
Finding Your Way Out From Behind Firewalls with Strict Outbound Rules

You’ve achieved code execution on a machine, but for some reason your reverse shell isn’t pinging you back. Or that wget/tftp command isn’t downloading your recon/post-exploitation tools. There’s a chance you’re dealing with an egress problem: the typical ports that need outbound access are blocked. You try the main ones you can think of (21, 22, 53, 80, 8080, 443), but none of them seem to be connecting. Do you start at 1 and manually test? NO! The hallmark of any decent programmer/hacker is laziness. So let’s get lazy.

The Concept

There are a few methods to achieve this, but at the core of each, these two things are happening.

  • The attacking machine needs to listen for something on every port.
  • Your victim machine needs to try to hit your machine on every port.

netcat and iptables

For the attacker

Set all ports to redirect to a listener you’ve started.


iptables -t nat -A PREROUTING -i $iface -p tcp --dport 1:65535 -j DNAT --to-destination $ip:$lport
nc -nvlp $lport

For the victim machine


for port in {1..1000}; do
  echo "Trying $port"
  nc -z -w1 "$ip" "$port"   # $ip is the attacking machine's address
done

Netcat DOES accept ranges, so the following also works: nc -w1 $ip 1-1000. I usually find that the bash loop’s logging makes it easier to ID what worked if you walk away for a bit while it runs.


If you have a GUI available on the attacking machine, you can repeat the above scenario, but replace the iptables and nc commands with Wireshark and a sane filter; something like

ip.src ==

You should be able to watch the window for incoming packets and determine on which port the victim machine was able to connect.


If you have the ability to get files onto the target machine, the most robust option is egress-buster. The readme does a great job explaining usage, but it’s basically the first method, using iptables and Python. It consists of two scripts, a client and a server. It also has an option to automatically start the reverse shell once it finds an available outgoing port.
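
Seen from the firewall, every method above looks the same: one internal host trying many destination ports on a single external address in quick succession. The following is an added example, not code from the original post or from egress-buster, that flags that pattern in firewall logs and reports which ports were let out; the log format, the EGRESS-DROP/EGRESS-ALLOW prefixes, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: ISO timestamp + iptables LOG line; EGRESS-* prefixes are hypothetical.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?(?P<action>EGRESS-(?:DROP|ALLOW)) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def find_egress_sweeps(lines, min_ports=20, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs with >= min_ports distinct TCP destination ports
    inside one sliding window; report which ports the firewall let out."""
    events = defaultdict(list)  # (src, dst) -> [(time, port, action)]
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events[(m["src"], m["dst"])].append(
                (datetime.fromisoformat(m["ts"]), int(m["dpt"]), m["action"]))
    findings = []
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({port for _, port, _ in evs[start:end + 1]}) >= min_ports:
                findings.append({
                    "src": src, "dst": dst,
                    "ports_tried": len({port for _, port, _ in evs}),
                    "allowed_ports": sorted({p for _, p, a in evs if a == "EGRESS-ALLOW"})})
                break
    return findings

def constructed_sample():
    """Constructed data: 10.0.0.5 tries ports 1-40 on 203.0.113.7, one per second
    (only 25 is allowed out); 10.0.0.9 makes ordinary HTTPS connections."""
    base, lines = datetime(2024, 5, 1, 10, 0, 0), []
    fmt = "{} fw kernel: {} IN=eth1 OUT=eth0 SRC={} DST={} PROTO=TCP SPT={} DPT={}"
    for port in range(1, 41):
        action = "EGRESS-ALLOW" if port == 25 else "EGRESS-DROP"
        ts = (base + timedelta(seconds=port)).isoformat()
        lines.append(fmt.format(ts, action, "10.0.0.5", "203.0.113.7", 40000 + port, port))
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(fmt.format(ts, "EGRESS-ALLOW", "10.0.0.9", "198.51.100.20", 50000 + i, 443))
    return lines

if __name__ == "__main__":
    print(find_egress_sweeps(constructed_sample()))
```

The `allowed_ports` field is the part to act on: it lists the egress rules the sweep found open, which are the ones to review or tighten.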