This is a POC of deta exfiltration on port 80, using python , taking some measurs to obfuscate.
Common fiulds for client and server are in single configuration file.
- Having massage on file (can be set of files).
- Creating a 32 bytes key.
- Saving key on file.
- Creating a 16 bytes IV.
- Encrypting with AES EAX the message using the key and IV.
- Encoding IV to base64.
- Getting hash of base64 message sum (sha256)
- Splitting message to random length of strings and adding numerator for each string.
- Encoding each munbered pached to base64.
- Sending b64 IV with random phrase header to server.
- Sending each packet with random phrase header to server.
- Sleeping for random time (from 1 to 3 sec)
- Sending b64 check hash with closing phrase header to server.
- Listening on port 80 and whaiting for start signal.
- Start recording data when found a phrase from random fuild prases in packet hedear.
- Recording all data until close phrase in packet header.
- Sending 200 response when getting packets
- puting packets in dict, spliting numerators and sorting by keys.
- Extracting IV and checksum from dict and decoding from base64.
- Combining dict to string.
- Getting hash of base64 message sum (sha256) and comparing to one from client.
- If OK, decoding message from base64.
- Reading key from file
- Decrypting message using key and IV.
- DONE !
- Modify server IP address on client sctipt.
- Modify sending message file (or create a script for all .docx files).
- Run server script on C2 computer.
- Generated key from client need to be shared with server.
- Run client script on dedicated computer.
- Client side - send packets on computer HTTP requests to obfuscate trafic.
- C2 server to generate random key, client will ask for key to encrypt data.
- Use HTTPS communication.