Introducing DET [Data Exfiltration Toolkit], presented at BSides Ljubljana 2016

by Paul Amar

Summary: The Data Exfiltration Toolkit (DET) makes the process of exfiltrating data from networks simpler. It supports numerous protocols and techniques, and can use them simultaneously.
Typically, depending on where you are located on a network, different types of traffic restrictions may be in place: either protocol/destination network restrictions or content/application proxy restrictions. Several separate tools and techniques exist to assist in circumventing these restrictions, but most exist as standalone tools, each with different requirements and setup overhead.
DET has numerous plugins that can be used to attempt different egress techniques from the same tool, covering both applications such as Gmail, Skype and Twitter and protocols such as HTTP, DNS, ICMP or even Tor. DET also has a simple plugin architecture that allows for the rapid development of new plugins.
Additionally, DET can make use of multiple techniques simultaneously, chunking the data between them. This removes the need for a single external server and further allows DET to hide extracted data in plain sight. It has been found effective against several DLP solutions.
Moreover, data obfuscation techniques are used, such as Markov chain obfuscation (initiated by Brian Wallace), which makes the data look like proper text. A few other steganography techniques are also being investigated, such as hiding text using common Least Significant Bit (LSB) techniques.
In this talk, Paul will present the concepts behind DET and new ways of exfiltrating data, and release the tool with some live demos (demo god, brace yourself), including the DLP bypasses.