Generate TCP/UDP Outbound Traffic On Multiple Ports - Metasploit
This page contains detailed information about how to use the post/multi/recon/multiport_egress_traffic metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Generate TCP/UDP Outbound Traffic On Multiple Ports
Module: post/multi/recon/multiport_egress_traffic
Source code: modules/post/multi/recon/multiport_egress_traffic.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Solaris, Unix, Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module generates TCP or UDP traffic across a sequence of ports, and is useful for finding firewall holes and egress filtering. It only generates traffic on the port range you specify. It is up to you to run a responder or packet capture tool on a remote endpoint to determine which ports are open.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/recon/multiport_egress_traffic
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/recon/multiport_egress_traffic
msf post(multiport_egress_traffic) > show options
... show and set options ...
msf post(multiport_egress_traffic) > set SESSION session-id
msf post(multiport_egress_traffic) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/multi/recon/multiport_egress_traffic")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
SESSION: The session to run this module on.
TARGET: Destination IP address.
Knowledge Base
This is a Meterpreter post exploitation module that will generate TCP and UDP packets on a range of ports and send them to a provided IP address. The primary purpose of this is for 'egress busting' and provides a rapid method of generating legitimate TCP or UDP traffic on each port. This is useful for red-teaming type exercises in which you have meterpreter running on a host but wish to determine additional ports over which egress traffic is permitted.
It can generate the packets in two different ways; it can call the Windows sockets API (using railgun for Windows clients) or it can create the packets using Rex.
NATIVE mode uses Rex sockets to generate traffic. WINAPI mode uses Winsock APIs to generate traffic.
As it currently stands, the user will need to set up a listener/tcpdump/wireshark to determine the ports that are open. My egresscheck-framework code can help with that, but any listener would be fine.
Example - Windows Meterpreter
Scenario is:
- The victim host is 192.0.2.104
- The attacker is 192.0.2.1
- The attacker wishes to generate TCP packets to 192.0.2.1 (with meterpreter on 192.0.2.104) on ports 22,23,53,80,88,443 and 445 to see if any of the packets reach 192.0.2.1. Note that the attacker has control of 192.0.2.1.
- The compromised machine is a Windows 8.1 machine
msf> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 TESTER\Stuart @ TESTER 192.0.2.1:9877 -> 192.0.2.104:43595 (192.0.2.104)
msf> set METHOD NATIVE
METHOD => NATIVE
msf> set PORTS 22,23,53,80,88,443,445
PORTS => 22,23,53,80,88,443,445
msf> set PROTOCOL TCP
PROTOCOL => TCP
msf> set SESSION 2
SESSION => 2
msf> set TARGET 192.0.2.1
TARGET => 192.0.2.1
msf> set THREADS 3
THREADS => 3
msf> show options
Module options (post/multi/manage/multiport_egress_traffic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI)
PORTS 22,23,53,80,88,443,445 yes Ports to test.
PROTOCOL TCP yes Protocol to use. (Accepted: TCP, UDP)
SESSION 2 yes The session to run this module on.
TARGET 192.0.2.1 yes Destination IP address.
THREADS 3 yes Number of simultaneous threads/connections to try.
msf> run
[*] Generating TCP traffic to 192.0.2.1...
[*] TCP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
msf> set VERBOSE TRUE
VERBOSE => TRUE
msf> run
[*] Number of threads: 3.
[*] Generating TCP traffic to 192.0.2.1...
[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/23
[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/53
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/22
[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/53
[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/23
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/22
[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/88
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/80
[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/443
[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/88
[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/443
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/80
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/445
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/445
[*] TCP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
Here is an example with the METHOD parameter set to WINAPI:
msf> set METHOD WINAPI
METHOD => WINAPI
msf> run
[*] Number of threads: 3.
[*] Generating TCP traffic to 192.0.2.1...
