├── README.TXT ├── pd.php └── revshfuzz.py /README.TXT: -------------------------------------------------------------------------------- 1 | # revshfuzz 2 | A tool for fuzzing for ports that allow outgoing connections 3 | 4 | I recommend stopping all listening services as they could interfere with the binding in the script! 5 | 6 | 1 - Edit pd.php to your machine's IP, then upload pd.php to the target webserver 7 | 2 - sudo ./revshfuzz.py -h 8 | 9 | [pinky][0xefbeadde][revshfuzz] 10 | | sudo ./revshfuzz.py -u http://192.168.1.13/pd.php -m c -b 192.168.1.7 -ua "spoofed-user-agent" 11 | 12 | -=< Reverse Shell Fuzzer 0.0.2 >=- 13 | By @Pink_P4nther 14 | A weak firewall rule discovery tool 15 | 16 | [*] URL: http://192.168.1.13/pd.php 17 | [*] MODE: c 18 | [*] Bind Address: 192.168.1.7 19 | [*] User Agent: spoofed-user-agent 20 | [+] Outbound [Allowed] @ Port: 20 21 | [+] Outbound [Allowed] @ Port: 21 22 | [+] Outbound [Allowed] @ Port: 22 23 | [+] Outbound [Allowed] @ Port: 23 24 | [+] Outbound [Allowed] @ Port: 25 25 | [+] Outbound [Allowed] @ Port: 53 26 | [+] Outbound [Blocked] @ Port: 80 27 | [+] Outbound [Allowed] @ Port: 81 28 | [+] Outbound [Allowed] @ Port: 110 29 | [+] Outbound [Blocked] @ Port: 139 30 | [+] Outbound [Blocked] @ Port: 143 31 | [+] Outbound [Blocked] @ Port: 443 32 | [+] Outbound [Allowed] @ Port: 445 33 | [+] Outbound [Allowed] @ Port: 465 34 | [+] Outbound [Allowed] @ Port: 587 35 | [+] Outbound [Allowed] @ Port: 993 36 | [+] Outbound [Allowed] @ Port: 995 37 | [+] Outbound [Allowed] @ Port: 2222 38 | [+] Outbound [Blocked] @ Port: 3306 39 | [+] Outbound [Allowed] @ Port: 8000 40 | [+] Outbound [Blocked] @ Port: 8080 41 | [+] Outbound [Allowed] @ Port: 8181 42 | [+] Outbound [Allowed] @ Port: 8443 43 | [+] Outbound [Allowed] @ Port: 9050 44 | [*] Finished 45 | 46 | -------------------------------------------------------------------------------- /pd.php: -------------------------------------------------------------------------------- 1 | 7 | 
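#! /usr/bin/env python
#
# Weak Firewall Rule Discovery Tool
# By @Pink_P4nther
# This tool can help discover allowed outgoing connections
#
# How it works (see README.TXT): pd.php sits on the web server under test.
# For every port, this script first opens a listener on HOST:port, then
# requests pd.php with "?p=<port>", which makes the server open one outbound
# TCP connection back to the listener.  A connect-back that arrives means the
# egress rule allows that port; no connect-back within LISTEN_TIMEOUT seconds
# is reported as "Blocked".
#

VERSION = "0.0.2"
import socket
import sys
import requests
import threading
import select
import argparse

# Seconds the listener waits for the connect-back before reporting a port as
# blocked.  1 s is the original hard-coded value; on a slow target web server
# a larger value reduces false "Blocked" results.
LISTEN_TIMEOUT = 1

#socket.setdefaulttimeout(2)
#print(str(socket.getdefaulttimeout()))
banner = """
-=< Reverse Shell Fuzzer {} >=-
By @Pink_P4nther
A weak firewall rule discovery tool
""".format(VERSION)
print(banner)
# Common port list
commonPorts = [20,21,22,23,25,53,80,81,110,139,143,443,445,465,587,993,995,2222,3306,8000,8080,8181,8443,9050]

# Parser
parser = argparse.ArgumentParser()
parser.add_argument("--url","-u",help="The URL of the pd.php script")
parser.add_argument("--mode","-m",choices=["a","c","l"],help="The port iteration mode. Modes: (a)ll,(c)ommon,(l)ist")
parser.add_argument("--list","-l",help="If mode is 'l' then use this to specify list path")
parser.add_argument("--bind","-b",help="Specify bind address: Default is 0.0.0.0")
parser.add_argument("--useragent","-ua",help="Specify user agent to request with: Default is Firefox Linux")
# New, optional: the original issued every HTTP request without a timeout, so
# one stalled response hung the whole run.  Default None keeps that behaviour.
parser.add_argument("--timeout","-t",type=float,default=None,help="Seconds to wait for each HTTP request: Default is no limit")
args = parser.parse_args()

# Parse URL
if args.url:
    URL = args.url
    print("[*] URL: {}".format(URL))
else:
    sys.exit("URL not specified! Use -h for help!")

# Parse Mode
if args.mode:
    MODE = args.mode
    print("[*] MODE: {}".format(MODE))
else:
    sys.exit("MODE not specified!")

# Parse Port List
if MODE == "l" and args.list:
    LISTPATH = args.list
    print("[*] LIST: {}".format(LISTPATH))
elif MODE == "l":
    sys.exit("[!] You must specify a port list: --list /path/to/list.lst")
else:
    pass

# Parse Bind Address
if args.bind:
    HOST = args.bind
else:
    HOST = "0.0.0.0"
print("[*] Bind Address: {}".format(HOST))

# Parse User Agent
if args.useragent:
    UA = args.useragent
else:
    UA = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
print("[*] User Agent: {}".format(UA))
headers = {'User-Agent': str(UA)}

# Per-request HTTP timeout in seconds; None means wait indefinitely (original behaviour).
REQUEST_TIMEOUT = args.timeout


# Listens for connect back from PHP script
def lPort(PORT, ready=None):
    """Wait on HOST:PORT for the single connect-back that pd.php makes.

    Prints "[+] Outbound [Allowed]" when a connection arrives within
    LISTEN_TIMEOUT seconds, "[-] Outbound [Blocked]" when it does not, and
    "[!!!] Error" for anything else (typically bind() failing because the
    port is already in use or needs root).  Runs in a worker thread started
    by _probe_port().

    Args:
        PORT: TCP port to listen on (an int, or a string holding an int).
        ready: optional threading.Event that is set as soon as the socket is
            listening (or bind() has failed), so the caller knows it is safe
            to trigger the connect-back.  Omitting it keeps the original
            fire-and-forget behaviour.
    """
    s = None
    try:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((str(HOST), int(PORT)))
            s.settimeout(LISTEN_TIMEOUT)
            s.listen(1)
        finally:
            # Signal the caller even when bind() failed; otherwise
            # _probe_port() would wait for a listener that never comes.
            if ready is not None:
                ready.set()
        conn, (ip, port) = s.accept()
        conn.close()
        print("[+] Outbound [Allowed] @ Port: {}".format(str(PORT)))

    except socket.timeout:
        print("[-] Outbound [Blocked] @ Port: {}".format(str(PORT)))
    except Exception as e:
        print("[!!!] Error: {}".format(str(e)))
    finally:
        # Always release the listening socket; the original leaked one per port.
        if s is not None:
            s.close()


def _iter_ports():
    """Yield the ports to probe, as ints, according to MODE.

    'l': one port per line of LISTPATH; blank lines and '#' comment lines are
         ignored, unparseable lines are reported and skipped (the original
         passed the raw line, newline included, straight into the URL).
    'c': the commonPorts table.
    'a': 1..65535 -- port 0 is skipped because bind(0) picks an ephemeral
         port, so the connect-back could never have matched it.
    Exits with "[!] Error: ..." if the list file cannot be read.
    """
    if MODE == "l":
        try:
            with open(LISTPATH, "r") as f:
                entries = f.read().splitlines()
        except Exception as e:
            sys.exit("[!] Error: {}".format(e))
        for entry in entries:
            entry = entry.strip()
            if not entry or entry.startswith("#"):
                continue
            try:
                yield int(entry)
            except ValueError:
                print("[!] Skipping invalid port entry: {!r}".format(entry))
    elif MODE == "c":
        for port in commonPorts:
            yield port
    elif MODE == "a":
        for port in range(1, 65536):
            yield port


def _probe_port(port):
    """Start a listener for *port*, then ask pd.php to connect back to it.

    The HTTP request is only sent once the listener thread reports that it
    is bound and listening; the original started the thread and fired the
    request immediately, so a fast connect-back could be refused before
    accept() was reachable and the port misreported as blocked.
    """
    ready = threading.Event()
    t1 = threading.Thread(target=lPort, args=(port, ready))
    t1.start()
    # Bounded wait so a thread that died before signalling cannot hang the run.
    ready.wait(LISTEN_TIMEOUT + 5)
    URLtmp = str(URL + "?p=" + str(port))
    try:
        requests.get(URLtmp, headers=headers, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as e:
        # One failed request should not abort the remaining ports.
        print("[!] Request failed @ Port: {}: {}".format(port, e))
    finally:
        t1.join()


# For each port listen for connect back from PHP script and request PHP script
def main():
    """Probe every port selected by MODE, one at a time, printing each result."""
    for port in _iter_ports():
        _probe_port(port)


if __name__ == '__main__':
    if (len(sys.argv) < 2):
        sys.exit("usage: use -h for help")
    else:
        main()
        print("[*] Finished")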