Data Exfiltration Methodology

The document describes a lab experiment to exfiltrate a sensitive file from a Windows client to an attacker's machine using DNS tunneling. It explains how the attacker connects to the Windows client, identifies a credentials file to steal, checks for available tools, and determines that outbound connectivity is allowed on port 8080 and on DNS port 53. The attacker then uses PacketWhisper to encode and transmit the credentials file over a DNS covert channel, capturing the traffic with Wireshark on the attacker machine to decode and extract the file.

Uploaded by contact
Lab 3 - Data Exfiltration

First, let's connect to the Windows client using rdesktop.

The aim of the lab is to transfer a sensitive file to our attacker machine. On the client we found a file called
credentials, which contains a username and a password.

Now, let's check which tools are available on the client that could help us transfer this file. We can open a
command prompt on Windows and check.

We have Python and PowerShell available. Next, we check which ports allow outbound connectivity. For that,
we first start a Python HTTP server on our Kali machine on the port we want to test. Here I'm using 8080.
Now, let's try to open the contents of the folder this server is serving, from the browser on our Windows machine.
For that, we first check our Kali machine's IP address.

Let's enter this into the browser, along with the port number of course.

Yes, we can see the contents of the directory. This means that outbound connectivity is allowed on port 8080.
Now, let's check for outbound DNS connectivity. For that, we first change the IPv4 network settings from the
shortcut available on the desktop.

The preferred DNS server IP is set to our Kali machine's IP. Now, let's start Wireshark on our Kali machine and
capture packets on the VPN interface.
When we visit any website in the Windows browser while Wireshark is running, we can see that DNS packets are
captured. This means that outbound connectivity is allowed on the DNS port (port 53) as well.

So now we can use a tool called PacketWhisper to send the credentials file over DNS.
The PacketWhisper folder is already available to us on the machine. First, copy the credentials file into the
PacketWhisper folder.

Now, start a Wireshark capture on the VPN interface on your Kali machine.

Launch the PacketWhisper script.

Choose the appropriate options as shown below.

Select the cipher we want to use.

Now, we can start the broadcast.

Once this process finishes (which will take a while), we can stop the packet capture in Wireshark and save the
capture as a .pcap file. Be careful to save it as a pcap and not any other format. Then we can run PacketWhisper on
our Kali machine and extract the contents from the pcap file by specifying the same options we used when sending
the file.
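The "save it as a pcap" step is easy to get wrong, because Wireshark's default save format is pcapng, which a decoder that only understands classic libpcap files will reject. The following script is an added example, not part of the lab or of PacketWhisper: it classifies a capture file by its magic number and decodes the classic pcap global header so you can confirm the file is what the decoder expects before feeding it in. The sample headers are constructed inline; no real capture is needed to run it.

```python
"""Check that a saved capture is classic libpcap (what a pcap-only decoder expects), not pcapng."""
import struct
import sys

# Magic numbers from the libpcap and pcapng file-format specifications.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">"),     # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"),     # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ("pcap-ns", ">"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("pcap-ns", "<"),  # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def inspect_capture(data):
    """Classify the first bytes of a capture file and decode the classic pcap global header."""
    if len(data) < 4:
        return {"kind": "unknown", "error": "file too short"}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return {"kind": "pcapng"}
    if magic not in PCAP_MAGICS:
        return {"kind": "unknown"}
    kind, endian = PCAP_MAGICS[magic]
    if len(data) < 24:
        return {"kind": kind, "error": "truncated global header"}
    # Fields after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype.
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24]
    )
    return {"kind": kind, "version": f"{major}.{minor}", "snaplen": snaplen, "linktype": linktype}


def is_classic_pcap(data):
    """True only for a well-formed classic pcap header of the current version (2.4)."""
    info = inspect_capture(data)
    return info["kind"] in ("pcap", "pcap-ns") and info.get("version") == "2.4"


# Constructed sample headers (no packet records follow them).
# Classic pcap, little-endian, version 2.4, snaplen 262144, linktype 1 (Ethernet).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
# Minimal pcapng Section Header Block: type, length 28, byte-order magic, version 1.0,
# unknown section length (-1), trailing length 28.
SAMPLE_PCAPNG = PCAPNG_MAGIC + struct.pack("<II", 28, 0x1A2B3C4D) + struct.pack("<HHqI", 1, 0, -1, 28)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(24) if path else SAMPLE_PCAP
    print(inspect_capture(data), "classic pcap:", is_classic_pcap(data))
```

Run it with the path of the file Wireshark wrote; a `kind` of `pcapng` means the capture was saved in the default format and should be re-saved (or converted) as classic pcap before decoding.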

There is also a way to automatically scan for ports allowing outbound connectivity using the egresscheck
framework, as mentioned in the lab. REFER TO THE LAB TOO FOR CLEARER DETAILS.
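The lab shows the attacker's side of a DNS covert channel; the defender's side is spotting it in resolver or capture data. The script below is an added example (not from the lab and not part of PacketWhisper) that applies two generic DNS-tunnelling indicators to query-log lines: one client issuing an unusually large number of distinct subdomains under a single parent domain, and leftmost labels that are long and high-entropy, as encoded data tends to be. The log format, client addresses, the `exfil-test.example` domain and the encoded-looking labels are all constructed for the example. It generalises beyond the specific tool on the page: an encoder that builds its subdomains from dictionary words would only trip the unique-subdomain count, not the entropy check, which is why the two indicators are reported separately.

```python
"""Heuristic DNS-tunnelling indicators over resolver query-log lines.

Assumed (constructed) log format, one query per line:
    <timestamp> <client_ip> <qname> <qtype>
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character in `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def registered_domain(qname):
    """Naive parent domain = last two labels (assumption: no public-suffix list in this example)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_clients(lines, min_queries=10, min_unique=25, entropy_threshold=3.5, min_label_len=20):
    """Group queries by (client, parent domain) and flag groups that look like encoded data."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["client"], registered_domain(rec["qname"]))].append(rec["qname"])

    findings = []
    for (client, domain), names in groups.items():
        if len(names) < min_queries:
            continue
        # Leftmost part of each distinct name, i.e. the subdomain that would carry encoded data.
        prefixes = {n[: -len(domain) - 1] for n in names if n != domain}
        if not prefixes:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        reasons = []
        if len(prefixes) >= min_unique:
            reasons.append("many_unique_subdomains")
        if avg_len >= min_label_len and avg_entropy >= entropy_threshold:
            reasons.append("high_entropy_labels")
        if reasons:
            findings.append({
                "client": client, "domain": domain, "queries": len(names),
                "unique_subdomains": len(prefixes), "avg_entropy": round(avg_entropy, 2),
                "reasons": reasons,
            })
    return findings


def _encoded_label(i):
    # Constructed stand-in for an encoded file chunk: 60 hex characters derived from the chunk index.
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]


# Constructed sample: ordinary browsing lookups from 10.0.0.12, plus 40 encoded-looking
# lookups under one parent domain from 10.0.0.23.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i % 60:02d} 10.0.0.12 {name} A"
    for i, name in enumerate(["www.example.com", "mail.example.com", "example.com"] * 20)
] + [
    f"2024-01-01T10:05:{i % 60:02d} 10.0.0.23 {_encoded_label(i)}.exfil-test.example A"
    for i in range(40)
]

if __name__ == "__main__":
    for finding in score_clients(SAMPLE_LOG):
        print(finding)
```

On the sample the browsing client produces no finding, while the second client is reported with both reasons. The thresholds are starting points to tune against a baseline of your own resolver traffic; CDNs and some security products legitimately generate many distinct subdomains, so the parent domain in each finding is what an analyst should review first.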
