Let Me Out of Your .NET Work: Intro

Wednesday, September 05, 2012

Rob Fuller

D8853ae281be8cfdfa18ab73608e8c3f

Something that is often useful is a known-good. Something out of the control of your adversary or outside modifiers.

But back to that in a sec, egress ‘busting’ or getting your payload/backdoor/trojan/c2 out of someone’s network once you’ve gotten that ever elusive “CODE EXECUTION HAPPY DANCE” going on isn’t always easy.

There is even a Metasploit payload for it called ‘allports’:

There is also ‘Egress Buster’ by the guys over at TrustedSec which can do 1000 ports in just a few seconds:

The problem I find with these tools is that they are still straight TCP. *(Yes, yes I know most networks still allow some ports directly outbound) and these tools are still quite valid. During the span between these two tools being released, MrB released a site that listens on all 65k ports:

Figured I should merge these ideas and add a few more capabilities (and show you how I did it so you can do so yourself), and so LetMeOutOfYour.net was born.

You can hit any subdomain or hostname of letmeoutofyour.net on any port with any HTTP Verb for any resource (web page or folder) and you will always receive a ‘w00tw00t’ back.

For example this request (removed the unimportant headers on the request to save space):

POST /admin/login.php HTTP/1.1
Host: development.letmeoutofyour.net:8081


username=admin&password=password

Will result in this:

HTTP/1.1 200 OK
Date: Sat, 11 Aug 2012 02:21:54 GMT
Server: Apache
Last-Modified: Sat, 11 Aug 2012 02:16:55 GMT
Accept-Ranges: bytes
Content-Length: 9
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

w00tw00t

All of those headers are standard Apache headers with the content being just ‘w00tw00t’. Making the connection an HTTP one opens a few doors to things like proxies. It’s ok to cackle at this point.

In the following parts I’ll show you how to build the server itself and a binary to find it’s way out of networks. Feel free to point your own domains at the IP it’s hosted on, it can handle it. Have a try, I know you want to:

Cross-posted from Room362

Possibly Related Articles:
12922
Network->General
Information Security
Methodologies Hacking Tools Penetration Testing Metasploit Network Security TCP Pentesting
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.