Data Exfiltration
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Not much here yet...please feel free to contribute at my GitHub page.
Exfiltrate Data Using BITS Jobs
First, you must import the BitsTransfer PowerShell Module with Import-Module BitsTransfer
. After you import the BitsTransfer module, the following cmdlets are available:
Add-BitsFile
Adds files to a BITS transferComplete-BitsTransfer
Completes a BITS transferGet-BitsTransfer
Gets a BITS transferRemove-BitsTransfer
Stops a BITS transferResume-BitsTransfer
Resumes a suspended BITS transferSet-BitsTransfer
Configures a BITS transfer jobStart-BitsTransfer
Creates and starts a BITS transfer jobSuspend-BitsTransfer
Pauses a BITS transfer job
For example, the following Windows PowerShell command begins a BITS transfer from the local computer to a computer named CLIENT:
When running Windows PowerShell interactively, the PowerShell window displays the progress of the transfer. The following command uses an abbreviated notation to download a file from a Web site to the local computer:
Manage BITS with PowerShell - Microsoft:
Exfiltrate Data Using FTP
See this section under Privilege Escalation
Exfiltrate Data Using SMB
Create an SMB share
This command creates an SMB share named "Exfil" and grants Full Access permissions to "$Domain\$UserName".
For more about the New-SmbShare PowerShell cmdlet:
See this section under Privilege Escalation for more
AES Encrypt and HTTP POST with PowerShell
If you set up a web server to accept post requests, you can either AES encrypt or base64 encode your target data and simply send an HTTP request to the server with the data.
Warning: SecureString has a maximum length of 65536 characters. This limits the size of the file that can be sent to about 65kb.
Example with AES encrypted payload:
You can also skip the last command to send the web request, and simply print the encoded data to the screen and copy to your other terminal (may create a very long wall of text if the file is large!).
To decode the data on the other side simply reverse the process:
Simply input the $encrypted_payload
argument with the actual content that was sent in the body of the HTTP request, and you will have your exfiltrated file!
You may need to be cognizant of the character encoding of text files you are trying to send. If the file decrypts with no errors, but looks like garbage or random chinese characters, then you may need to use the -UTF8
argument for the Decrypt_file
function above.
Output filesize for UTF-8 encoded files may be doubled, due to output being UTF-16le by default.
References:
Covert to and from Base64 with PowerShell
You can always convert your data or files to be exfiltrated to Base64 text and simply copy and paste this in your terminal (or use bash/PowerShell magic to convert your target data back). See this section under Privilege Escalation for more information on this technique.
Send an email with PowerShell
PowerShell Send-MailMessage
cmdlet
Send-MailMessage
cmdletThe
From
parameter to specify the message's sender.The
To
parameter specifies the message's recipients.The Subject parameter describes the content of the message.
The Body parameter is the content of the message.
The
Attachments
parameter specifies the file in the current directory that is attached to the email message.The
Priority
parameter sets the message to High priority.The
-DeliveryNotificationOption
parameter specifies two values,OnSuccess
andOnFailure
. The sender will receive email notifications to confirm the success or failure of the message delivery.The
SmtpServer
parameter sets the SMTP server to smtp.fabrikam.com.
According to Microsoft this cmdlet has been deprecated with no replacement. However, if it is present on the machine it should still work!
Misc
Web services
Anon paste sites like Pastebin offer an easy exfiltration channel.
GitHub and other code versioning sites are often permitted in many technical organizations.
Many common file-storage sites like OneDrive, Dropbox, Google Drive, and Box are often permitted, especially if an organization outsources to shared cloud services.
File-transfer Programs
In addition to the methods listed above, the following programs can be used to transfer files, provided you have copied the program to the victim machine, and it is not blocked:
netcat
socat
tftp
SCP
The attacker has to have SSHd running.
Airgap Exfiltration
References
If you like this content and would like to see more, please consider buying me a coffee!
Last updated