Introducing (DET) the Data Exfiltration Toolkit
![Page 1: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/1.jpg)
Introducing DET(Data Exfiltration Toolkit)
Paul Amar - BSides Ljubljana - 09/03/2016
![Page 2: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/2.jpg)
![Page 3: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/3.jpg)
100
![Page 4: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/4.jpg)
![Page 5: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/5.jpg)
General Approach
- TCP
- DNS
- HTTP
- ICMP
- SMTP
![Page 6: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/6.jpg)
![Page 7: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/7.jpg)
![Page 8: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/8.jpg)
![Page 9: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/9.jpg)
![Page 10: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/10.jpg)
![Page 11: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/11.jpg)
HammerToss (July 2015)
![Page 12: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/12.jpg)
What’s available today?
![Page 13: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/13.jpg)
What’s available today?
And many more, created almost every day.
Not kidding.
![Page 14: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/14.jpg)
Current state
- TCP
- DNS
- HTTP
- ICMP
- Twitter DMs
- SMTP (e.g. Gmail)
![Page 15: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/15.jpg)
Introducing DET
![Page 16: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/16.jpg)
Configuration file (JSON format)
![Page 17: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/17.jpg)
File to exfiltrate
![Page 18: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/18.jpg)
Folder to exfiltrate / multi-threaded
![Page 19: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/19.jpg)
Plugin(s) to use
![Page 20: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/20.jpg)
Plugin(s) to exclude
![Page 21: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/21.jpg)
Server mode
![Page 22: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/22.jpg)
Configuration file
List all your plugins and their configuration
![Page 23: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/23.jpg)
Configuration file
Each plugin has its own configuration
(username, pwd, …)
![Page 24: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/24.jpg)
Configuration file
Additional configuration (XOR Key, Sleeping time, …)
![Page 25: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/25.jpg)
Let’s dig a bit (Client-side)
![Page 26: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/26.jpg)
“Registration” phase 1/2
![Page 27: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/27.jpg)
“Registration” phase 2/2
![Page 28: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/28.jpg)
Sending the data 1/2
![Page 29: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/29.jpg)
Sending the data 2/2
![Page 30: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/30.jpg)
“End” phase 1/2
![Page 31: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/31.jpg)
“End” phase 2/2
![Page 32: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/32.jpg)
So, in a few words...
![Page 33: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/33.jpg)
![Page 34: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/34.jpg)
![Page 35: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/35.jpg)
![Page 36: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/36.jpg)
But wait! There’s moar.
![Page 37: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/37.jpg)
Additional plugins (Tor Integration) 1/2
Source: http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-firewall-evasion-and-anonymous-remote-access/
![Page 38: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/38.jpg)
Additional plugins (Tor Integration) 2/2
![Page 39: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/39.jpg)
“Experimental” plugins
![Page 40: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/40.jpg)
![Page 41: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/41.jpg)
What’s next
- Port DET *entirely* to PowerShell (plugin-based, "Empire"-like)
- More plugins!
- Data obfuscation layer using Markov Chains
- https://github.com/bwall/markovobfuscate
![Page 42: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/42.jpg)
![Page 43: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/43.jpg)
![Page 44: Introducing (DET) the Data Exfiltration Toolkit](https://reader033.vdocuments.mx/reader033/viewer/2022050614/5882d7ae1a28abf8388b74f5/html5/thumbnails/44.jpg)
Installation
Get/install it:
- git clone https://github.com/sensepost/DET
- pip install -r requirements --user (install dependencies for the local user)
Client side:
- python det.py -f /etc/passwd -c ./config.json (or PS scripts)
Server side:
- python det.py -L -c ./config.json