Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control.
To prevent this from occuring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, often these are expensive and rarely work as expected. With this in mind, I created the Data Exfiltration Toolkit (DET) to help both penetration testers testing deployed security devices and those admins who’ve installed and configured them, to ensure they are working as expected and detecting when sensitive data is leaving the network.
What is DET?
DET aims to provide a framework to assist with exfiltrating data using either one or several channels.
Social media has become extremely popular in recent attacks such as HammerToss, campaign uncovered by FireEye in July 2015.
Several tools are also publicly available allowing you to remotely access computers through “legitimate” services such as Gmail (GCat) or Twitter (Twittor).
Artturi Lehtiö, from F-Secure presented “C&C as a service” which explained how malware authors abuse legitimate third party services in malware campaigns. As a result of this, DET was born.
How does it work?
The idea was to create a generic framework that would allow you to implement any kind of protocol/service. Essentially, if we go back to the root of exfiltrating data, we can consider only two steps: Sending data, and receiving it.
All plugins follow this same architecture and should provide both capabilities.
Since the initial release, we’ve had a few changes made and as a result, a host of new features have been integrated. One of the cooler ones was AES encryption thanks to Ryan O’Horo (Cheers for your contributions!)
DET in action
Here are some videos that show DET in action:
Retrieving files (server-side) using ICMP channel:
Retrieving files (server-side) using combined channels (Twitter + Gmail):
Where can I download DET from?
You can find out more about DET, and do a git clone, over at https://github.com/sensepost/det
The slides for my talk at BSides Ljubljana, in Slovenia can be found here
Happy hacking!