-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label Data Exfiltration. Show all posts
Showing posts with label Data Exfiltration. Show all posts
  • Try to exfiltrate an interesting file Practical

     


     

     

    Try to exfiltrate an interesting file Practical

    scheme


    A client gives you remote desktop access to a machine and wants you to identify all the possible ways an attacker can exfiltrate data (that is - if he was able to compromise this machine) without changing any firewall setting.  Try to exfiltrate an interesting file Practical

    If you are unfamiliar with the term exfiltration, please refer to the link below.

    Click Here



    Learning objectives


    In this lab, you will learn how to:
     

    1) Assess firewall settings

    2) Leverage insufficiently secure firewall settings 

    3) Encrypt interesting data and exfiltrate them using DNS 

    4) Automatically identify all possible exfiltration ways



    Recommended tools

    1) Kali Linux

    2) Packet Whisper (https://github.com/TryCatchHCF/PacketWhisper)

    3) Wireshark

    4) rdesktop (command line utility)

    5) Egress framework (https://labs.mwrinfosecurity.com/blog/egress-checking)
     

     



    Network configuration & credentials


    Intranet Subnet
    : 172.16.91.0/24
    Under-investigation machine's IP: 172.16.91.100
    Connection Type: RDP


    First you need to download openvpn file and run -


     


     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Documents/ine-lab]
    └─$ sudo openvpn data-exfiltration.ovpn
    2021-12-10 12:23:07 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
    2021-12-10 12:23:07 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
    2021-12-10 12:23:07 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
    🔐 Enter Auth Username: ZzxVBe7hGAGyKa
    🔐 Enter Auth Password: **************          
    2021-12-10 12:23:18 TCP/UDP: Preserving recently used remote address: [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:18 Attempting to establish TCP connection with [AF_INET]69.46.7.227:42817 [nonblock]
    2021-12-10 12:23:18 TCP connection established with [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:18 TCP_CLIENT link local: (not bound)
    2021-12-10 12:23:18 TCP_CLIENT link remote: [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:21 [Hera Openvpn Cluster] Peer Connection Initiated with [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:23 TUN/TAP device tap0 opened
    2021-12-10 12:23:23 net_iface_mtu_set: mtu 1500 for tap0
    2021-12-10 12:23:23 net_iface_up: set tap0 up
    2021-12-10 12:23:23 net_addr_v4_add: 172.16.91.10/24 dev tap0
    2021-12-10 12:23:23 Initialization Sequence Completed
    
    
    

     


    Username: aZsQDu1tFLwoTI
    Password: F88ggxcZ3MNzoj

     

     
    Use a Kali Linux or another penetration testing distribution virtual machine to connect to the 172.16.91.100 machine. You can do so by opening a terminal and executing the below:


    # rdesktop  172.16.91.100 -r disk:linux=/home/hackerboy/Documents/ine-lab

    For why we are using it (disk:linux=/home/hackerboy/Documents/ine-lab), we will know this further.

     

     



     



    Credentials


    Username: AdminELS
    Password: Nu3pmkfyX
     


    Tasks


    Task 1: Connect to and scrutinize the 172.16.91.100 machine.
    Task 2: Identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity.
    Task 3: Try to exfiltrate an interesting file.
    Task 4: Automate enumerating all the exfiltration paths and identify another one.


     

     

    Solutions


    Below, you can find solutions for each task.

    Task 1: Connect to and scrutinize the 172.16.91.100 machine

    Once you are connected to the 172.16.91.100 machine, launch "cmd.exe". First, search for interesting files, such as password.txt, credentials.txt, secrets.txt etc. by executing the following:

     

    cd /
    
    dir /s /b passwords.txt
    
    dir /s /b credentials.txt
    
    
    
    
    


    You will see, that a credentials.txt file exists inside theC:\Documents\Sensitive directory. This file contains a username and password.
     

     

     


     

     

    While you are still inside the Windows terminal (cmd.exe), also check if there are any scripting languages installed. 

     

     

    python --version
    
    g++ -version
    
    powershell ls
      
      

     

     

     


     

     

    The successful execution of the above commands indicates that these scripting languages (Python and PowerShell) are actually installed (or allowed) on the 172.16.91.100 machine.

    These scripting languages contain useful capabilities that can be leveraged by penetration testers during all phases of a penetration test.

     



    Task 2: Identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity

    To identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity, follow the procedures below.




    For ports 80 (TCP), 443 (TCP), 8080 (TCP), 8443 (TCP) the procedure is as follows:

    Launch a Python server specifying the port of choice, in your Kali machine.

