thoughts go here
Egress controls can help mitigate various attack scenarios, mostly ones related to some form of Social Engineering. For instance, if an attacker is able to execute a payload on a victim machine that calls back to a command and control center, restrictive filtering can help prevent the successfulness of the payload by not allowing traffic outbound on the designed port. This isn’t a silver bullet, as most sophisticated payloads will be proxy aware or will be able to call out on multiple ports. However, proper egress controls are still important.
Hopefully, you can adequately review your outbound filtering by simply reviewing your firewall configurations. But, just like everything, you should test these controls to make sure something hasn’t slipped through the cracks. A coworker (Dan Kottmann) and myself wrote egscape to perform this type of testing.
Egscape consists of two pieces, a client and a sniffer.
The client is written in .NET and is a simple cli based port scanner. Side note, C# has some incredibly powerful features. During development, I wanted to implement a thread pool with a queue, this took 2 lines of code. Still not a fan, and I will probably never using .NET unless I have to, but that’s pretty neat. Anyway, back on topic. Egscape has options for TCP, UDP, and proxy scanning. The proxy scanning option sends requests on each port through your proxy via a web request, so you can verify those controls as well. It’s not as optimized as it could be, but it gets the job done. A good replacement if you’re looking for something faster for TCP and UDP would be Nmap.
The sniffer is written in Python and utilizes Scapy. Important distinction between egscape and other tools of this nature is that egscape simply sniffs for incoming packets, where as similar tools actually create a TCP listener on every port. The sniffer must have unrestricted access to the Internet.
The client performs the port scan and the sniffer logs packets that have been able to pass through the network. Syntax for both the client and the sniffer is straight forward.
Egscape-cli.exe <scan type> <host> <port string>
egscape-server.py <interface> <client ip>
If you ever played StarCraft you may know that the cheat “black sheep wall” removed the fog of war, revealing the entire map. That’s what we intended to do for host discovery, reveal all of the hosts and vhosts present on a target domain or IP address. Host and domain reconnaissance is not a new idea, there are many similar tools already written to handle this task, including fierce and dnsrecon. Both are great.
However, we wanted something faster and we also wanted some additional functionality. Jason Doyle and I built blacksheepwall using Node. This allows us to create tons of requests asynchronously, making it possible to look up 2000+ possible subdomains in just over 5 seconds. It creates so many requests that if you don’t set your name server for something like 18.104.22.168, well; you’re going to have a bad time.
We’ve built out all of the standard options that you would expect including dictionary based host discovery, but also added some new methods for discovery including Bing and certificate parsing. There are a handful of other options, all hopefully well documented in the usage.