Cloakify-Factory: A Data Exfiltration Tool Uses Text-Based Steganography

In our previous post, we had already discussed on “Cloud Storage Uploads for data exfiltration” and today we are going to discussed “Concealed Method for Data Exfiltration” to extract the unauthorized data. Here you will learn how an intruder can exfiltrate data through steganography approach.

Table of Content

  • Overview
  • About Data Exfiltration
  • Cloakify Installation and Usages (for Linux)
  • Method -I
  • Method II
  • Cloakify Installation and Usages (for Windows)

Overview

We will perform red team practice, where we will attempt to collect the important files from the victim’s machine by inducing steganography with the help of concealed methods. When copying information from the destination machine, we will try to transform the data to befool the network monitors so that they can not identify the data packet travelling in the network.

All this could be performed by using a single tool named “Cloakify Factory”.

Cloakify Factory transforms any filetype (e.g .zip, .exe, .xls,etc.) into a list of harmless-looking string. This lets you hide the file in plain sight and transfer the file without triggering alerts. The fancy terms for this “text-based steganography”, hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.

About Data Exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration

Open Methods:

  • HTTP/HTTPS Downloads & Uploads
  • FTP
  • Email
  • Instant Messaging
  • P2P filesharing

Concealed Methods:

(From Wikipedia)

Cloakify Installation & Usages (for Linux)

CloakifyFactory – Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into a list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection.

Only you need to type following for downloading the cloakify from GitHub in the target machine.

Let’s run the python script to lunch cloakifyfactory.py

CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.

Let’s take an example now that we want to copy a text file “pwd.txt” from within the target system containing the login credentials of different machines in the network.

Method -I

It may be dangerous to copy the text file directly, so we will transform the input file data into another file as output. To do so follow the below steps:

  1. Run the python script to launch cloakifyfactory.py
  2. Press 1 to select cloakify a file option
  3. Enter the path of the source file that you want to transform an the input file.
  4. Enter the path of the destination file to where you want to save the output.

 

Further, you will get a list of ciphers, choose the desired option for encrypting the file. Suppose I want the whole content to get changed into facial emojis.

  1. Press 3 for emoji cipher
  2. Allow to Add noise to cloaked file by pressing Y for yes.
  3. Then press 1 to select prependemoji.py as a noise generator.

This will save the output result inside the raj.txt file.

As result, you will get the output content something like shown in the below image.

Now if you want to obtain the output result in its original format, then you can go with the decloakify option which will revert the transformation into its original existence, but before that, you have to give all permissions to removeNoise.py

To do so follow the below steps:

  1. Run the python script to launch cloakifyfactory.py
  2. Press 2 to select decloakify a file option
  3. Enter the path of the file that you want to restore back into its original format.
  4. Enter the path of the file to where you want to save the output.

Press Y to answer yes because we have added noise to cloaked file and select noise generator.

Method II

Again, we have a similar file that we want to cloaked into another format directly without operating the cloakifyfactory console.

 

This time you can use a single command to cloak the file by adding specify the type of cipher as given below:

After executing the above command, we can observe the output result would be something like this as shown in the below image.

So we have used the file.txt file as destination file to save the transformed information inside it without printing the output result on the screen. Moreover, further, we have used decloak command to revert the transformed file back into its original state.

Cloakify Installation and Usages (For Windows)

As we all know this is an exfiltration tool and data could be exfiltrate from any platform either from Linux or Windows based OS, therefore cloakifyfactory has built the application both platforms. In the 1st phase, we have use python-based application for Linux machine and now remotely we are going to deploy cloakify factory inside Windows machine using MSI package of python for our python based application.

Thus, we downloaded the MSI package in our local machine (Kali Linux):

Now our purpose is to show how an intruder can remotely exfiltrate the data using cloakifyfactory. So, we had compromised the system first and got the meterpreter session and then uploaded the MSI package inside the victim’s machine to install the dependency required for python.

Now download the zip file for cloakifyfactory from GitHub in your local machine.

We also need to download 7-zip exe program for extracting the cloakify-master.zip.

Now extract the 7za920.zip  and you will get the 7za.exe file that we have to inject in the victim’s machine.

Now let’s upload 7za.exe and cloakfy-master.zip in the remote system. And further, use the 7za.exe program to unzip the cloakify-master.zip.

Therefore, execute the following command:

Now we want to transfer the secret.txt file of the compromised machine but directly copying the file might generate the alert, therefore, we will transform the data as done above.

Now again we try to covert the content of the secret.txt file by hiding it behind the cloaked file. And it is very simple as performed earlier with little modification. So now we can run the cloakify.py file with the help of python.

Thus, we can observe that with the help of cloakify we have transformed the filetype cannot be detected easily.

