Skip to content

Egressagent

Package name: intrudect-egressagent

During various penetration tests, it has been frequently observed that so-called "air-gapped" networks are not fully isolated. This inspired the egress agent module.

The agent is installed into isolated network segment and periodically attempts to access the Internet. If it successfully connects to the Intrudect servers, an alert is sent to the client.

Configuration

The initial default configuration for Egressagent can be created in the web application under Agents > Add new egress agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-egressagent/etc/config.json.

Methods

  • DirectICMP attempts tunneling over ICMP using both IPv4 and IPv6. ICMP or IPv6 configurations are often forgotten as well.

  • DNS methods (PublicDNS, DefaultDNS, and PrivateDNS) test connectivity via both UDP and TCP, and IPv4 and IPv6. Many isolated networks still respond to DNS queries.

  • FindGW, FindDNS and FindProxy methods are noisy, scanning internal networks for other hosts and trying outbound connection via these hosts.

"Methods": {
    "DirectUDP": true,
    "DirectTCP": true,
    "DirectICMP": true,
    "PublicDNS": true,
    "DefaultDNS": true,
    "PrivateDNS": true,
    "FindGW": true,
    "FindDNS": true,
    "FindProxy": false
  },

Sleep

Seconds to sleep after each method has completed its run cycle. 

"Sleep": {
    "AfterUDPScan": 60,
    "AfterTCPScan": 60,
    "AfterICMPScan": 60,
    "AfterDNSScan": 60,
    "AfterProxyScan": 60,
    "AfterGWScan": 60,
    "AfterNmapScan": 1440
  },

Threads

Several methods can be used to send traffic from isolated networks.

  • DirectTCP and DirectUDP methods will attempt to use all ports across both IPv4 and IPv6. Administrators commonly overlook UDP or IPv6 configurations. Given that there are 4 x 65535 ports to test, scanning is done using parallel processing as defined here:
"Threads": {
    "DirectUDP": 100,
    "DirectTCP": 100
  },

Other options

If using Intrudet public egress servers, then DO NOT modify following parameters.

  • LogDomains - domains with logging nameservers for DNS egress.
  • EgressServers - IPv4 and IPv6 addresses for public Intrudect egress servers
  • PrivateDNSServers - IPv4 and IPv6 addresses for public Intrudect DNS servers
  • PublicDNSServers - list of public DNS server addresses that are tested for egress.

Alerting

Multiple servers and domains receive and decrypt traffic from Egressagent. This decrypted information includes the client web application's address. An alert is then forwarded to that address.

downloads

Reverse proxy needs to only expose /api/alert/new uri.

server {

    ...

    location /api/alert/new {   
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_ssl_verify off; 
        proxy_bind 127.0.0.1;
        proxy_set_header Host $host; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_set_header CF-Connecting-IP $remote_addr;  # Set CF header in case needed
    }
}