sneaky-creeper
Using social media as a tool for data exfiltration.
Usage
See screep
:
from sneakers import Exfil
print(Exfil.list_channels())
print(Exfil.list_encoders())
channel = "file"
encoders = ["b64"]
dataz = "very secret and private message"
# think of the exfil object like a tube
# (or some kind of weird socket)
t = Exfil(channel, encoders)
t.set_channel_params({'sending': {'filename': 'test.txt'},
'receiving': {'filename': 'test.txt'}})
t.set_encoder_params('b64', {})
# this isn't actually necessary, just for demonstration
print(t.channel_config())
print(t.encoder_config('b64'))
t.send(dataz)
print(t.receive())
Setup
Dependencies:
virtuelenv venv && source venv/bin/activate && pip install -r requirements.txt
There have been some odd issues with dependencies due to the way sneaky-creeper dynamically imports modules (the runtime imports tend to ignore virtualenvs). These have been solved in the past by installing modules globally using pip install --user -r requirements.txt
, which is a pretty ugly hack. We're working on a better solution. Go ahead and try the above, and if it fails, open an issue so we can take a look.
API Keys:
Twitter:
Instructions are here: http://twython.readthedocs.org/en/latest/usage/starting_out.html
When the instructions are complete, go to the Twitter API page
Examine your access level for Consumer Key and Access Key and be sure they are set to read and write.
- If not set to read and write, change the Consumer Key settings to be read and write
- Revoke the Access Token
- Wait five minutes
- Generate a new access token
It should now mimic the access level of the Consumer Key
Tumblr:
Make a Tumblr account and create an app. Then, visit the API console and note down the four strings there; these are your key
, secret
, token
, and token_secret
.
Soundcloud:
Make a Soundcloud account and register an app. Visit your apps console and note the strings for Client ID and for the Client Secret. These are for the ID
and secret
, while your username and password are for the username
and password
.
Salesforce:
First, set up a Salesforce developer edition account. Define a connected app.Make sure it has full permissions, and don't worry about the callback URL - it won't be used. Once you've successfully defined your app, note down the client_id
and client_secret
tokens. Lastly, reset your security token and note down its value.
Google Spreadsheets:
Follow the instructions found at http://gspread.readthedocs.io/en/latest/oauth2.html. You can stop noce you've noted down your client_email
and private_key
. You then need to create a Google Sheet (in the same account you just authorized!), and note down its title, then share it (using Google's share feature) with the email account you noted down as client_email
.
Tests
source venv/bin/activate && nosetests
will run all the tests. Note that this will leave random junk on some of the channels you have set up - you've been warned! Credentials for these tests should go in sneakers/config/
- there's another readme there to help you out.