Conclusion: cloakify-factory could be very useful for exfiltrating data internally as we saw it has many cipher script that used to the cloaked data file and hence it is a very effective tool for performing text-based steganography.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Data Exfiltration using PowerShell Empire

In our previous post, we had already discussed “Command and Control with DropboxC2”  But we are going to demonstrate Data Exfiltration by using PowerShell Empire where we will extract the unauthorized data inside our Dropbox account. Here you will learn how an intruder can exfiltrate data over cloud storage.

What is Data Exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration

Open Methods:

  • HTTP/HTTPS Downloads & Uploads
  • FTP
  • Email
  • Instant Messaging
  • P2P filesharing

Concealed Methods:

  • SSH
  • VPN
  • Protocol Tunneling
  • Cloud Storage Uploads
  • Steganography
  • Timing channel

(From Wikipedia)

Generate Token Via Dropbox API

In order to do that, this tool requires a Dropbox API. To get that, first, create an account on Dropbox. Then after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then in the type of access section, we will choose “App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and

Generate access token. This will give the Dropbox API required for this particular practical; now copy the generated token.

Data Exfiltration

Now we are going to use Powershell empire for exfiltration, considering we have already compromised the victim machine and we are about to complete our mission by copying data from inside the victim without his knowledge.

As you can observe we have Empire-agent which means I have already spawned shell of victim’s machine and Empire has post exploit for data exfiltration where we will use the above token.

As you can observe that I have notes.txt inside /my files which means we have successfully transferred the data from a source location to destination.

Thus, in this way, we have successfully transferred the data from the victim’s machine to our dropbox and hence this technique is known as dropbox exfiltration.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Get Meterpreter Session Alert over slack

You’re going to learn ShellHerder in this post. It is a technique used to monitor all the sessions of Metasploit/Meterpreter. The basic idea to create it, that new incoming sessions could be easily monitored when Intruder cannot access the listener. This approach is quite helpful when a Pen-tester wants to get an alert for live phishing campaigns or another attack by monitoring for new sessions.

Table of Content

Introduction to ShellHerder

Registering on Slack

  • Add WebHooks App
  • Configure WebHooks App

Download & Configure ShellHerder

Working Demo

Introduction to ShellHerder

ShellHerder uses session subscriptions to monitor activity and then sends an alert to Slack using Slack’s Incoming WebHooks. The alert is sent using the WebHook URL and a POST request and will tag a specified username and provide the computer name of the server with the session.

Registering on Slack

We need a workspace on slack to use slack. To do this we need to register on slack. To create a new workspace on slack, click here. This will require an email address. After that, it is required to create a channel. Here, we named our channel “live server”.

Add WebHooks App

To receive the updates from the Metasploit, we need to an app installed in the channel. Webhooks is the app that is perfect for this job. Now in order to add Webhooks, we first clicked on the Add an app Button inside our channel. Now, we will search for incoming Webhook and add it.

Configure WebHooks App

After adding the Webhooks, we will be asked to configure some settings for the app. This will include the configuring the channel on which the incoming notifications will be broadcasted. Here we select our channel and click on the Add Integration Button.

After clicking the Add integration button, we will be presented with the WebHooks URL. Copy this URL, we are going to need it while we configure Notify.

Download & Configure ShellHerder

Now, we need to work upon our Kali Linux. We are going to use Shell Herder to connect to slack. This Metasploit plugin is aimed to keep an eye on the sessions. All including the ones which are opened or closed. It uses session subscriptions to monitor activities and can be linked to slack, which we just got setup.

After downloading Shell Herder via git clone, we moved the directory inside the Metasploit Framework. So that we can use it directly inside the Framework. After copying the directory, we open an instance of the Metasploit Framework and load the notify plugin as shown in the image given image.

Now, we will use the command notify_show_options to check for any pre-configured settings. Now that we can’t find any. It was time to set the Webhook URL, which we copied earlier and add it inside the notify plugin. Also, we set the Slack User id and Source. After entering the relevant data, use the save command to save the configuration. Now that we have configured the Notify, Let us send a test message to see if the configuration is correct and working.

As we can see in the given image that, the slack received the test message we sent via Notify.

Working Demo

Now, to test the real working of Notify, we will exploit a machine, so that we can observe, whether or not it will notify us, when we get a session. We are exploiting a Windows machine using web delivery.

As we expected, we got the notification on our slack channel, as soon as we got the session.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

Covert Channel: The Hidden Network

Generally, the hacker uses a hidden network to escape themselves from firewall and IDS such. In this post, you will learn how to steal information from the target machine through the undetectable network. Such type of network is known as a covert channel which seems as generic traffic to any network monitor device/application and network admin. It could be considered as steganography, but it is not exactly steganography. Two endpoint users can use the covert channel for undetectable communication from network admin.

The red teamers use covert channels for data exfiltration in red teaming operations through a legitimate network and the data exfiltration is a process of secretly sharing data between two endpoints.

Table of Content

What is Covert channel

  • Type of covert channel

Covert channel attack using tunnelshell

  • What is Tunnelshell
  • Covert ICMP Channel
  • Covert HTTP Channel
  • Covert DNS Channel

What is the covert channel?