[*] [2:WINAPI] Set up socket for 192.0.2.1 port TCP/53 (Handle: 14908)
[*] [1:WINAPI] Set up socket for 192.0.2.1 port TCP/23 (Handle: 14856)
[*] [2:WINAPI] Connecting to 192.0.2.1:TCP/53
[*] [1:WINAPI] Connecting to 192.0.2.1:TCP/23
[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/22 (Handle: 14300)
[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/22
[*] [2:WINAPI] There was an error sending a connect packet for TCP socket (port 53) Error: 10061
[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 22) Error: 10061
[*] [1:WINAPI] There was an error sending a connect packet for TCP socket (port 23) Error: 10061
[*] [1:WINAPI] Set up socket for 192.0.2.1 port TCP/88 (Handle: 13868)
[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/80 (Handle: 14300)
[*] [1:WINAPI] Connecting to 192.0.2.1:TCP/88
[*] [2:WINAPI] Set up socket for 192.0.2.1 port TCP/443 (Handle: 14908)
[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/80
[*] [2:WINAPI] Connecting to 192.0.2.1:TCP/443
[*] [1:WINAPI] There was an error sending a connect packet for TCP socket (port 88) Error: 10061
[*] [2:WINAPI] There was an error sending a connect packet for TCP socket (port 443) Error: 10061
[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 80) Error: 10061
[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/445 (Handle: 13868)
[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/445
[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 445) Error: 10061
[*] TCP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
UDP also works correctly:
msf> set PROTOCOL UDP
PROTOCOL => UDP
msf> set METHOD NATIVE
METHOD => NATIVE
msf> show options
Module options (post/multi/manage/multiport_egress_traffic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI)
PORTS 22,23,53,80,88,443,445 yes Ports to test.
PROTOCOL UDP yes Protocol to use. (Accepted: TCP, UDP)
SESSION 2 yes The session to run this module on.
TARGET 192.0.2.1 yes Destination IP address.
THREADS 3 yes Number of simultaneous threads/connections to try.
msf> run
[*] Number of threads: 3.
[*] Generating UDP traffic to 192.0.2.1...
[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/23
[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/53
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/22
[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/443
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/80
[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/88
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/445
[*] UDP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
Note that the errors showing in verbose mode are normal; this is because there is nothing actually listening on any of those ports, meaning that the calls will fail.
Running tcpdump on 192.0.2.1 showed all the connection attempts as normal.
Example - Linux Meterpreter
Scenario is:
- The victim host is 192.0.2.103
- The attacker is 192.0.2.1
- The attacker wishes to generate TCP packets to 192.0.2.1 (with linux meterpreter on 192.0.2.103) on ports 22,23,53,80,88,443 and 445 to see if any of the packets reach 192.0.2.1. Note that the attacker has control of 192.0.2.1.
- The compromised machine is a Linux machine (running Kali)
msf> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
4 meterpreter x86/linux uid=1000, gid=1001, euid=1000, egid=1001, suid=1000, sgid=1001 @ kali 192.0.2.1:4322 -> 192.0.2.103:37489 (192.0.2.103)
msf> run
[*] Number of threads: 3.
[*] Generating TCP traffic to 192.0.2.1...
[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/23
[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/53
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/22
[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/23
[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/88
[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/53
[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/443
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/22
[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/88
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/80
[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/443
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/80
[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/445
[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/445
[*] TCP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
msf> set PROTOCOL UDP
PROTOCOL => UDP
msf> run
[*] Number of threads: 3.
[*] Generating UDP traffic to 192.0.2.1...
[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/23
[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/53
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/22
[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/443
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/80
[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/88
[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/445
[*] UDP traffic generation to 192.0.2.1 completed.
[*] Post module execution completed
msf> show options
Module options (post/multi/manage/multiport_egress_traffic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI)
PORTS 22,23,53,80,88,443,445 yes Ports to test.
PROTOCOL UDP yes Protocol to use. (Accepted: TCP, UDP)
SESSION 4 yes The session to run this module on.
TARGET 192.0.2.1 yes Destination IP address.
THREADS 3 yes Number of simultaneous threads/connections to try.
msf>
Future Work
This module did not appear to work on python meterpreter.
Go back to menu.
