This article discusses data exfiltration techniques that use the HTTP protocol and explains why HTTP is one of the stealthiest methods for exfiltrating data. It covers post-exploitation techniques and demonstrates them in a practical lab setup. This was part of the TryHackMe DNS Data Exfiltration room.

What is Data Exfiltration

Data Exfiltration is the process of taking an unauthorized copy of sensitive data and moving it from inside an organization's network to the outside. It is important to note that Data Exfiltration is a post-compromise process: the threat actor has already gained access to the network and performed various activities to get their hands on sensitive data. Data Exfiltration often happens at the last stage of the Cyber Kill Chain model, Actions on Objectives.

Data exfiltration channels are also used to hide an adversary's malicious activities and bypass security products. For example, the DNS exfiltration technique can evade security products such as a firewall.

Sensitive data comes in many types and forms, and it may include the following:

  • Usernames and passwords, or any other authentication information.
  • Bank account details.
  • Business strategic decisions.
  • Cryptographic keys.
  • Employee and personnel information.
  • Project code data.

How to use Data Exfiltration

There are three primary use cases for data exfiltration:

  1. Exfiltrating data.
  2. Command and control communications.
  3. Tunneling.

Why Use HTTP for Data Exfiltration?

HTTP traffic is difficult to distinguish from normal web traffic. It is one of the stealthiest methods because security tools often overlook HTTP POST requests. Compared to other protocols (TCP, SSH), HTTP is harder to detect.

Data Exfiltration Methods

A. HTTP POST Requests 📡

  • Attackers establish a web server to receive stolen data.
  • A compromised machine sends HTTP POST requests containing data.
  • The attacker’s server processes and stores the received data.
  • Advantage: the POST body is not recorded in the web server's access log, whereas GET parameters appear in the logged URL.

B. HTTPS for Secure Exfiltration

  • Similar to HTTP, but encrypted with SSL/TLS.
  • Requires a self-signed SSL certificate to avoid detection.
  • More secure and stealthier than HTTP.

C. HTTP Tunneling for Advanced Exfiltration

  • Creates a tunnel between an agent and a server.
  • Uses Neo-reGeorg as an exfiltration tool.
  • Allows attackers to bypass firewalls and reach internal network resources.
  • Example:
    • A tunneling agent is placed on the compromised machine.
    • A tunneling server is set up on the attacker’s machine.
    • Once the tunnel is active, attackers can access internal resources as if they were inside the network.

Check out the video below for a detailed explanation.

TryHackMe Data Exfiltration

The video walks through real-world exploitation, including:

  1. Setting up an attacker machine with a web server.
  2. Accessing logs to see how HTTP requests work.
  3. Using curl to send HTTP POST requests with encoded data.
  4. Fixing encoding issues when exfiltrating base64 data.
  5. Deploying an HTTP tunnel to access hidden network resources.
  6. Extracting sensitive data (flags, credentials).
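As an added illustration of steps 2 and 3 (and of the GET-versus-POST point above), here is a small Python log-review script that is not from the room or the original post. It parses constructed Apache combined-format access-log lines (the addresses, paths and values are made up), shows that GET parameters are recorded verbatim while a POST body leaves nothing behind, and flags both with a crude heuristic that is an assumption of this example, not a rule from the room: a non-browser User-Agent such as curl.

```python
# Added example (not from the TryHackMe room or the original post): parse
# Apache "combined" access-log lines and show what an exfiltration attempt
# leaves behind. GET parameters survive in the logged request line; a POST
# leaves only the path, so its body is invisible and the request has to be
# flagged on other attributes (method, user agent, path).
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (the default on many Debian/Ubuntu hosts).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; addresses, paths and values are made up.
# The last line carries a base64 value containing '+', which the log
# consumer decodes as a space (the encoding issue step 4 of the video fixes).
SAMPLE_LOG = """\
10.10.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /?secret=cGFzc3dvcmQ= HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.10.0.5 - - [12/Mar/2024:10:01:15 +0000] "POST /contact.php HTTP/1.1" 200 12 "-" "curl/7.88.1"
10.10.0.5 - - [12/Mar/2024:10:01:21 +0000] "GET /?d=YWI+Yw== HTTP/1.1" 200 12 "-" "curl/7.88.1"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review_log(text):
    """Return one finding per request: what the log reveals and whether to flag it."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        # Crude heuristic (assumption): anything not claiming to be a browser.
        tool_ua = not rec["ua"].startswith("Mozilla")
        if rec["method"] == "GET":
            # Query-string parameters are recorded verbatim in the request line.
            suspicious = bool(query) and tool_ua
            detail = {k: v[0] for k, v in query.items()}
        else:
            # POST bodies are not logged; only method, path, UA and size remain.
            suspicious = tool_ua
            detail = "body not logged"
        findings.append({"method": rec["method"], "ua": rec["ua"],
                         "detail": detail, "flag": suspicious})
    return findings
```

Run `review_log(SAMPLE_LOG)` to see that the second and fourth GETs expose their payload in the log while the POST exposes nothing but its path, and that the '+' in the last value has already become a space by the time a defender reads it.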

💡 Interesting Facts

🔸 GET vs. POST for Exfiltration: POST parameters travel in the request body, so the web server's access log does not record them, whereas GET parameters are logged as part of the URL; this makes POST stealthier.
🔸 Tunneling can bypass firewalls by making traffic look like regular HTTP/HTTPS requests.
🔸 Neo-reGeorg is a popular tool for HTTP tunneling in penetration testing.

Room Answers | TryHackMe Data Exfiltration

Check the Apache log file on web.thm.com and get the flag!

THM{H77P-G37-15-f0un6}

When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?

THM{H77p_7unn3l1n9_l1k3_l337}

Video Walkthrough | TryHackMe DNS Data Exfiltration

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