The word covert means “hidden or undetectable” and Channel is “communication mode”, hence a covert channel denotes an undetectable network of communication. This makes the transmission virtually undetectable by administrators or users through a secret channel. It’s very essential to know the difference between encrypted communication and covert communication. In covert communication, the data stream is garbled and lasting by an unauthorized party. However, encrypted communications do not hide the fact that there has been a communication by encrypted the data travelling between both endpoints.

Type of covert channel

Storage covert Channel: Communicate by modifying a “storage location”, that would allow the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another.

Timing Covert channels – Perform operations that affect the “real response time observed” by the receiver.

Note: The well – known Spectre and Meltdown use a system’s page cache as their covert channel for exfiltrating data.

The specter and Meltdown attacks work by tricking your computer into caching privileged memory and through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and the power of the page cache. Once privileged memory is accessed the processor caches the information and the processor is able to retrieve it from the cache, regardless of whether its privileged information or not.

Read the complete article from here.

Covert Channel Attack Using Tunnelshell

It is possible to use almost any protocol to make a covert channel. The huge majority of covert channel research has based on layer 3 (Network) and layer 4 (Transport) protocols such as  ICMP, IP and TCP. Layer 7 (Application) protocols such as HTTP and DNS are also frequently used. This mechanism for conveying the information without alerting network firewalls and IDSs and moreover undetectable by netstat.

What is tunnelshell?

Tunnelshell is a program written in C for Linux users that works with a client-server paradigm. The server opens a /bin/sh that clients can access through a virtual tunnel. It works over multiple protocols, including TCP, UDP, ICMP, and RawIP, will work. Moreover, packets can be fragmented to evade firewalls and IDS.

Let’s go with practical for more details.

Requirement

  • Server (Kali Linux)
  • Client (Ubuntu18.04)
  • Tool for Covert Channel (Tunnelshell) which you can download from here.

Here, I’m assuming we already have a victim’s machine session through the c2 server. Now we need to create a hidden communication channel for data exfiltration, therefore, install tunnelshell on both endpoints.

Once you download it, then extract the file and compile it as shown below:

Similarly, repeat the same at the other endpoint (victim’s machine) and after completion, execute the following command in the terminal to open communication channel for the server (Attacker).

By default, it sends fragment packet, which reassembles at the destination to evade from firewall and IDS.

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

Syntax: ./tunnel -i <session id (0-65535)> -d <delay in sending packets> -s <packet size> -t <tunnel type> -o <protocol> -p <port> -m <ICMP query> -a <ppp interface> <Victim’s IP>

frag: It uses IPv4 fragmented packets to encapsulate data.  When some routers and firewalls (like Cisco routers and default Linux installation) receives fragmented packets without headers for the fourth layer, they permit pass it even if they have a rule that denies it. As you can observe that it is successfully connected to 10.10.10.2 and we are to access the shell of the victim’s machine.

As I had said, if you will check the network statics using netstat then you will not observe any process ID for tunnelshell. From the given below image, you can observe that with the help of ps command I had checked in process for tunnelshell and then try to check its process id through netstat.

Let’s take a look of network traffic generated between 10.10.10.1 (Attacker’s IP) and10. 10.10.2 (Victim’s IP) using Wireshark. The network flow looks generic between both endpoints, but if it monitors properly, then a network administrator could sniff the data packet. As you can observe that Wireshark has captured the covert traffic and sniff the data that was travelling between two endpoint devices.

Covert ICMP Channel

As we know Ping is the use of ICMP communication that use icmp echo request and icmp echo reply query to establish a connection between two hosts, therefore, execute the below command:

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

As you can observe that it is successfully connected to 10.10.10.2 and the attacker is able to access the shell of the victim’s machine.

Again, if you will capture the traffic through Wireshark then you will notice the ICMP echo request and reply packet is being travelled between both endpoints. And if you will try to analysis these packets then you will be able to see what kind of payload is travelling as ICMP data.

Covert HTTP Channel

It establishes a virtual TCP connection without using three-way handshakes. It doesn’t bind any port, so you can use a port already use it by another process, therefore execute the below command:

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

As you can observe that it is successfully connected to 10.10.10.2 and again attacker is able to access the shell of the victim’s machine.

on other side, if you consider the network traffic then you will notice a tcp communication establish without three-way-handshake between source and destination.

Covert DNS Channel 

To establish DNS covert channel, we need to run UDP tunnel mode on both endpoint machines. Therefore, execute the following command on the victim’s machine:

Similarly, execute following on your (Attacker) machine to connect with a tunnel.

As you can observe here the DNS malformed packet contains the data travelling between both endpoint machine.

Conclusion: Covert channel does not send encrypted data packet while data exfiltration, therefore, it can easily sniff, and network admin can easily conduct data loss and risk management.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here