Data Elf-iltration

Data Exfiltration Techniques

Companies have Data Loss Prevention systems to prevent data exfiltration. Data Exfiltration is the technique of transferring unauthorized data out of a network. Data Loss Prevention systems are not perfect, and they can allow data that is classified to leave the network. This is where the Security Operations Center (SOC) comes in.

Part of the job of a SOC Tier 1 Analyst is to determine whether an attack has actually occurred, which can be identified by many means. An easy way to do that is to review Wireshark captures from the network and search for data exfiltration techniques. It is easier to spot data that we know shouldn't be leaving the network than to determine if an APT (Advanced Persistent Threat) is inside. APTs can often be hidden deep inside the network, often abusing Kerberos and its Ticket Granting System to gain permanent access.

Some Data Exfiltration techniques include:

  • DNS

  • FTP/SFTP based file transfer

  • SMB based file transfer

  • HTTP/HTTPS

  • Steganographical methods, like hiding data within images

  • ICMP

  • And many more

As long as a Data Exfiltration attempt is not occurring over an encrypted protocol, spotting it with Wireshark can be incredibly simple. DNS is the single most common technique used in Data Exfiltration, mainly because it blends in with normal traffic. It is difficult to determine which DNS traffic is malicious, since DNS is used on just about every single device in the network.

An attacker can have his website set up to listen for data on any subdomain other than www and record it to a file, so the contents can be examined later.

Another technique is using photos to transfer data via Steganography. The attacker may embed a hidden file within an image using a utility like Steghide [Note: Must be installed on Kali] (which we can also use to extract the data). If we notice that a specific IP has requested a specific, seemingly random image (like Google's logo on a website that is not Google), we may choose to investigate.

We can extract the contents of the file using Wireshark by going to File -> Export Objects -> HTTP -> google.jpg.

Then we can extract any potential contents of the file with Steghide with the command:

steghide extract -sf ./<file to extract>.jpg

As long as the file is transferred over HTTP, TFTP, FTP, or SMB, the data can be extracted from the packet capture. Some attackers may attempt to obfuscate the data further by placing it in an encrypted zip file. Luckily for us, there are tools like fcrackzip (Note: fcrackzip is not preinstalled on Kali) that allow us to brute force zip files. The syntax is as follows:

fcrackzip -b --method 2 -D -p /usr/share/wordlists/rockyou.txt -v ./file.zip

-b specifies brute forcing, --method 2 specifies a Zip file, -D specifies a dictionary, -p the path to the wordlist, and -v verifies that the password is indeed correct.

Filtering the pcap for DNS packets, we can notice some data being exfiltrated.

This data seems to be hex encoded, and converting it to ASCII gives us the answer.
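The two DNS passages above (the attacker recording whatever arrives on a subdomain, and the hex-encoded chunks that decode to the answer) can be turned into a small detector. The following is an added example, not part of the original write-up: it takes a constructed list of query names, as Wireshark's `dns.qry.name` column would show them, groups hex-only subdomain labels by their parent domain, and decodes any domain that received enough of them. The domain `holidaydeals.example`, the message, and the "last two labels are the registered domain" rule are all assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query names, as Wireshark's dns.qry.name column would show
# them; holidaydeals.example is a stand-in for an attacker-controlled zone.
SAMPLE_QUERIES = [
    "www.google.com",
    "446561722053616e.holidaydeals.example",
    "time.windows.com",
    "74612c2049207761.holidaydeals.example",
    "74612c2049207761.holidaydeals.example",  # retransmission of the previous query
    "mail.corp.example",
    "6e74206120706f6e.holidaydeals.example",
    "792e.holidaydeals.example",
    "cdn.images.example",
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def split_query(name):
    """Split 'a.b.example.com' into ('example.com', ['a', 'b']).

    Assumption: the registered domain is the last two labels. Production code should
    consult the public suffix list (co.uk and friends break this rule)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def is_hex_chunk(label):
    """Even-length, hex-only labels are the ones bytes.fromhex can decode."""
    return len(label) % 2 == 0 and bool(HEX_LABEL.match(label))


def find_hex_exfil(queries, min_chunks=3):
    """Collect hex-only subdomain labels per domain; decode domains with enough of them.

    Returns {domain: decoded_bytes}. Exact duplicate query names (DNS retransmissions)
    are dropped, and chunks are reassembled in the order of first appearance, which is
    what a sequential exfiltration loop produces."""
    chunks_by_domain = defaultdict(list)
    seen = set()
    for q in queries:
        if q in seen:
            continue
        seen.add(q)
        domain, subs = split_query(q)
        # Only flag queries where every subdomain label looks like hex data;
        # 'www', 'mail', 'cdn' never qualify.
        if subs and all(is_hex_chunk(s) for s in subs):
            chunks_by_domain[domain].extend(subs)
    return {
        domain: bytes.fromhex("".join(chunks))
        for domain, chunks in chunks_by_domain.items()
        if len(chunks) >= min_chunks
    }


if __name__ == "__main__":
    for domain, data in find_hex_exfil(SAMPLE_QUERIES).items():
        print(f"{domain}: {data.decode('ascii', errors='replace')}")
```

The `min_chunks` threshold is what keeps a single odd-looking CDN hostname from raising an alert; a real tunnel produces hundreds of such queries. Hex is only the encoding this capture happened to use: base32 and base64 labels are just as common, so a production rule should also look at label length and the number of unique subdomains per parent domain rather than the character set alone.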

By extracting this data we have an image, a zip file and a text/html file.

Using fcrackzip we managed to find the password for the zip file.
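The fcrackzip run described in the syntax section and used here is, at its core, a loop that tries each wordlist entry against the archive and then verifies the hit. The following added example (not from the original write-up, and not fcrackzip's own code) shows that loop in Python's standard library. Because `zipfile` can read but not write ZipCrypto archives, the block also carries a small ZipCrypto encrypter so it can build its own sample archive offline; the file name `christmaslist.txt`, the message, the password `candycane` and the five-word list standing in for rockyou.txt are all constructed.

```python
import io
import struct
import zipfile
import zlib


def _make_crc_table():
    """CRC-32 table (polynomial 0xEDB88320), as used by the ZipCrypto key schedule."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _make_crc_table()


class ZipCryptoEncrypter:
    """Minimal traditional PKWARE (ZipCrypto) key stream, the mirror of zipfile's decrypter."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc, b):
        return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]

    def _update(self, b):
        self.k0 = self._crc(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            k = self.k2 | 2
            out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, plain: bytes, password: bytes) -> bytes:
    """Build a one-entry, stored (uncompressed) ZipCrypto archive in memory."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus the CRC's high byte. Unzippers
    # compare that byte before decrypting the entry, so a wrong password is usually
    # rejected at once, but 1 in 256 wrong passwords slips past this check.
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncrypter(password).encrypt(header + plain)
    flags, method, dos_time, dos_date = 1, 0, 0x5400, 0x5799  # flag bit 0 = encrypted
    local = struct.pack("<4s5H3I2H", b"PK\x03\x04", 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(plain), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def open_entry(archive: bytes, password: str):
    """Return the decrypted first entry, or None when the password is wrong."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            return zf.read(zf.namelist()[0], pwd=password.encode())
        except RuntimeError:
            return None  # failed the 1-byte header check
        except zipfile.BadZipFile:
            return None  # passed the header check by chance, failed the full CRC


def dictionary_attack(archive: bytes, wordlist):
    """Return the first wordlist entry that fully opens the archive, else None."""
    for candidate in wordlist:
        if open_entry(archive, candidate) is not None:
            return candidate
    return None


# Constructed sample: the archive an attacker might have sent over HTTP.
SECRET = b"Dear Santa, I want a pony. - Timmy\n"
WORDLIST = ["123456", "password", "santa", "candycane", "elf"]  # stand-in for rockyou.txt
SAMPLE_ZIP = build_encrypted_zip(b"christmaslist.txt", SECRET, b"candycane")

if __name__ == "__main__":
    print("password:", dictionary_attack(SAMPLE_ZIP, WORDLIST))
```

Run it and the loop reports `candycane`. The reason a verification step matters is visible in `open_entry`: the header check only rules out 255 of every 256 wrong guesses, so a candidate is accepted only after the whole entry decrypts to the stored CRC. On a captured archive, replace `SAMPLE_ZIP` with the bytes exported from Wireshark and `WORDLIST` with the lines of a real wordlist.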

We can notice the christmaslisttimmy.txt file, which has the answer.

Using steghide we can extract the hidden contents of the TryHackMe.jpg file and reveal the answer.
