Data Exfil

Red Teaming exercises help make organizations aware of their vulnerabilities and of how adversaries can exploit them. While a good penetration tester can find these vulnerabilities and exploit them, a Red Teamer goes further: testing the readiness of the organization at every level and providing a view into an adversary's capabilities. Red Teamers can also aid remediation by continuing to provide adversarial thinking and poking holes in the plans.

One thing that is key for pentesters and Red Teamers alike (as well as actual attackers) is the different ways of extracting data. Data exfil has to be done in a way that is not only reliable but also stealthy, hidden from the various intrusion countermeasure systems.

Once you have breached a system, and from there the network, you start to move inside it searching for interesting data. You need to show your customer that their systems are vulnerable and that valuable data can be exfiltrated.

There are many common data exfil methods. One is to simply attach the data to an email and send it out. Another is to send the data as part of an instant messenger chat, or even to leverage an ongoing Skype connection. The trick is to use the right APIs and piggyback on an existing session in the hope of remaining hidden. A different and easier way is to force a program to connect to the internet, or leverage one that is already connected, inject your data into it and perform an HTTP, SFTP or other protocol request to carry the data out. The connected program hopefully belongs to a trusted user and helps hide the exfil. Another common way is to piggyback on the system's constant background network traffic (such as NetBIOS on Windows, software updates, etc.) or on DNS requests, and send the data inside those packets.

These methods are fairly easy to implement, and unless you have good monitoring software and a team that knows what it's doing, the exfil will remain hidden (well, unless you send Gb upon Gb of data out all at once... You have to be clever).
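To show what "good monitoring" can look like for the DNS channel mentioned above, here is an added example (not code from the original post) of a minimal tunnel heuristic run over a constructed resolver log. It flags a client that sends several distinct long, random-looking subdomains to one domain, while a single long CDN-style label stays below the bar; the "last two labels = registered domain" rule is an assumption, a real tool would use the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs standing in for resolver logs.
# Not taken from any real capture.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn-assets.static.example.com"),
    # one long random-looking label on its own: typical of CDNs and cache-busting, not a tunnel
    ("10.0.0.5", "k3j9d8f7g6h5a4s3d2f1g0h9j8k7l6m5.edge.example.org"),
    # three distinct 32-char chunks to the same domain from one host: tunnel-like pattern
    ("10.0.0.7", "0123456789abcdefghijklmnopqrstuv.t.example.net"),
    ("10.0.0.7", "wxyz0123456789abcdefghijklmnopqr.t.example.net"),
    ("10.0.0.7", "stuvwxyz0123456789abcdefghijklmn.t.example.net"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(name: str):
    """Return (subdomain prefix, registered domain). Assumption: the last two labels
    are the registered domain; a real tool would consult the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_tunnel_like(prefix: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """A single query is tunnel-like when its prefix is both long and random-looking."""
    return len(prefix) >= min_len and shannon_entropy(prefix) >= min_entropy

def find_suspicious_domains(log, min_unique: int = 3):
    """Flag (client, domain) pairs that sent at least min_unique distinct tunnel-like
    prefixes; aggregating per domain keeps one-off long CDN labels from firing."""
    seen = defaultdict(set)
    for client, name in log:
        prefix, domain = split_name(name)
        if is_tunnel_like(prefix):
            seen[(client, domain)].add(prefix)
    return sorted((c, d, len(p)) for (c, d), p in seen.items() if len(p) >= min_unique)

if __name__ == "__main__":
    for client, domain, n in find_suspicious_domains(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain}: {n} distinct long high-entropy prefixes")
```

Thresholds here are illustrative; in practice they are tuned per environment and combined with per-client query volume and TXT/NULL record-type ratios.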

You also have the more sophisticated methods, built to remain hidden. These are used by the most advanced adversaries, and even though you can buy them online, they are usually tailored to the specific attack and network.

Data exfil is, in my opinion, one of the most important parts of a successful attack. Unless your goal is simply to disable a network, server or device, you need to be able to extract information reliably and stealthily, which is why data exfil remains one of the most crucial parts of the operation.