Wednesday, April 30, 2014

Egress Testing using PowerShell

Imagine that you have pwned a box during a pen test. You want to know whether it can reach the internet (or another network) and on which ports. That is what egress testing means to me. I am happy to give you FireBuster and FireListener, a pair of PowerShell scripts that can be used for this purpose. The scripts were written by Nikhil Sreekumar (@roo7break) and me (yes, we have the same first name :P). He blogged about them some time back; you can read about it here. The code has been updated and improved for Nishang.

The scripts are used like this:

1. Run FireListener on our machine (we are the attacker, so this is the listening side).



2. Run FireBuster on the target machine, pointing it at the listener.



3. The ports on which a connection arrived show up on the FireListener console; those are the ports open for egress.



Handy!
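To make the listener/buster split concrete, here is an added example, written for this page and not Nishang's own FireBuster or FireListener code, that performs the same check with two PowerShell functions. The listener address 203.0.113.10, the port ranges and the timeouts are placeholders chosen for illustration.

```powershell
# Added example (not Nishang's FireBuster/FireListener).
#   Invoke-EgressListener - run on the attacker box: binds a TCP port range and
#                           reports every port that receives a connection.
#   Invoke-EgressBuster   - run on the compromised box: tries to connect out to
#                           the listener on each port in the range.
# Addresses, port ranges and timeouts below are illustrative placeholders.

function Invoke-EgressListener {
    param(
        [int]$StartPort = 1,
        [int]$EndPort = 100,
        [string]$BindAddress = '0.0.0.0',
        [int]$TimeoutSeconds = 60
    )
    $addr = [System.Net.IPAddress]::Parse($BindAddress)
    $listeners = @{}
    foreach ($port in $StartPort..$EndPort) {
        try {
            $l = New-Object System.Net.Sockets.TcpListener($addr, $port)
            $l.Start()
            $listeners[$port] = $l
        } catch {
            # Port already in use by something else on this box: skip it, but say so,
            # otherwise a "closed" result for that port would be our fault, not the firewall's.
            Write-Warning "Could not bind port ${port}: $($_.Exception.Message)"
        }
    }
    Write-Host ("Listening on {0} ports for {1} seconds" -f $listeners.Count, $TimeoutSeconds)
    $seen = @()
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($port in @($listeners.Keys)) {
            $l = $listeners[$port]
            # Pending() is non-blocking, so a single thread can poll hundreds of
            # sockets instead of running one background job per port.
            while ($l.Pending()) {
                $client = $l.AcceptTcpClient()
                $remote = $client.Client.RemoteEndPoint.ToString()
                Write-Host "Port $port reachable from $remote"
                if ($seen -notcontains $port) { $seen += $port }
                $client.Close()
            }
        }
        Start-Sleep -Milliseconds 100
    }
    foreach ($l in $listeners.Values) { $l.Stop() }
    # Return the ports that actually received a connection
    $seen | Sort-Object
}

function Invoke-EgressBuster {
    param(
        [Parameter(Mandatory=$true)][string]$Target,
        [int]$StartPort = 1,
        [int]$EndPort = 100,
        [int]$TimeoutMs = 500
    )
    foreach ($port in $StartPort..$EndPort) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            # BeginConnect + WaitOne gives a real per-port timeout; a plain Connect()
            # can hang for tens of seconds on a port that is silently dropped.
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)   # throws if the connect was refused or reset
                $ok = $true
            }
        } catch {
            $ok = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Port = $port; Egress = $ok }
    }
}

# Usage (two machines; 203.0.113.10 is the placeholder listener address):
#   attacker:  Invoke-EgressListener -StartPort 1 -EndPort 1024 -TimeoutSeconds 120
#   target:    Invoke-EgressBuster -Target 203.0.113.10 -StartPort 1 -EndPort 1024 |
#                  Where-Object { $_.Egress } | Select-Object -ExpandProperty Port
```

Two things to keep in mind when running it. The attacker box must itself accept inbound connections on the whole range (Windows Firewall included), or ports will look blocked for reasons that have nothing to do with the target's egress rules; the bind warnings cover the other local cause. And treat the listener's output as the authoritative result: the buster's "connected" only proves that something completed the TCP handshake, which an inline proxy or firewall on the target's side can do without the packet ever reaching you.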

LIMITATION
When FireListener is used for more than 100-150 ports, it overwhelms the listening machine (the attacker's machine). I am trying to improve on this, and I would really appreciate it if someone else can improve it too. Also, FireListener sometimes "misses" restarting a job for a port on which a connection has been made. This is due to the delay introduced before the jobs are restarted.

With this blog post, some more updates have been pushed to Nishang. The CHANGELOG:

0.3.2.2
- Download_Execute_PS.ps1 can now download and execute a PowerShell script without writing it to disk.
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 now execute the payload without downloading a file to disk.
- Fixed help in Brute-Force function in Powerpreter.
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute PowerShell scripts without downloading a file to disk.
- Added Firebuster.ps1 and Firelistener.ps1

Firebuster and Firelistener are available in Nishang repository.
http://code.google.com/p/nishang/source/browse/trunk


I would love to hear feedback and bugs on this. Please leave comments.
