egress0r - DLP/FW Test Suite

Building Trust

egress0r was built to continuously or selectively produce false security incidents in order to check up on your DLP and firewall settings. This includes full IPv4/IPv6 support for both TCP- and UDP-based checks.

egress0r automates the tedious task of fabricating transfers of what looks like sensitive data. Using synthetic data that adheres to the pattern of known sensitive data (e.g. SSN#, CC#), egress0r sets out to send this data outside of your own premises (exfiltration of data).

egress0r can not only be run once but can also easily be configured to run periodically, thus guaranteeing that your services are continuously running as expected. If no DLP/FW incidents occur during normal operations, this does not necessarily mean that everything is well; maybe everything is just “not working”.

You have two options to choose from: either run egress0r from your own Linux machine or let it run in a Docker container. How you deploy egress0r on your end is up to you. You can find further information on how to proceed in the egress0r GitHub repository.

egress0r

On the Inside

The name “egress0r” originates from its aggressive exfiltrating and egress-traffic generating behaviour, blended with a touch of oldsch00l.

FTP

The FTP check is simple: it exfiltrates sample data by uploading it to our FTP server ftp.egress0r.io. To ensure the data can’t be inspected by other parties, we regularly remove uploaded data and restrict access to the upload directory. egress0r assumes the FTP exfil succeeded when the sample data was uploaded without errors.

SMTP

During the SMTP check we send an email with sample data to echo@egress0r.io. egress0r assumes the attempted exfil succeeded when no errors occur while sending the email. To verify the exfil attempt actually worked, you should check the inbox of your configured email address. It should receive an exact copy of the message that was sent with the egress0r client.

HTTP

During the HTTP exfil check the following HTTP verbs are utilized by default:

  • GET
  • POST
  • PUT
  • PATCH
  • DELETE

The requests are sent to services.egress0r.io. If the exfiltrated data is present in the response, the exfil attempt was a success and is indicated accordingly.

DNS

During the DNS checks we perform various DNS queries using both IPv4 and IPv6 (if available). Both locally configured DNS servers and external DNS servers are used to resolve these queries. The checks validate whether a local user could bypass some sort of DNS filtering by simply using a non-default DNS server.

Furthermore, egress0r performs DNS exfiltration with given sample data. It encodes part of the data into a subdomain, suffixes it with an attacker-controlled domain, and resolves the query via an attacker-controlled DNS server.
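
A defender-side check for the DNS exfiltration pattern described above, as an added example that is not part of egress0r: it flags parent domains that receive several distinct long, high-entropy subdomain labels in a resolver log. The query names, the thresholds and the two-label parent-domain split are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query names (not real traffic); the domains and the
# base32-looking labels are assumptions, not egress0r's actual encoding.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    # A single long hash-like label, as CDNs use: must not be flagged alone.
    "d1a2b3c4e5f6g7h8i9j0k1l2.cdn.example.org",
    "mfrggzdfmztwq2lknnwg23tp.t.example.net",
    "kr2hk3tfonzwk4tjmvzsa5dp.t.example.net",
    "nbswy3dpeb3w64tmmqqho2lu.t.example.net",
]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname, suffix_labels=2):
    """Split a query name into (subdomain labels, parent domain).

    Assumes a two-label registered domain; a real deployment would use
    a public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-suffix_labels], ".".join(labels[-suffix_labels:])

def suspicious_parents(queries, min_len=20, min_entropy=3.0, min_unique=3):
    """Return {parent domain: encoded characters seen} for parents that
    received at least min_unique distinct long, high-entropy labels."""
    seen = defaultdict(set)
    for q in queries:
        sub, parent = split_name(q)
        for label in sub:
            if len(label) >= min_len and entropy(label) >= min_entropy:
                seen[parent].add(label)  # set: repeated lookups count once
    return {p: sum(map(len, ls)) for p, ls in seen.items()
            if len(ls) >= min_unique}

if __name__ == "__main__":
    for parent, chars in suspicious_parents(SAMPLE_QUERIES).items():
        print(f"possible DNS exfil via {parent}: {chars} encoded chars")
```

Running egress0r's DNS check while a rule like this watches the resolver logs shows whether the alert actually fires, which is the point of producing the test traffic.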

ICMP

The ICMP check routine mainly focuses on pinging external hosts. If this works without interference, we might get lucky and can exfiltrate data over ICMP as well. The last check performed in this category attempts to exfiltrate a few chunks of sample data to egress0r.io by embedding the data directly into the ICMP packet’s payload.

Egress port checking

A very nifty feature of egress0r, in our opinion, is the egress port checker. It performs IPv4, IPv6, TCP and UDP outgoing port checks in three different modes. The modes are top 10, top 100 or all. The chosen mode defines how many and which ports are scanned during the check for each combination of IP version and network protocol.