
Data Exfiltration Techniques and Countermeasures (Pentester’s Perspective)

Presented at null Dubai Meet 27 October 2017 Monthly Meet


Pralhad Chaskar

October 27, 2017


  1. Data Exfiltration Techniques and Countermeasures (Pentester’s Perspective)

     By: Pralhad Chaskar (@c0d3xpl0it)
  2. Data Exfiltration

     Exfiltration refers to techniques and attributes that result in, or aid, the adversary removing files and information from a target network.
     Ref: https://attack.mitre.org/wiki/Exfiltration
  3. What are the crown jewels of any business?

     • Personal Identifying Information (PII)
     • PCI data
     • Patient Health Information (HIPAA)
     • Intellectual property
     • Etc.
  4. Why do pentesters need to know exfiltration?

     • A regular pentest revolves around finding and exploiting a particular vulnerability in a system, or testing security controls at the current point in time, or achieving Domain Admin ;)
     • When attackers are exfiltrating data from victims, why can't we test the same and aid customers before an outsider exploits it?
  5. Ways of Exfiltration

     • Automated Exfiltration
     • Data Compressed
     • Data Encrypted
     • Data Transfer Size Limits
     • Exfiltration Over Alternative Protocol
     • Exfiltration Over Command and Control Channel
     • Exfiltration Over Other Network Medium
     • Exfiltration Over Physical Medium
     • Scheduled Transfer
     Ref: https://attack.mitre.org/wiki/Exfiltration
  6. Tricks of the trade

     • After you have a foothold in the network:
     • Step 1: Find out which ports are allowed from inside to out
       nmap -sS -Pn open.zorinaq.com
       nmap -sS -Pn portquiz.net
     • Step 2: Choose the protocol over which you want to exfiltrate the data
     • Step 3: Choose the data you want to exfiltrate
     • Step 4: Start exfiltration
  8. Tool of the Trade: Egress-Assess

  9. What does this tool do?

     • It works on a standard client/server model
     • Simulates data exfiltration
     • Exfiltrates data over multiple protocols:
       • HTTP / HTTPS
       • FTP / SFTP
       • ICMP
       • SMB
       • DNS / DNS_Resolved
     • Simulates malware or APT traffic
     • Easy to go ;)
  11. Countermeasures (…some of them)

     • Firewall egress filters
     • Don't blindly trust perimeter security tools, test them!!
     • Monitor the volume and frequency of data transmission by your users over email and other organizational messaging tools.
     • Block unauthorized communication channels
     • Prevent phishing attacks and credential theft
     • Security-aware employees
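One way to implement the "monitor the volume and frequency of data transmission" countermeasure, as an added example that is not part of the deck and not code from Egress-Assess: a sliding-window check over outbound proxy logs that flags a user either for total volume or for many uploads in a short span (the trace left when data is chunked to stay under a per-transfer size limit, the "Data Transfer Size Limits" technique listed above). The log format, field names, sample lines and thresholds are all constructed assumptions.

```python
# Added example (not from the slides): flag users whose outbound volume or
# upload frequency within a time window exceeds a baseline.
# Log format, field names and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "timestamp user dest method bytes_out".
SAMPLE_LOG = """\
2017-10-27T09:00:01 alice crm.example.internal POST 2048
2017-10-27T09:00:15 alice crm.example.internal POST 1900
2017-10-27T09:01:02 bob paste.example POST 700000
2017-10-27T09:01:04 bob paste.example POST 690000
2017-10-27T09:01:06 bob paste.example POST 710000
2017-10-27T09:01:08 bob paste.example POST 695000
2017-10-27T09:01:10 bob paste.example POST 705000
2017-10-27T09:01:12 bob paste.example POST 690000
2017-10-27T09:30:00 carol share.example POST 6000000
"""

def parse(log):
    """Yield (timestamp, user, dest, bytes_out) per log line."""
    for line in log.splitlines():
        ts, user, dest, _method, out = line.split()
        yield datetime.fromisoformat(ts), user, dest, int(out)

def find_suspects(log, window=timedelta(minutes=5),
                  max_bytes=5_000_000, max_count=5):
    """Return {user: reason} for users who, inside any `window`, either send
    more than `max_bytes` in total or make more than `max_count` uploads.
    Many uploads each just under a size limit is the frequency signal that
    a pure volume threshold would miss."""
    events = defaultdict(list)
    for ts, user, _dest, out in parse(log):
        events[user].append((ts, out))
    suspects = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            total = sum(b for _, b in span)
            if total > max_bytes:
                suspects[user] = f"{total} bytes out in {window}"
                break
            if len(span) > max_count:
                suspects[user] = f"{len(span)} uploads in {window}"
                break
    return suspects
```

With the sample data, bob is flagged for six chunked uploads (4.19 MB total, under the volume threshold) and carol for a single 6 MB upload, while alice's small CRM posts pass.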