Msfconsole Usage
Here is how the multi/recon/multiport_egress_traffic post exploitation module looks in the msfconsole:
msf6 > use post/multi/recon/multiport_egress_traffic
msf6 post(multi/recon/multiport_egress_traffic) > show info
Name: Generate TCP/UDP Outbound Traffic On Multiple Ports
Module: post/multi/recon/multiport_egress_traffic
Platform: Linux, OSX, Unix, Solaris, BSD, Windows
Arch:
Rank: Normal
Provided by:
Stuart Morgan <[email protected]>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI)
PORTS 22,23,53,80,88,443,445,33434-33534 yes Ports to test.
PROTOCOL TCP yes Protocol to use. (Accepted: TCP, UDP, ALL)
SESSION yes The session to run this module on.
TARGET yes Destination IP address.
THREADS 20 yes Number of simultaneous threads/connections to try.
Description:
This module generates TCP or UDP traffic across a sequence of ports,
and is useful for finding firewall holes and egress filtering. It
only generates traffic on the port range you specify. It is up to
you to run a responder or packet capture tool on a remote endpoint
to determine which ports are open.
Module Options
This is a complete list of options available in the multi/recon/multiport_egress_traffic post exploitation module:
msf6 post(multi/recon/multiport_egress_traffic) > show options
Module options (post/multi/recon/multiport_egress_traffic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI)
PORTS 22,23,53,80,88,443,445,33434-33534 yes Ports to test.
PROTOCOL TCP yes Protocol to use. (Accepted: TCP, UDP, ALL)
SESSION yes The session to run this module on.
TARGET yes Destination IP address.
THREADS 20 yes Number of simultaneous threads/connections to try.
Advanced Options
Here is a complete list of advanced options supported by the multi/recon/multiport_egress_traffic post exploitation module:
msf6 post(multi/recon/multiport_egress_traffic) > show advanced
Module advanced options (post/multi/recon/multiport_egress_traffic):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/recon/multiport_egress_traffic module can do:
msf6 post(multi/recon/multiport_egress_traffic) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/recon/multiport_egress_traffic post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/recon/multiport_egress_traffic) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- [<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>
- [<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>
- This module requires meterpreter
- The WINAPI method requires Windows, railgun and support for winsock APIs. Try using the NATIVE method instead.
- This module cannot be used without native meterpreter at present
- Error getting session to route egress traffic through to <REMOTE>
- [<NUM>:WINAPI] Error setting up socket for <REMOTE>; Error: <VALUE>
- GetLastError
- [<NUM>:WINAPI] There was an error sending a connect packet for <PROTO> socket (port <DPORT>) Error: <GETLASTERROR>
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
[<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>
Here is a relevant code snippet related to the "[<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>" error message:
53: 'Comm' => gw,
54: 'PeerHost' => ip,
55: 'PeerPort' => port
56: )
57: rescue
58: vprint_status("[#{num}:NATIVE] Error connecting to #{ip} #{proto}/#{port}")
59: end
60: elsif proto == 'UDP'
61: begin
62: rudp = Rex::Socket::Udp.create(
63: 'Comm' => gw,
[<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>
Here is a relevant code snippet related to the "[<NUM>:NATIVE] Error connecting to <IP> <PROTO>/<PORT>" error message:
64: 'PeerHost' => ip,
65: 'PeerPort' => port
66: )
67: rudp.sendto('.', ip, port, 0) if rudp
68: rescue
69: vprint_status("[#{num}:NATIVE] Error connecting to #{ip} #{proto}/#{port}")
70: end
71: end
72: end
73:
74: def winapi_make_connection(remote, dst_port, socket_handle, proto)
This module requires meterpreter
Here is a relevant code snippet related to the "This module requires meterpreter" error message:
85: remote = datastore['TARGET']
86: thread_num = datastore['THREADS']
87: proto = datastore['PROTOCOL']
88:
89: unless client.type == "meterpreter"
90: print_error("This module requires meterpreter")
91: return
92: end
93:
94: # If we want WINAPI egress, make sure winsock is loaded
95: if type == 'WINAPI'
The WINAPI method requires Windows, railgun and support for winsock APIs. Try using the NATIVE method instead.
