# Protected File Transfers

### 🔐 Protected File Transfers – Doing It the Right Way

As **penetration testers**, we often deal with sensitive data:

* 🧑‍🤝‍🧑 User credentials
* 🗃️ Domain enumeration data
* 🛠️ Artifacts like `NTDS.dit`, `LSASS` dumps, and scan logs

It’s **critical** that we **encrypt** anything we extract — both to protect clients and our own reputation. A simple oversight (like exfiltrating in plaintext) can lead to **serious consequences**. 🚨

***

### 🧠 Pro Tip

If your goal is **DLP testing**, use **dummy data** that mimics sensitive content. Never transfer real **PII, credentials, or trade secrets** unless authorized.

***

## 🪟 File Encryption on Windows

#### 🔒 [Invoke-AESEncryption.ps1](https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions/Invoke-AESEncryption.ps1)

A lightweight and powerful **PowerShell script** that encrypts/decrypts:

* 🔐 Strings
* 📄 Files

***

#### 📥 Importing the Script

```powershell
Import-Module .\Invoke-AESEncryption.ps1
```

After that, you can use it like any other cmdlet. ✅

***

#### 📦 Usage Examples

**1️⃣ Encrypt a String (Base64 output)**

```powershell
Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Text "Secret Text"
```

**2️⃣ Decrypt a String**

```powershell
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Text "<Base64-String>"
```

**3️⃣ Encrypt a File**

```powershell
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt
```

🔄 Output: `scan-results.txt.aes`

**4️⃣ Decrypt a File**

```powershell
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\scan-results.txt.aes
```

***

## 🐧 File Encryption on Linux

#### 🔒 OpenSSL Encryption

OpenSSL ships with most Linux distros and lets you encrypt files with AES-256 💪

**🔐 Encrypt a File**

```bash
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
```

You’ll be prompted to enter a password 🔑

***

**🔓 Decrypt a File**

```bash
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
```

The same password is required to decrypt.

***

#### 🛡️ Security Best Practices

* ✅ Use **strong, unique passwords** for each engagement
* ❌ Avoid using the **same encryption key** across clients
* ⚠️ If encryption is not an option, **do not exfil** highly sensitive files
* 💬 Communicate encryption methods clearly in your report
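
The sketch below is an added example, not part of the original notes. It wraps the `openssl enc` commands above with a random per-engagement passphrase file and a SHA-256 of the ciphertext, because `openssl enc` with AES-256-CBC does not detect modification or truncation on its own. The function names, file names and the `.sha256` sidecar are assumptions.

```shell
#!/bin/sh
# Added example: per-engagement passphrase + openssl enc + ciphertext hash.
# All function and file names here are hypothetical.

# Create a random passphrase file for ONE engagement (never reuse across clients).
new_engagement_key() {
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Encrypt file $2 to $2.enc using the passphrase stored in $1,
# then record the ciphertext hash in $2.enc.sha256.
# -pass file: keeps the passphrase out of the process list and shell history.
protect_file() {
    keyfile="$1"; in="$2"
    openssl enc -aes256 -iter 100000 -pbkdf2 \
        -pass "file:$keyfile" -in "$in" -out "$in.enc" || return 1
    sha256_of "$in.enc" > "$in.enc.sha256"
}

# Verify the ciphertext hash first, then decrypt $2 into $3.
# Returns non-zero if the file changed in transit or decryption fails.
recover_file() {
    keyfile="$1"; enc="$2"; out="$3"
    [ "$(sha256_of "$enc")" = "$(cat "$enc.sha256")" ] || return 1
    openssl enc -d -aes256 -iter 100000 -pbkdf2 \
        -pass "file:$keyfile" -in "$enc" -out "$out"
}

# Usage (constructed names):
#   new_engagement_key client-a.key
#   protect_file  client-a.key scan-results.txt
#   recover_file  client-a.key scan-results.txt.enc scan-results.txt
```

The hash is unkeyed, so it only proves integrity if the `.sha256` file and the passphrase file reach the recipient over a different channel than the ciphertext.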

***

### 🧳 Transfer Tips

Once encrypted, you can safely transfer files using:

* ✅ HTTPS
* ✅ SFTP
* ✅ SCP/SSH
* ✅ Encrypted tunnels

❌ Avoid: Plain HTTP, SMB, FTP unless you're **testing insecure protocols**

***