    In order to start a Python server, you need to launch a new terminal; go to a directory in Kali where you have files to be shared (for example /tmp), and then type:

     

    # cd /tmp <- To navigate to the /tmp directory.
    
    # python -m SimpleHTTPServer 8080.
    
    
    
    

     


    The /tmp folder is a place where you can put files for a temporary time. The Linux OS itself uses this folder for placing temporary files.

     

    As you can imagine, we will be testing if port 8080 (TCP) is allowed outbound internet connectivity by the 172.16.91.100 machine's firewall.

    You should see something similar to the below screenshot: 


    Identify the tap0 IP address of your Kali machine

    To see the tap0 IP of your Kali machine, open a new terminal and execute the following:

     





    1) Run Wireshark on your Kali machine.


    In order to capture traffic from the lab's network, click on Capture and select Options, then you will click the "tap0" interface and finally press Start (as indicated in the screenshot below).





     



    Configure the DNS server on the 172.16.91.100 machine to point to your Kali machine's tap0 IP (the same as previously used).

    In order to change the DNS settings of the 172.16.91.100 machine, double click the Ethernet0 shortcut that is present on the AdminELS user's Desktop and then:


    1) Select Properties
    2) Choose Internet Protocol Version 4



     

     

     

    From the Internet Protocol Version 4 (TCP/IPv4) Properties window:

    1) Choose Properties
    2) Insert your Kali's tap0 IP address as preferred DNS and click OK.

     





     

     

    Launch a browser in windows, and try to navigate 172.16.91.10


    Now, go to your Kali machine where you have started Wireshark. Observe the DNS traffic issued by the 172.16.91.100 machine. You should see something similar to the screenshot below.

     

     

     


     

     

     

    To check ports 443 (TCP) and 8443 (TCP), perform steps 1-3, which are outlined above. Make sure you specify both the tap0 Kali IP and the port you are currently checking (which is bound by the Python Server) each time. You will identify that these ports are not allowed outbound connectivity.

    For port 53 (UDP), the procedure is:

    Note: If you were inside a real environment, you could simply launch Wireshark and see if you can "sniff" any DNS requests originating from the 172.16.91.100 machine. If this was the case, then port 53 (UDP) would have been allowed outbound connectivity.

    Find below an example of such DNS requests (which are irrelevant to this lab, hence the unrelated IPs)


    Such captured traffic means that the firewall allows DNS traffic outbound (port 53 UDP).

    To summarize our activities thus far, we have identified that ports 8080 (TCP) and 53 (UDP) are allowed outbound connectivity.

     

     

     

    Task 3: Try to exfiltrate an interesting file


    Based on the ports you identified that are allowed outbound connectivity, the stealthier exfiltration way is through port 53 (UDP). PacketWhisper can help you easily exfiltrate data via DNS requests.

    PacketWhisper is a Python-based tool, but luckily we identified that Python is installed on the 172.16.91.100 machine.

    To begin, download PacketWhisper from github. On Kali Linux, there is a convenient way to do this by using "git clone". More specifically:

    On your Kali machine, open a new terminal and execute the below.


    The /tmp path is the one we chose for our machine. You can execute the commands above inside any directory you want.

    For easier transfer, also download PacketWhisper as a zipped file as follows:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ sudo wget https://github.com/TryCatchHCF/PacketWhisper/archive/master.zip
    [sudo] password for hackerboy: 
    --2021-12-11 14:12:17--  https://github.com/TryCatchHCF/PacketWhisper/archive/master.zip
    Resolving github.com (github.com)... 13.234.210.38
    Connecting to github.com (github.com)|13.234.210.38|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://codeload.github.com/TryCatchHCF/PacketWhisper/zip/master [following]
    --2021-12-11 14:12:24--  https://codeload.github.com/TryCatchHCF/PacketWhisper/zip/master
    Resolving codeload.github.com (codeload.github.com)... 13.233.43.20
    Connecting to codeload.github.com (codeload.github.com)|13.233.43.20|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/zip]
    Saving to: ‘master.zip’
    
    master.zip                              [                       <=>                                          ]  28.60M   972KB/s    in 37s      
    
    2021-12-11 14:13:03 (795 KB/s) - ‘master.zip’ saved [29988645]
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ ls
    anydesk             ssh-nCKwBah2CZIz                                                                Temp-34b1d66c-22ba-4d1e-ac38-9cfc255a5e8e
    dbus-cCi149VHMi     systemd-private-05e85aceec3c4a1487cd1d5119244ef5-colord.service-mCOWOf          Temp-37c3f3f2-4307-4b30-a482-090d458e3fd5
    gimp                systemd-private-05e85aceec3c4a1487cd1d5119244ef5-haveged.service-IbYCHi         tracker-extract-3-files.1000
    master.zip          systemd-private-05e85aceec3c4a1487cd1d5119244ef5-ModemManager.service-4cczij    tracker-extract-3-files.131
    mozilla_hackerboy0  systemd-private-05e85aceec3c4a1487cd1d5119244ef5-systemd-logind.service-LZMqei  wireshark_tap0OL9LE1.pcapng
    pulse-PKdhtXMmr18n  systemd-private-05e85aceec3c4a1487cd1d5119244ef5-tor@default.service-GDI7cj
    runtime-root        systemd-private-05e85aceec3c4a1487cd1d5119244ef5-upower.service-NmDrlg
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 
    
