Friday, April 26, 2013

Quickly Determine Allowed Outbound Ports

I recently had a co-worker who needed to quickly determine the ports that were allowed outbound on a network. After some research, I stumbled upon @mubix 's awesome creation, being www.letmeoutofyour.net.

Using iptables and some apache-fu, he created a machine that will answer on each port that is connected to. This is nothing new, I just simply wanted to share a couple quick ways to find open outbound ports using native command shells and letmeoutofyour.net.

**Update: mubix has shut down letmeoutofyour.net (sadface). I have now modified the scripts to work with another site that does the same thing (open.zorinaq.com).


Windows

Powershell:

**Update: After talking with @mubix, I have rewritten this to reduce potential false positive scenarios associated with pre-routing/proxies

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://open.zorinaq.com:$_"); req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); $stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() | select-string "Yep"){echo "$_ Allowed out"}}

Cmd.exe (using netcat):

for /L %i in (1,1,1024) do @nc.exe -z -v open.zorinaq.com %i | findstr "Yep"


Linux


Bash (using netcat):

for ((i=1; i<1024; i++)) do nc -z -v open.zorinaq.com $i | grep "Yep"; done

Python:
import urllib2;
for x in range (1,1024):
        url = "http://open.zorinaq.com:%d" % x;
        try:
                r = urllib2.urlopen(url, timeout=1);
                print "Port: %d" %x; print "Result: ",r.read();
        except urllib2.URLError, err:
                print "Port: %d" %x; print "Result: Refused";