Hack In The Box 2019 - AMS - In & Out: Network Data Exfiltration Techniques

- By Leszek Miś

The "In & Out: Network Data Exfiltration Techniques" training has been officially accepted @ HiTB AMS 2019. Registration is still open.
We are going to have a very intensive 2-day training session about post-exploitation adversary simulation and network data exfiltration techniques.

We had a full class during BruCON 2018 and Hack In The Box in Dubai last year, and have run it many times on-site for the biggest Polish companies, so let's repeat it in Amsterdam!

Check out the list of available lab scenarios, based on my security assessment experience:

  • Overview of automated, ready-to-use detection tests based on MITRE's ATT&CK.
  • Log patterns for critical network services -> generating unseen network events -> log entries based on CVE-2018-15473, CVE-2016-2776, the ns-slapd OOM killer DoS and more.
  • One-liners for bind/reverse shells.
  • Network hops chaining and hiding behind open proxies.
  • Tunneling traffic into internal networks.
  • Hiding and tunneling traffic to external hosts - Domain fronting/web categorization.
  • Obfuscation techniques for Linux, cmd.exe and PowerShell.
  • Cool examples of LOLbins + GTFOs.
  • Bypassing and generating WAF alerts / Out-of-band SQL Injections and more.
  • Malware network patterns - dumping and analyzing malicious PCAP dumps, grabbing IOCs and diving into the sandbox environment.
  • The importance of egress filtering - getting outbound-filtering rules ready for your shellz!
  • Generating stageless and staged payloads in different formats + whitelist bypassing + armoring exe files + sandbox detection.
  • Network and OS artifacts for upgrading the shells and changing the transport on the fly.
  • Request throttling, behavior tuning and profile customization of beacon/shell connections.
  • Local network scanning from the pwned OS/browser through XSS.
  • Looping, port forwarding, pivoting and routing tricks through Meterpreter / Empire sessions.
  • Linux ELF in-memory code execution for generating network events.
  • Setting up a reverse proxy & valid TLS / SSL certificates for your C2.
  • Desktop and camera capturing live.
  • PowerShell file compression / encryption for stolen data.
  • Data exfiltration and tunneling over ICMP.
  • Handy tcpdump / Wireshark tips and tricks during malware investigation.
  • DLP validation through data exfiltration using multiple network channels at once.
  • C2 hidden channels over the clouds.
  • Probing for valid DNS RR, DNS security checks, DNS anomalies, exfiltration, tunneling, and port forwarding.
  • Customizing your own instance of dnscat2.
  • Using emerging network protocols for data leak testing: QUIC, HTTP2, DoH.
  • DGA generators and network traffic artifacts.
  • NTLM Multi-relaying and command execution + BadPDF.
  • Socat tips and tricks.
  • Playing with LDAP as C2 and payload delivery channel.
  • Simulated, automated sending browser exploits.
  • Ship your Empire and Metasploit with Docker +
  • Using post-exploitation modules for lateral movement: smbexec, pth, wmiexec.
  • Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls.
  • HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, QUIC, HTTP2, WebDAV, WebSockets.
  • A combo of text-based steganography and hiding in images.
  • TOR network traffic simulations.
  • P2P network traffic simulations.
  • Network flooding: UDP flood, TCP SYN/FIN/RST/PUSH/ACK flood, ICMP flood, HTTP.
  • An example of DHCP Starvation.
  • Running BF against network services and web apps vs WAF.
  • Simulating and analyzing DNS rebinding.
  • Focusing on the network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire.
  • The world of web shells.
  • Using SMB named pipes for C2.
  • Silver / Golden tickets / Kerberoasting / DCsync / DCShadow.
  • RDP exfiltration.
  • iptables + logging rules as a method of data exfiltration via packet port numbers.
  • Punching holes in your NAT.
  • SSH tunneling tips and tricks.

Clearly, network exfiltration simulation is a very broad topic. It involves a lot of network, OS and application insight, many different layers, a huge number of related but *not-only-exfiltration* oriented techniques and a lot of amazing open source projects to cover. All of that serves one goal: better validation of your security solutions, understanding the current state of your network security posture, finding risks, and identifying network security blind spots and unexpected, uncovered spaces by simulating the network behavior of a real, offensive cyber adversary.

Save the dates: May 7-8, 2019 - Amsterdam

Registration link: https://conference.hitb.org/hitbsecconf2019ams/sessions/2-day-training-2-in-out-network-data-exfiltration-techniques/

Cheers!