In the preceding examples, we’ve relied on the reverse port always being open. But what if we’re attacking an organization with very strict egress port filtering? Most companies block outbound connections except those from a few defined ports, and it can be difficult to determine which ports can make outbound connections.

We can guess that port 443 won’t be inspected and will allow a TCP connection out, and that FTP, Telnet, SSH, and HTTP may be allowed. But why guess when Metasploit has a very specific payload for use in finding open ports?

Metasploit’s payload will try every available port until it finds an open one. (Going through the entire port range [1–65535] can take quite a long time, however.)

Let’s ...