    
    

     

     

    Finally, you can again point the browser on the 172.16.91.100 machine to your tap0 IP and port 8080 in order to download the tool.

    Remember that the file you want to download must be in the directory inside which you started the Python server.

     





    Now, you can download the compressed PacketWhisper to the desktop for easier access and unzip it by right-clicking on the archive.

    (To save you time, we have already downloaded PacketWhisper for you and placed it on the AdminELS user's desktop)


    Now it's time to use PacketWhisper. In order to run PacketWhisper:

    1) Launch Wireshark on your Kali Machine again and use the "tap0" interface to listen.
    2) Launch cmd.exe on the 172.16.91.100 machine and go to the PacketWhisper directory.
    3) Copy the credentials.txt file to the PacketWhisper's directory.
    4) Launch PacketWhisper.




    First you need to extract the zip file in the same directory...as mentioned above the screenshot














    Back to your Kali Linux, on Wireshark you should be able to see DNS queries to subdomains of cloudfront.net within the traffic:





    Now, save the Wireshark capture file. Remember to use the .pcap format as per the below screenshot.





    Next, copy the saved pcap file inside the PacketWhisper's directory (in this case it's named file.pcap)

    Finally, open a new terminal and go to PacketWhisper's directory and execute the following.



    ************************ MAY-BE YOU GUYS NOW UNDERSTAND WHY I USED THIS COMMAND (disk:linux=/home/hackerboy/Documents/ine-lab) IN THE BEGINNING WITH rdesktop !!!!!!!!!!!!!!!!! ********************





    Lets Go ahead...



    python PacketWhisper.py
    
    2
    
    file.pcap
    
    1
    
    1
    
    3
    
    [enter]
    
    







































     



    The file should now be successfully decrypted. To view its content, you can execute the below, or double-click the decloaked.file file.






    Task 4: Automate enumerating all the exfiltration paths and identify another one


    During penetration tests, we need to automate a large portion of our commonly executed activities to save time.

    Let's use the egresscheck framework to see how it can automate identifying the ports that are allowed outbound connectivity.

    There might be another port which is allowed outbound connectivity that we missed.

    To download and launch the egresscheck framework, execute the below inside any directory you want on your Kali machine.




    # git clone https://github.com/stufus/egresscheck-framework.git
    
    # cd egresscheck-framework/
    
    # ./ecf.py
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ sudo git clone https://github.com/stufus/egresscheck-framework.git       
    [sudo] password for hackerboy: 
    Cloning into 'egresscheck-framework'...
    remote: Enumerating objects: 393, done.
    remote: Total 393 (delta 0), reused 0 (delta 0), pack-reused 393
    Receiving objects: 100% (393/393), 88.69 KiB | 216.00 KiB/s, done.
    Resolving deltas: 100% (191/191), done.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ cd egresscheck-framework
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ ls
    ecf.py  LICENSE  README.md
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    
    
    
    



    You need to configure the tool by specifying:


    #The tap0 IP of your Kali machine (TARGETIP)
    #The 172.16.91.100 machine's IP (SOURCEIP)
    #A port range (PORTS)
    #The protocol (PROTOCOL)




    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ ./ecf.py          
    
           .mMMMMMm.             MMm    M   WW   W   WW   RRRRR
          mMMMMMMMMMMM.           MM   MM    W   W   W    R   R
         /MMMM-    -MM.           MM   MM    W   W   W    R   R
        /MMM.    _  \/  ^         M M M M     W W W W     RRRR
        |M.    aRRr    /W|        M M M M     W W W W     R  R
        \/  .. ^^^   wWWW|        M  M  M      W   W      R   R
           /WW\.  .wWWWW/         M  M  M      W   W      R    R
           |WWWWWWWWWWW/
             .WWWWWW.        EgressChecker Mini-Framework v0.1-pre2
                         stuart.morgan@mwrinfosecurity.com | @ukstufus
    
    
    egresschecker> set PORTS 8500-9500
    PORTS => 8500-9500 (1001 ports)
    
    egresschecker>  set TARGETIP 172.16.91.10
    TARGETIP => 172.16.91.10
    
    egresschecker> set SOURCEIP 172.16.91.100
    SOURCEIP => 172.16.91.100
    
    egresschecker> set PROTOCOL tcp
    PROTOCOL => TCP
    
    egresschecker> generate powershell-cmd
    
    Warning: The powershell code does not support multiple threads; it will generate packets asynchronously but on a single thread only.
    
