DocsRelease Notes

Exfilkit Container Task

Suggest Edits

Overview

The exfilkit container task uses HTTPUploadExfil to provide an HTTP and HTTPs file exfiltration server that allows for testing of basic exfiltration techniques. Files that are uploaded to an exfilkit listener are stored in the container task's local shared directory.

The source code for the exfilkit container task is available here: https://github.com/havocsh/havoc-attack-containers/tree/main/exfilkit
The container image for the exfilkit container task is available here: https://gallery.ecr.aws/havoc_sh/exfilkit

Launching an Exfilkit Container Task

To launch an Exfilkit container task as an ECS task within the AWS account of your ./havoc deployment, use the task_startup or run_task command:

task_startup --task_name=<task_name> --task_type=exfilkit --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>

run_task --task_name=<task_name> --task_type=exfilkit --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>

To launch an Exfilkit container task as a remote container task on any system that can run Docker containers, use the docker run command:

sudo docker run -d \
  --name=<container-name> \
  --network host \
  --cap-add SYS_ADMIN \
  -e "LOCAL_IP=$(hostname -I)" \
  -e "CAMPAIGN_ID=<campaign-id>" \
  -e "USER_ID=<campaign-user-id>" \
  -e "TASK_NAME=<task-name>" \
  -e "TASK_CONTEXT=<task-context>" \
  -e "REMOTE_TASK=true" \
  -e "API_KEY=<api-key>" \
  -e "SECRET=<secret>" \
  -e "API_DOMAIN_NAME=<api-domain-name>" \
  -e "API_REGION=<api-region>" \
  public.ecr.aws/havoc_sh/exfilkit:latest \
  /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

Refer to the Usage Through CLI Console and Usage Through SDK pages for more details about the run_task and docker run commands.

Available Commands

These commands are available to be passed as the instruct_command in the instruct_task method call. The sub-bullets under the commands are the arguments for the command that should be passed in the instruct_args parameter. See the Usage Through CLI Console and Usage Through SDK pages for more details on how to use instruct_args.

  • start_http_exfil_server - instruct the exfilkit container task to start an HTTP exfil server on a specified port.
    • listen_port - (Required) the port number the HTTP exfil server should listen on. The listener will automatically use TLS encryption if a certificate has been generated with the cert_gen command.
  • stop_http_exfil_server - stop the running HTTP exfil server.

    Note that the instruct_instance passed with this command has to contain the same value as the instruct_instance that was used with the start_http_exfil_server command.

  • cert_gen - generate a self-signed certificate that can be used with an http listener.
    • subj - the SSL certificate subject to apply to the certificate. The subject value must follow the format expected by openssl's -subj parameter. Specify either subj or domain but not both.
    • domain - the domain to use when requesting a Let's Encrypt certificate (note that the domain must be registered with your ./HAVOC campaign through the create_domain command). Specify either domain or subj but not both.
    • test_cert - indicate whether or not to request a test certificate from Let's Encrypt (True|False).
  • echo - get an arbitrary response from the container task (can be used to check if the container is responsive to commands).
  • sync_from_workspace - download all files from the Campaign's workspace to the local workspace directory on the container task.

    Note that this will overwrite any existing files with the same name in the container task's local workspace.

  • sync_to_workspace - upload all files from the container task's local workspace directory to the Campaign's workspace.

    Note that this will overwrite any existing files with the same name in the Campaign's workspace.

  • download_from_workspace - download a specific file from the Campaign's workspace to the container task's local workspace directory.
    • file_name - the name of the file to be downloaded.

      Note that this will overwrite any existing file with the same name in the container task's local workspace.

  • upload_to_workspace - upload a specific file from the container task's local workspace directory to the Campaign's workspace.
    • file_name - the name of the file to be uploaded.

      Note that this will overwrite any existing file with the same name in the Campaign's workspace.

  • ls - list files of the container task's local shared directory.
  • del - delete a file from the container task's local shared directory.
    • file_name - the name of the file to be deleted.
  • terminate - instruct the container task to shutdown.

Updated 7 months ago