The Data-Loss-Prevention and Firewall Test Suite aka “egress0r”
Why was egress0r built?
egress0r was built with the intent to continuously or selectively produce false security incidents, in order to check up on your DLP and firewall settings. This includes full IPv4/IPv6 support for both TCP- and UDP-based checks.
What problems does egress0r solve?
egress0r automates the tedious task of fabricating transfer actions of what looks like sensitive data. Using synthetic data that adheres to the patterns of known sensitive data (e.g. SSNs, credit card numbers), egress0r sets out to send this data outside of your own premises (data exfiltration).
Why is egress0r useful?
egress0r can not only be run once but can easily be configured to run periodically, thus guaranteeing that your services are continuously running as expected. If no DLP/FW incidents occur during normal operations, this does not necessarily mean that everything is well; maybe everything is just “not working”.
What’s up with that name?
The name “egress0r” originates from its aggressive exfiltrating and egress-traffic-generating behaviour, blended with a touch of oldsch00l.
The core features of egress0r are described in the upcoming sections. A quick overview of the performed checks follows:
- FTP checks
- SMTP checks
- HTTP checks
- DNS checks
- ICMP checks
- Arbitrary egress port checks
In the following sections we elaborate on what the checks do and how they behave.
The FTP check performs a simple check, namely the exfiltration of sample data by uploading it to our FTP server ftp.egress0r.io. To ensure the data can’t be inspected by other parties, we regularly remove uploaded data and restrict access to the upload directory. egress0r assumes the FTP exfil succeeded when the sample data was uploaded without errors.
During the SMTP check we send an email with sample data to email@example.com. egress0r assumes the attempted exfil succeeded when no errors occur while sending the email. To verify the exfil attempt actually worked, you should check the inbox of your configured email address. It should receive an exact copy of the message that was sent with the egress0r client.
During the HTTP exfil check the following HTTP verbs are utilized by default:
The requests are sent to services.egress0r.io. If the exfiltrated data is present in the response, the exfil attempt was a success and is indicated accordingly.
During the DNS checks we perform various DNS queries over both IPv4 and IPv6 (if available). Both the locally configured DNS servers and external DNS servers are used to resolve these queries. These checks validate whether a local user could bypass some sort of DNS filtering by simply using a non-default DNS server.
Furthermore, egress0r performs DNS exfiltration with the given sample data: it encodes part of the data into a subdomain, suffixes it with an attacker-controlled domain and resolves the query via an attacker-controlled DNS server.
The ICMP check routine mainly focuses on pinging external hosts. If this works without interference we might get lucky and be able to exfiltrate data over ICMP as well. The last check in this category attempts to exfiltrate a few chunks of sample data to egress0r.io by embedding the data directly into the ICMP packet’s payload.
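To see what the DNS exfil check described above looks like from the resolver-log side, here is an added example (not egress0r’s own code) that scans constructed DNS query log lines for leading labels that look like encoded data; the log format, the exfil.test domain, the hex encoding of the sample data and the thresholds are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (assumed format:
# "<timestamp> <client-ip> <qtype> <qname>"); not real egress0r output.
# Lines 3 and 4 carry hex-encoded chunks of synthetic "SSN/CC" sample data.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 AAAA mail.example.com
2024-01-01T10:00:03 10.0.0.5 A 4e616d653a4a6f686e20446f652c53534e3a3132332d34.exfil.test
2024-01-01T10:00:04 10.0.0.5 A 35362d373839302c43433a34313131.exfil.test
2024-01-01T10:00:05 10.0.0.5 A cdn.static-assets.example.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Hex or base32-style alphabets are the usual way to fit raw data into labels.
ENCODED_LABEL_RE = re.compile(r"^[0-9a-f]{20,}$|^[a-z2-7]{20,}$", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_qname(qname: str) -> bool:
    """Heuristic: do the labels in front of the registered domain look encoded?

    Assumption: the last two labels are the registered domain (fine for .com or
    .test names; co.uk-style suffixes would need a public-suffix list).
    Expect some false positives from CDN or tracking hostnames; tune per site.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return False
    payload = "".join(labels[:-2])
    if len(payload) < 20:  # too short to carry a useful data chunk
        return False
    if ENCODED_LABEL_RE.match(payload):
        return True
    return shannon_entropy(payload) > 3.5


def find_dns_exfil_candidates(log_text: str) -> list:
    """Return (client, qname) pairs for every log line flagged as possible exfil."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, _qtype, qname = m.groups()
        if is_suspicious_qname(qname):
            hits.append((client, qname))
    return hits
```

Running it over SAMPLE_LOG flags only the two exfil.test queries; egress0r’s own periodic runs should surface as exactly this kind of hit if your DNS monitoring is working.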
Egress port checking
A very nifty feature of egress0r, in our opinion, is the egress port checker. It performs IPv4, IPv6, TCP and UDP outgoing port checks in three different modes. The modes are top 10, top 100 or all. The chosen mode defines how many and which ports are scanned during the check for each combination of IP version and network protocol.
By now you should have a better understanding what egress0r does and what problems it solves. If you are ready to dive in and take egress0r for a spin, read on.
You have two options to choose from: either run egress0r on your own Linux machine or let it run in a Docker container. However you wish to apply egress0r on your end is up to you. You can find further information on how to proceed in the egress0r GitHub repository at https://github.com/cyllective/egress0r.
To take egress0r for a quick test-run via Docker, you can follow the steps below:
- Download egress0r’s default config:
- Open up and edit the just downloaded config file and replace the line <YOUR EMAIL ADDRESS HERE> with your email address.
- Launch egress0r via docker:
docker run --net host -t --rm -v $(pwd)/config.dist.yml:/opt/egress0r/config.yml cyllective/egress0r:latest
This project was heavily inspired by the following projects:
- BLACK HILLS’ allports.exposed
- SIXGEN’s BreakFree
Contributing and getting help
We are open for contributions from the community and would love to hear from you. Please feel free to:
- Ask questions about egress0r by opening an issue on GitHub
- Contribute ideas and improvements by either opening an issue or submitting a pull request