• Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 10 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Get your APT on using social media as a tool for data exfiltration.

sneaky-creeper

Using social media as a tool for data exfiltration.

diagram

Usage

See screep:

  from sneakers import Exfil

  print(Exfil.list_channels())
  print(Exfil.list_encoders())

  channel = "file"
  encoders = ["b64"]

  dataz = "very secret and private message"

  # think of the exfil object like a tube
  # (or some kind of weird socket)
  t = Exfil(channel, encoders)

  t.set_channel_params({'sending': {'filename': 'test.txt'},
                        'receiving': {'filename': 'test.txt'}})

  t.set_encoder_params('b64', {})
  # this isn't actually necessary, just for demonstration

  print(t.channel_config())
  print(t.encoder_config('b64'))

  t.send(dataz)

  print(t.receive())

Setup

Dependencies:

virtuelenv venv && source venv/bin/activate && pip install -r requirements.txt

There have been some odd issues with dependencies due to the way sneaky-creeper dynamically imports modules (the runtime imports tend to ignore virtualenvs). These have been solved in the past by installing modules globally using pip install --user -r requirements.txt, which is a pretty ugly hack. We're working on a better solution. Go ahead and try the above, and if it fails, open an issue so we can take a look.

API Keys:

Twitter:

Instructions are here: http://twython.readthedocs.org/en/latest/usage/starting_out.html

When the instructions are complete, go to the Twitter API page

Examine your access level for Consumer Key and Access Key and be sure they are set to read and write.

  1. If not set to read and write, change the Consumer Key settings to be read and write
  2. Revoke the Access Token
  3. Wait five minutes
  4. Generate a new access token

It should now mimic the access level of the Consumer Key

Tumblr:

Make a Tumblr account and create an app. Then, visit the API console and note down the four strings there; these are your key, secret, token, and token_secret.

Soundcloud:

Make a Soundcloud account and register an app. Visit your apps console and note the strings for Client ID and for the Client Secret. These are for the ID and secret, while your username and password are for the username and password.

Salesforce:

First, set up a Salesforce developer edition account. Define a connected app.Make sure it has full permissions, and don't worry about the callback URL - it won't be used. Once you've successfully defined your app, note down the client_id and client_secret tokens. Lastly, reset your security token and note down its value.

Google Spreadsheets:

Follow the instructions found at http://gspread.readthedocs.io/en/latest/oauth2.html. You can stop noce you've noted down your client_email and private_key. You then need to create a Google Sheet (in the same account you just authorized!), and note down its title, then share it (using Google's share feature) with the email account you noted down as client_email.

Tests

source venv/bin/activate && nosetests will run all the tests. Note that this will leave random junk on some of the channels you have set up - you've been warned! Credentials for these tests should go in sneakers/config/ - there's another readme there to help you out.

More Repositories

1

pushpin-web

Monitor geotagged social media from multiple platforms in real time.
JavaScript
75
star
2

practical-malware-analysis

Working through Practical Malware Analysis from No Starch Press
13
star
3

hamming-stego

Use Hamming codes to error correct steganographically encoded data.
Python
8
star
4

strava-scraper

Scrape Strava for great glory
Python
7
star
5

particle-filter

A particle filter. Go figure!
Python
7
star
6

multicat

PoC RAT using the sneaky-creeper data exfiltration library
Python
3
star
7

burner-phone-challenge

Can you identify a burner phone from a stream of (fake) AT&T Hemisphere data?
Jupyter Notebook
3
star
8

cors-test-server

A simple little server to play around with and better understand various CORS configurations.
HTML
3
star
9

robot-street-signs

Building a Neato that can recognize and obey simple street signs.
Python
2
star
10

mailgraph

Build a GEFX graph file of who has sent mail to whom.
Python
2
star
11

motor-encoder

Encoder and simple controls setup for a small, cheap DC motor.
Arduino
1
star
12

tweeter-seeker

Easily build graph databases of Twitter data.
Python
1
star
13

kcl-course-scheduling

Scrape the King's College London timetables and determine which classes you can take.
Python
1
star
14

dotfiles

One script to set up my environment with vim, bash, git, etc.
Vim Script
1
star
15

strava-analysis

Analyzing data scraped from Strava
Jupyter Notebook
1
star
16

3d-scanner

3D scanner using an infrared distance sensor and two servos.
Arduino
1
star
17

honeybadger-red

PHP
1
star
18

honeybadger-java-agent

A Java applet geolocation agent for Honeybadger (https://github.com/lanmaster53/honeybadger)
Java
1
star
19

strava-search-engine

Search through a database created using https://github.com/dakotanelson/strava-scraper/
JavaScript
1
star