    Run the command below on the client machine:
    powershell.exe -e JABpAHAAIAA9ACAAIgAxADcAMgAuADEANgAuADkAMQAuADEAMAAiAAoAJABwAHIAIAA9ACAAIgA4ADUAMAAwAC0AOQA1ADAAMAAiACAALQBzAHAAbABpAHQAIAAnACwAJwAKAGYAbwByAGUAYQBjAGgAIAAoACQAcAAgAGkAbgAgACQAcAByACkAIAB7AAoAIABpAGYAIAAoACQAcAAgAC0AbQBhAHQAYwBoACAAJwBeAFsAMAAtADkAXQArAC0AWwAwAC0AOQBdACsAJAAnACkAIAB7AAoAIAAgACQAcAByAGEAbgBnAGUAIAA9ACAAJABwACAALQBzAHAAbABpAHQAIAAnAC0AJwAKACAAIAAkAGgAaQBnAGgAIAA9ACAAJABwAHIAYQBuAGcAZQBbADEAXQAKACAAIAAkAGwAbwB3ACAAPQAgACQAcAByAGEAbgBnAGUAWwAwAF0ACgAgAH0AIABlAGwAcwBlAGkAZgAgACgAJABwACAALQBtAGEAdABjAGgAIAAnAF4AWwAwAC0AOQBdACsAJAAnACkAIAB7AAoAIAAgACQAaABpAGcAaAAgAD0AIAAkAHAACgAgACAAJABsAG8AdwAgAD0AIAAkAHAACgAgAH0AIABlAGwAcwBlACAAewAKACAAIAByAGUAdAB1AHIAbgAKACAAfQAKACAAZgBvAHIAIAAoACQAYwAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEkAbgB0ADMAMgAoACQAbABvAHcAKQA7ACQAYwAgAC0AbABlACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBJAG4AdAAzADIAKAAkAGgAaQBnAGgAKQA7ACQAYwArACsAKQAgAHsACgAgACAAdAByAHkAIAB7AAoAIAAgACAAJAB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0AAoAIAAgACAAJAB0AC4AQgBlAGcAaQBuAEMAbwBuAG4AZQBjAHQAKAAkAGkAcAAsACAAJABjACwAIAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKACAAIAAgACQAdAAuAEMAbABvAHMAZQAoACkACgAgACAAfQAKACAAIABjAGEAdABjAGgAIAB7ACAAfQAKACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAG0AIAAoADAALgAxACoAMQAwADAAMAApAAoAIAB9AAoAfQA=
    
    Also written to: /tmp/egress_2021dec11_164823_HoaERD.bat
    
    egresschecker> 
    
    
    
    
    
    
    copy to this file in the same directory where you runned this rdesktop program directory
    
    
    
    
    
    
    
    
    

    The generate powershell-cmd. we see above was executed in order to get a single PowerShell command that will help us automate the firewall assessment.


    This encrypted command contains code that will make PowerShell try to access every port from the given range from the 172.16.91.100 machine on your Kali machine.

    Before initiating this procedure on the 172.16.91.100 machine, the following requirements should be fulfilled:


    #Transfer this command to the 172.16.91.100 machine
    #Run Wireshark on your Kali Machine
    #Execute the command on the 172.16.91.100 machine



    You can transfer the command using the Python server, and port 8080 like you did previously.

    To do so, first, go to the directory where the egresscheck framework generated a BAT file (see the purple text message in the image above)

    Egresscheck informs you of this BAT file with a message, which will be similar to the one below:

    "Also written to: /tmp/egress_2019jan16_125152_VNcIt8.bat"

    To serve this file using the Python server, execute the following:


    # cd tmp
    # python -m SimpleHTTPServer 8080







    Download the .bat file generated by the egress framework.

    Next, go back to your Kali machine, execute Wireshark again and point it to listen on the tap0 interface.





    Finally, right-click the downloaded BAT file on the 172.16.91.100 machine and click "Run as administrator."


    A similar window to the one below will pop up. In the meantime, go to Wireshark on your Kali machine and observe the traffic.







    After a short period of time, Wireshark will receive a packet destined to port 9000 - which means that this port is also allowed outbound connectivity on the 172.16.91.100 machine's firewall; this is the third and last port which is allowed outbound connectivity.





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal

     

  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.