A common way of getting tools onto a machine, or exfiltrating data from it, is to encode the file in some way and paste it in or out through the session you already have, with something like xxd or base64. That way you don't have to open up yet another channel in or out: an outbound wget, or an scp in either direction, runs the risk of tripping more IDS than the shell you are already sitting in.
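As an added example (not from the original post), here is the base64 paste trick done carefully: the sender wraps the file in markers with its SHA-256, the receiver pastes that text into a file, decodes only what sits between the markers, strips whitespace and carriage returns that terminals tend to inject, and checks the hash. It assumes a POSIX sh with base64, fold and either sha256sum (GNU) or shasum (macOS/BSD); the file names are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# pack:   print a file as framed, 76-column base64 ready to paste into a terminal.
# unpack: read the pasted text back, decode it and verify the embedded SHA-256.
# Assumes base64, fold and sha256sum or shasum are available.
set -eu

sha256_of() {
    # Portable digest: GNU coreutils ships sha256sum, macOS/BSD ship shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sender side. The header carries the original name and digest so the
# receiver can check integrity; wrapping at 76 columns keeps lines short
# enough to survive terminal line wrapping and scrollback. The command
# substitution drops base64's trailing newline so the END marker lands on
# its own line regardless of which base64 implementation is in use.
pack() {
    f="$1"
    echo "-----BEGIN PASTE $(basename "$f") $(sha256_of "$f")-----"
    printf '%s\n' "$(base64 "$f" | tr -d '\n' | fold -w 76)"
    echo "-----END PASTE-----"
}

# Receiver side: $1 is the file the paste was captured into, $2 the output.
# Returns 0 only if the decoded file matches the digest in the header.
unpack() {
    paste="$1"; out="$2"
    hdr=$(grep '^-----BEGIN PASTE ' "$paste" | head -n 1)
    expected=${hdr##* }          # last space-separated field: "<hex>-----"
    expected=${expected%-----}   # strip the closing dashes
    sed -n '/^-----BEGIN PASTE /,/^-----END PASTE-----$/p' "$paste" \
        | sed '1d;$d' \
        | tr -d ' \r\n' \
        | base64 -d > "$out"
    actual=$(sha256_of "$out")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "integrity check failed for $out" >&2
    return 1
}
```

Usage: on the source host run `pack ./tool > /dev/tty` (or just `pack ./tool`), copy the framed block from the terminal, paste it into a file on the other side and run `unpack paste.txt tool`. The hash check matters more than it looks: a dropped line or a terminal that folds long lines will still decode to something, just not the file you sent.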
So from seeing @phreakocious be a network engineer and do cool things with zmodem, it got me thinking. I would totally exfil via zmodem (as it's way better than xmodem and kermit!). There's a bunch of people already doing this in iTerm2 on OS X, so it's useful in general, but I've never heard of it being used for this. No, no one say SCADA because it uses modems.
Because it's your terminal doing the parsing, you don't need to worry too much about the quality of your shell: the zmodem frames are just bytes on the same stream as everything else, so a raw netcat connection is adequate, and a proper ssh or serial session works no differently.
The saving grace here is that 'rz' and 'sz' are never used any more, because it's 2014. So them being run at all, if they're even installed, is a strong signal that something is up. But a fun hack.
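That "strong signal" is easy to turn into a detection. As an added example (not from the original post), the script below pulls zmodem transfers out of auditd EXECVE records, matching rz/sz and their lrzsz names lrz/lsz whether invoked bare or by full path, and tags each as inbound (rz) or outbound (sz). It assumes execve auditing is enabled (for example `auditctl -a exit,always -F arch=b64 -S execve`); the log lines are constructed for illustration and the simple field splitting does not handle arguments auditd hex-encodes because they contain spaces.

```shell
#!/bin/sh
# Added example, not from the original post: flag rz/sz/lrz/lsz executions in
# auditd EXECVE records. The sample log below is constructed, not captured.
set -eu

# Constructed sample: a harmless ls, sz of a sensitive file, lsz of a tarball,
# a base64 decode for contrast, a bare rz, and sz invoked by full path.
SAMPLE_LOG='type=EXECVE msg=audit(1396000000.101:201): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1396000000.102:202): argc=2 a0="sz" a1="/etc/shadow"
type=EXECVE msg=audit(1396000000.103:203): argc=3 a0="lsz" a1="-b" a2="/tmp/loot.tgz"
type=EXECVE msg=audit(1396000000.104:204): argc=2 a0="base64" a1="-d"
type=EXECVE msg=audit(1396000000.105:205): argc=1 a0="rz"
type=EXECVE msg=audit(1396000000.106:206): argc=2 a0="/usr/bin/sz" a1="id_rsa"'

# Reads EXECVE records on stdin; prints "<event id> <program> <direction> <args>"
# for every execution whose a0 basename is rz, sz, lrz or lsz.
find_zmodem() {
    awk '
        /^type=EXECVE/ {
            prog = ""; args = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^a0="/) {
                    prog = $i; sub(/^a0="/, "", prog); sub(/"$/, "", prog)
                } else if ($i ~ /^a[1-9][0-9]*="/) {
                    a = $i; sub(/^a[0-9]+="/, "", a); sub(/"$/, "", a)
                    args = args " " a
                }
            }
            base = prog; sub(/.*\//, "", base)      # /usr/bin/sz -> sz
            if (base ~ /^l?[rs]z$/) {
                id = $2                             # msg=audit(ts:serial):
                sub(/\):$/, "", id); sub(/.*:/, "", id)
                dir = (base ~ /^l?sz$/) ? "OUTBOUND" : "INBOUND"
                print id, base, dir args
            }
        }'
}

# Convenience wrapper over the constructed sample: number of transfers seen.
count_zmodem() {
    printf '%s\n' "$SAMPLE_LOG" | find_zmodem | wc -l | tr -d ' '
}
```

On a real box you would feed it `ausearch -i` output or the raw audit.log, and the same idea ports to any EDR that records process execution: the process name is the whole signature, because nothing legitimate on a 2014 server spawns sz.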
“If they think you’re crude, go technical; if they think you’re technical, go crude. I’m a very technical boy.”