forked from ytisf/PyExfil

A couple of beta stage tools for data exfiltration


chubbymaggie/PyExfil

 
 


PyExfil

Abstract

This started as a PoC project but has later turned into something a bit more. Currently it's an Alpha-Alpha stage package, not yet tested (and will appreciate any feedback and commits), designed to show several techniques of data exfiltration in real-world scenarios. The package currently supports the following techniques:

  • DNS query.
  • HTTP Cookie.
  • ICMP (8).
  • NTP requests.
  • BGP Open.

The package is still not really usable and will produce multiple issues. Please wait for a more reliable version to come along. You can track changes at the official GitHub page. The release of Symantec's Regin research was the initiator of this module. It is inspired by some of the features of Regin. Go read about it :)

Techniques

DNS

This allows establishing a listener on a DNS server to grab incoming DNS queries. It then harvests them for files exfiltrated by the client. It does not yet allow simultaneous connections and transfers. DNS packets will look good to most listeners; Wireshark and tcpdump (the ones that have been tested) show a normal packet and not a 'malformed packet' or anything like that.

HTTP Cookie

Exfiltration of files over the HTTP protocol, carried in the Cookie field. The strong advantage of this is that the cookie field is supposed to be random noise to any listener in the middle and is therefore very difficult to filter.

ICMP

Uses ICMP type 8 packets (echo request) and adds a file payload to them. It reimplements ICMP ping requests, and some sniffers are known to capture them as malformed packets. Wireshark currently displays them as normal packets.
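
A defender-side check for the ICMP technique described above, as an added example that is not part of PyExfil: it verifies each echo request's checksum and flags sources whose payload changes from packet to packet, since an ordinary ping repeats one fill pattern. The 16-byte timestamp allowance, the thresholds, and the sample addresses and payloads are assumptions made for illustration.

```python
import struct
from collections import defaultdict

ECHO_REQUEST = 8   # ICMP type 8, as named in the section above
TS_BYTES = 16      # assumption: leading bytes a ping client may use for a timestamp

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 over a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request in memory for the constructed sample below."""
    head = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload

def review(packets, max_variants=2, max_len=64):
    """packets: (src, icmp_bytes) pairs. Returns {src: [reasons]} for flagged sources."""
    tails, findings = defaultdict(set), defaultdict(set)
    for src, raw in packets:
        if len(raw) < 8 or raw[0] != ECHO_REQUEST:
            continue
        payload = raw[8:]
        if inet_checksum(raw) != 0:
            findings[src].add("bad checksum")
        if len(payload) > max_len:
            findings[src].add("oversized payload")
        tails[src].add(payload[TS_BYTES:])  # ignore the timestamp area
    for src, seen in tails.items():
        if len(seen) > max_variants:  # a normal ping repeats one fill pattern
            findings[src].add("payload changes per packet")
    return {src: sorted(reasons) for src, reasons in findings.items()}

def sample_packets():
    """Constructed traffic: addresses, ids and payloads are made up."""
    fill = bytes(range(16, 56))
    pkts = [("10.0.0.5", build_echo(1, s, bytes([s]) * 16 + fill)) for s in range(4)]
    pkts += [("10.0.0.9", build_echo(2, s, bytes([65 + s]) * 48)) for s in range(5)]
    bad = bytearray(build_echo(3, 0, fill))
    bad[2] ^= 0xFF  # corrupt the checksum field
    return pkts + [("10.0.0.7", bytes(bad))]

if __name__ == "__main__":
    print(review(sample_packets()))
```

A failed checksum is one reason a sniffer may label a hand-built echo request as malformed; the per-source payload comparison still applies when the checksum is correct.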

Future Stuff

Version Alpha

  • Check why HTTP Cookie exfiltration keeps failing CRC checks. (Fixed in patch #7 by Sheksa)
  • Add NTP exfiltration. (Thanks to barachy for the idea)
  • Complete NTP listener.
  • BGP Data exfiltration + listener.
  • Write proper documentation.
  • Fix that poorly written setup.py.
  • More QA needed and fast!

Version Beta

  • Enable simultaneous support for all data exfiltration methods.
  • Translate module to C Windows.
  • Translate module to C Linux.
  • Get a damn logo :)

Thanks

Thanks Wireshark for your awesome wiki and tool. Especially packet dumps. Thanks to barachy and AM for ideas on protocols to use.
