports that need outboud access are blocked. You try the main ones you can think of (21, 22, 53, 80, 8080, 443), but none of them seem to be connecting. Do you start at 1 and manually test? NO! The hallmarks of any decent programmer/hacker is laziness. So let’s get lazy.
There’s a few methods to achieve this, but at each of their cores, these 2 things are happening.
- The attacking machine (18.104.22.168) needs to listen for something on every port.
- Your victim machine (22.214.171.124.) needs to try to hit your machine on every port.
netcat and iptables
For the attacker
Set all ports to redirect to a listener you’ve started.
iface=eth0 ip=126.96.36.199 lport=8080 iptables -t nat -A PREROUTING -i $iface -p tcp --dport 1:65535 -j DNAT --to-destination $ip:$lport nc -nvlp $lport
For the victim machine
for port in (1..1000); do echo "Trying $port" nc -z -w1 188.8.131.52 $port done
Netcat DOES accept ranges, so the following also works:
nc -w1 184.108.40.206 1-1000. I usually find
that the bash loop’s logging makes it easier to ID what worked if you walk away for a bit while it
If you have a GUI available on the attacking machine, you can repeat the above scenario, but substitute the iptables and nc commands for wireshark with a sane filter; something like
ip.src == 220.127.116.11
You should be able to watch the window for incoming packets and determine on which port the victim machine was able to connect.
If you’ve the ability to get files onto the target machine, the most robust option is egress-buster. The readme does a great job explaining usage, but it’s basically the first method, using iptables and python. It consists of two scripts, a client and a server. It also has an option to automatically start the reverse shell once it finds an available outgoing part.