Here is a relevant code snippet related to the "The WINAPI method requires Windows, railgun and support for winsock APIs. Try using the NATIVE method instead." error message:
92: end
93:
94: # If we want WINAPI egress, make sure winsock is loaded
95: if type == 'WINAPI'
96: unless client.railgun.ws2_32 && client.platform == 'windows'
97: print_error("The WINAPI method requires Windows, railgun and support for winsock APIs. Try using the NATIVE method instead.")
98: return
99: end
100: end
101:
102: unless [ARCH_X64, ARCH_X86].include?(client.arch)
This module cannot be used without native meterpreter at present
Here is a relevant code snippet related to the "This module cannot be used without native meterpreter at present" error message:
98: return
99: end
100: end
101:
102: unless [ARCH_X64, ARCH_X86].include?(client.arch)
103: print_error("This module cannot be used without native meterpreter at present")
104: return
105: end
106:
107: ports = Rex::Socket.portspec_crack(datastore['PORTS'])
108:
Error getting session to route egress traffic through to <REMOTE>
Here is a relevant code snippet related to the "Error getting session to route egress traffic through to <REMOTE>" error message:
138: end
139:
140: gw = 0
141: if type == 'NATIVE'
142: unless (gw = framework.sessions.get(datastore['SESSION'])) && (gw.is_a?(Msf::Session::Comm))
143: print_error("Error getting session to route egress traffic through to #{remote}")
144: return
145: end
146: end
147:
148: str_proto = (proto == 'ALL') ? 'TCP and UDP' : proto
[<NUM>:WINAPI] Error setting up socket for <REMOTE>; Error: <VALUE>
Here is a relevant code snippet related to the "[<NUM>:WINAPI] Error setting up socket for <REMOTE>; Error: <VALUE>" error message:
188:
189: # This will generate a packet on proto <proto> to IP <remote> on port <dport>
190: def winapi_egress_to_port(proto, remote, dport, num)
191: socket_handle = winapi_create_socket(proto)
192: if socket_handle['return'] == 0
193: vprint_status("[#{num}:WINAPI] Error setting up socket for #{remote}; Error: #{socket_handle['GetLastError']}")
194: return
195: else
196: vprint_status("[#{num}:WINAPI] Set up socket for #{remote} port #{proto}/#{dport} (Handle: #{socket_handle['return']})")
197: end
198:
GetLastError
Here is a relevant code snippet related to the "GetLastError" error message:
196: vprint_status("[#{num}:WINAPI] Set up socket for #{remote} port #{proto}/#{dport} (Handle: #{socket_handle['return']})")
197: end
198:
199: vprint_status("[#{num}:WINAPI] Connecting to #{remote}:#{proto}/#{dport}")
200: r = winapi_make_connection(remote, dport, socket_handle['return'], proto)
201: if r['GetLastError'] == 0
202: vprint_good("[#{num}:WINAPI] Connection packet sent successfully #{proto}/#{dport}")
203: else
204: vprint_bad("[#{num}:WINAPI] There was an error sending a connect packet for #{proto} socket (port #{dport}) Error: #{r['GetLastError']}")
205: end
206:
[<NUM>:WINAPI] There was an error sending a connect packet for <PROTO> socket (port <DPORT>) Error: <GETLASTERROR>
Here is a relevant code snippet related to the "[<NUM>:WINAPI] There was an error sending a connect packet for <PROTO> socket (port <DPORT>) Error: <GETLASTERROR>" error message:
199: vprint_status("[#{num}:WINAPI] Connecting to #{remote}:#{proto}/#{dport}")
200: r = winapi_make_connection(remote, dport, socket_handle['return'], proto)
201: if r['GetLastError'] == 0
202: vprint_good("[#{num}:WINAPI] Connection packet sent successfully #{proto}/#{dport}")
203: else
204: vprint_bad("[#{num}:WINAPI] There was an error sending a connect packet for #{proto} socket (port #{dport}) Error: #{r['GetLastError']}")
205: end
206:
207: client.railgun.ws2_32.closesocket(socket_handle['return'])
208: end
209: end
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
Go back to menu.
See Also
Check also the following modules related to this module:
- post/multi/recon/local_exploit_suggester
- post/multi/recon/reverse_lookup
- post/multi/recon/sudo_commands
Authors
Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
