Egressagent
Package name: intrudect-egressagent
During various penetration tests, it has been frequently observed that so-called "air-gapped" networks are not fully isolated. This inspired the egress agent module.
The agent is installed into an isolated network segment and periodically attempts to reach the Internet. If it succeeds in connecting to the Intrudect servers, the segment is not isolated and an alert is sent to the client.
Configuration
The initial default configuration for Egressagent can be created in the web application under Agents > Add new egress agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-egressagent/etc/config.json.
Methods
- DirectICMP attempts tunneling over ICMP using both IPv4 and IPv6. ICMP and IPv6 are often forgotten when egress filtering is configured.
- The DNS methods (PublicDNS, DefaultDNS and PrivateDNS) test connectivity via both UDP and TCP, over IPv4 and IPv6. Many isolated networks still answer DNS queries.
- The FindGW, FindDNS and FindProxy methods are noisy: they scan the internal network for other hosts (gateways, resolvers, proxies) and try to make outbound connections through them.
"Methods": {
"DirectUDP": true,
"DirectTCP": true,
"DirectICMP": true,
"PublicDNS": true,
"DefaultDNS": true,
"PrivateDNS": true,
"FindGW": true,
"FindDNS": true,
"FindProxy": false
},
Sleep
Seconds to sleep after each method has completed its run cycle.
"Sleep": {
"AfterUDPScan": 60,
"AfterTCPScan": 60,
"AfterICMPScan": 60,
"AfterDNSScan": 60,
"AfterProxyScan": 60,
"AfterGWScan": 60,
"AfterNmapScan": 1440
},
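Before a config.json is dropped into a sensitive segment it is worth linting it against the two sections above: a misspelled method key is silently ignored rather than rejected, and the three discovery methods generate internal scanning that a blue team will notice. The Python below is an added example written for this page, not Intrudect code; it only knows the Methods and Sleep keys documented here, and the sample config it checks is constructed, with two deliberate mistakes.

```python
"""Pre-deployment lint for an Egressagent config.json (added example, not Intrudect code).

Checks the "Methods" and "Sleep" sections documented on this page: unknown or
misspelled keys are errors (the agent would silently ignore them), the
discovery methods FindGW/FindDNS/FindProxy are flagged because they scan the
internal network, and every Sleep value must be a non-negative integer.
Threads and the server lists are left alone: the page documents them without
a reference value to compare against.
"""
import json
from typing import List, Tuple

# Key names taken from the documented config fragments on this page.
METHOD_KEYS = {
    "DirectUDP", "DirectTCP", "DirectICMP",
    "PublicDNS", "DefaultDNS", "PrivateDNS",
    "FindGW", "FindDNS", "FindProxy",
}
# Methods the page describes as noisy (they scan internal hosts).
NOISY_METHODS = {"FindGW", "FindDNS", "FindProxy"}
SLEEP_KEYS = {
    "AfterUDPScan", "AfterTCPScan", "AfterICMPScan", "AfterDNSScan",
    "AfterProxyScan", "AfterGWScan", "AfterNmapScan",
}


def lint_config(cfg: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a parsed config.json."""
    errors: List[str] = []
    warnings: List[str] = []

    methods = cfg.get("Methods")
    if not isinstance(methods, dict):
        errors.append("Methods: missing or not an object")
        methods = {}
    for key, value in methods.items():
        if key not in METHOD_KEYS:
            errors.append(f"Methods.{key}: unknown method (typo?)")
        elif not isinstance(value, bool):
            errors.append(f"Methods.{key}: expected true/false, got {value!r}")
        elif value and key in NOISY_METHODS:
            warnings.append(f"Methods.{key}: enabled; this method scans the internal segment")
    for key in sorted(METHOD_KEYS - set(methods)):
        warnings.append(f"Methods.{key}: not set")
    if not any(methods.get(k) is True for k in METHOD_KEYS):
        errors.append("Methods: no method enabled, the agent would never probe")

    sleep = cfg.get("Sleep")
    if not isinstance(sleep, dict):
        errors.append("Sleep: missing or not an object")
        sleep = {}
    for key, value in sleep.items():
        if key not in SLEEP_KEYS:
            errors.append(f"Sleep.{key}: unknown key")
        elif isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"Sleep.{key}: expected non-negative integer seconds, got {value!r}")
    for key in sorted(SLEEP_KEYS - set(sleep)):
        warnings.append(f"Sleep.{key}: not set")

    return errors, warnings


def lint_file(path: str) -> Tuple[List[str], List[str]]:
    """Lint a config.json on disk, e.g. /opt/intrudect-egressagent/etc/config.json."""
    with open(path, encoding="utf-8") as fh:
        return lint_config(json.load(fh))


# Constructed sample: the documented defaults with two deliberate mistakes
# (FindProxy is a string, AfterGWScan is negative).
SAMPLE_CONFIG = json.loads("""
{
  "Methods": {
    "DirectUDP": true, "DirectTCP": true, "DirectICMP": true,
    "PublicDNS": true, "DefaultDNS": true, "PrivateDNS": true,
    "FindGW": true, "FindDNS": true, "FindProxy": "false"
  },
  "Sleep": {
    "AfterUDPScan": 60, "AfterTCPScan": 60, "AfterICMPScan": 60,
    "AfterDNSScan": 60, "AfterProxyScan": 60, "AfterGWScan": -5,
    "AfterNmapScan": 1440
  }
}
""")

if __name__ == "__main__":
    errs, warns = lint_config(SAMPLE_CONFIG)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it against the downloaded file with lint_file() before installing the agent; a non-empty error list means the configuration should not be deployed, and the FindGW/FindDNS warnings are a reminder that those methods will show up in internal network monitoring.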
Threads
Several methods can be used to send traffic out of an isolated network. The DirectTCP and DirectUDP methods attempt every port over both IPv4 and IPv6, because administrators commonly overlook UDP or IPv6 when configuring egress filtering. Since that is 4 x 65535 ports to test, the scan runs in parallel, as defined here:
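To make the parallelism concrete, the Python below is an added illustration, not the agent's own code and not its Threads configuration: it fans a DirectTCP-style sweep of one egress target out over a thread pool, with IPv4 and IPv6 as separate passes. The pool size, the egress addresses 192.0.2.10 and 2001:db8::10 and the port list are all hypothetical. The demo_local() function runs the same probe offline against a listener on the loopback interface so the hit/miss result can be seen without network access.

```python
"""Parallel TCP egress probe (added example, not the agent's code).

Shape of what the page describes for DirectTCP: one egress target, every port
worth testing, IPv4 and IPv6 as separate passes, connection attempts fanned
out over a thread pool so a full sweep finishes in minutes rather than days.
The pool size stands in for the agent's Threads setting, which is not
reproduced here.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def try_connect(host: str, port: int, family: int, timeout: float) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            return True
    except OSError:
        # refused, timed out, unreachable, or address family not available:
        # all of these count as "no egress on this port"
        return False


def probe_tcp(host: str, ports: Iterable[int], family: int = socket.AF_INET,
              workers: int = 64, timeout: float = 1.0) -> List[int]:
    """Return the sorted list of ports on which a connection succeeded."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: try_connect(host, p, family, timeout), ports))
    return sorted(p for p, ok in zip(ports, results) if ok)


def probe_all_families(host4: str, host6: str, ports: Iterable[int], **kw) -> Dict[str, List[int]]:
    """Run the same port list over IPv4 and IPv6; a hit in either means egress exists."""
    ports = list(ports)
    return {
        "ipv4": probe_tcp(host4, ports, socket.AF_INET, **kw),
        "ipv6": probe_tcp(host6, ports, socket.AF_INET6, **kw),
    }


def demo_local() -> Dict[str, object]:
    """Offline demonstration: probe a loopback listener plus a closed port.

    Returns the listening port, the closed port and the ports reported as
    reachable; only the listening port should appear in the hits.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    open_port = listener.getsockname()[1]
    # bind and immediately release a second ephemeral port to obtain one that is closed
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        hits = probe_tcp("127.0.0.1", [closed_port, open_port], socket.AF_INET,
                         workers=4, timeout=1.0)
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "hits": hits}


if __name__ == "__main__":
    print("loopback demo:", demo_local())
    # Hypothetical egress targets (documentation ranges); replace with servers you control.
    hits = probe_all_families("192.0.2.10", "2001:db8::10", range(1, 65536),
                              workers=256, timeout=0.5)
    for fam, open_ports in hits.items():
        print(fam, "egress on ports:", open_ports[:20], "..." if len(open_ports) > 20 else "")
```

With 256 workers and a 0.5 s timeout a full 65535-port pass takes on the order of two minutes per address family; the sleep values from the Sleep section then decide how long the agent waits before the next pass.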
Other options
If using the Intrudect public egress servers, DO NOT modify the following parameters:
- LogDomains - domains whose logging nameservers receive the DNS egress queries.
- EgressServers - IPv4 and IPv6 addresses of the public Intrudect egress servers.
- PrivateDNSServers - IPv4 and IPv6 addresses of the public Intrudect DNS servers.
- PublicDNSServers - list of public DNS server addresses that are tested for egress.
Alerting
Multiple servers and domains receive and decrypt traffic from Egressagent. The decrypted information includes the address of the client's web application, and an alert is then forwarded to that address.
The reverse proxy in front of the client web application only needs to expose the /api/alert/new URI; the rest of the application should stay unreachable from the Internet.
server {
    ...
    # Only the alert endpoint is proxied; no other path of the web application
    # is reachable through this server block.
    location /api/alert/new {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_ssl_verify off;   # only relevant if proxy_pass is changed to an https:// upstream
        proxy_bind 127.0.0.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header CF-Connecting-IP $remote_addr; # Set CF header in case needed
    }
}