So, if you're in here, this is the esoteric exfiltration talk. If you're looking for the other one, it's probably in a different room, so this is me. I'm Willa Riggins. I'm a senior penetration tester from Veracode, a member of the FamiLAB hackerspace down in Orlando. I'm the DC407 point of contact. I just, I do a lot of things, OWASP and B-Sides, but really, if you look at my Twitter, I just retweet cats. That's really all I do. All right.

So, Exfil 101. How many of you are familiar with exfiltration at all? Anybody in the room? Awesome. So it's the know-it-all crowd. So for those who aren't in the know, data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location that the threat actor controls. That's from a Trend Micro article, but basically that threat actor control is kind of our wishy-washy term here. What is that? Like, that could be their server, could be their social media account, could be their Dropbox, could be anything, right? So why do you care? Data loss costs you money and your sanity. If anybody's ever worked incident response, it sucks when you lose stuff. If you've ever found, like, creds on Pastebin that had your name in it, that sucks. So anyway. Back in 2012, Reddit NetSec, anybody follow NetSec on Reddit? Yes. Okay. So I did a survey back in 2012, and 82% of the folks who replied said, hey, this stuff is important. It means a lot to us and our networks and our money and our companies.

So let's talk a little bit about covert channels and where to find them. And this is kind of where the meat of the talk is going to be, because I've done all this stuff, I've done the research, I've gotten caught. And the getting caught stuff is kind of the most exciting part, because then you learned how not to do that. So the first thing is mask your traffic with normal usage patterns.
So if you know a company uses, you know, social media or their own web traffic, are they using protocols for their everyday business, like FTP or like, you know, everybody uses HTTP or HTTPS. Some folks have RDP open. Just knowing that stuff is really important, because then you can kind of build a model of what does a normal employee's traffic look like, and how can I look like that? High data and known safe payloads, so known safe, right? Status updates to Facebook or Twitter, that kind of stuff looks innocuous, right? You probably post like five tweets every minute. That's, you know, that's a lot of data. That's 140 characters times five. Not a huge amount of throughput there, but it's still cool. Like you could do something with that. Same with HTTP posts. How many ASP.NET devs do we have in the room? Yeah. How many of you hate the view state, because it's two meg? Yeah. That's two meg of data, every single request that you could send out, and you know, no one's going to notice it. It's just gone. Encode it, base64, like view state. Put it in a form and just submit it to whatever web server. That's a meg, you know, every single request, it's gone.

The other thing is stay quiet, you know, stay within a normal payload size, like that two meg view state. Don't try and upload 36 gig to Twitter, don't. We've done this. It's not fun. Don't try to do that. You'll get rate limited. People will be like, what the hell is this? Like why are there all these tweets with random data in it? Facebook will probably get really angry if I did that. It's important to realize that not only are you going to get caught by other people seeing that you're posting on this crap, but also it's going to throw a flag on whatever egress is there. So if there's a firewall or an app firewall, they're going to see a spike in traffic and go, what is that? What device did it come from?
And that's one way you're definitely going to get caught if you send 36 gig of data over one channel from one device all at the same time. So yeah, definitely stay quiet and set your payload sizes based on what the channel is. So Twitter obviously has 140 characters. You kind of limit it there. DNS is even smaller. DNS as an exfil method kind of sucks. Facebook gives you a lot more leeway. But there's a lot of management involved with that. But we'll talk about that a little bit later. And encoding, encrypting your data. So depending on who you're doing this for or why you're doing it, you might not want people to know that you stole that data, right? You don't want them to know. You don't want them to Google and be like, why is my name in this weird Twitter stream of binary data? Why is it in there? Because they'll trace it back, figure it out, contact Twitter, which will take a long time. They'll get back and they'll be like, oh, it's this device. It's uploading all this crap from your server. You just want to make sure that people can't find it. There's a really cool tool called Cloakify by one of our other attendees who might be here that basically does DLP avoidance. That's a really cool thing that you can use that to kind of transform the data before you send it out.

So talking about transport, right? We talked a little bit about why you do the things the way you do them, but let's talk about specific examples. So on the transport layer, you have network protocols. So we can do point-to-point stuff with HTTP. We can do Telnet, Netcat, all that stuff. Third-party drops like Dropbox or putting it on Facebook or anything like that. That's kind of taking the threat actor control to a third party and then getting it relayed down to another device. So those are cool because it's kind of like a dead drop.
And then go into the airwaves, which is something I really wanted to show off today, but I am a terrible, I didn't sacrifice enough things to the demo gods and my demo doesn't work and when the radios I brought don't work. So I will be having to contact SparkFun and figure out what to do there.

So network protocols. The obvious stuff, HTTP, SSH, Netcat. I mean if you can get out with that stuff, by all means use it. Like that's the easiest low-hanging fruit. You're gonna get out, that's fine. And by the time anyone notices you did what you did, as long as you've throttled it and hidden like you're supposed to, no one's gonna notice. You can get all this stuff out. Now if you have a company with a really awesome SOC who is going to bust you within like 10 minutes of you doing the thing that you did, maybe you should hide in something else. Like we talked a little bit about RDP. If that's a normal part of your business, you know RDP into another machine, map the drive and exfil data that way. It's super easy, you don't need a tool to do it. And no one's gonna really notice until later when they're like why is this RDP session using so much data? So that sort of stuff is really interesting. There's some other stuff where like if they use a specific proprietary protocol, I won't name any, but you can basically hide data in that by munging the protocol. So if there's a request that like lists files or something, you could make it so that instead of listing a directory, it lists a base64 of the data you're exfilling. You could do some really cool stuff with that. So that's kind of the discreet way of doing that data on the wire stuff.

Third-party drops, obvious stuff is any file sharing service that will let you upload the size of data that you have. Again, you probably wanna throttle it. And these are typically blocked at some proxy level or an egress firewall.
Like if these are available to you, yeah, that's like exfil's done, we don't need, we have another problem, right? But Pastebin, how many of you have Pastebin at work? Can you get to Pastebin? See, yeah, that's not a lot of hands. That's awesome. So we've blocked Pastebin. What else is out there that you could use? Like there's like 12 other services that do exactly the same thing and they're probably unblocked, right? So doing it discreetly, right? We can use Flickr, Imgur and do stego, put it inside of a picture of a squirrel. Done that, that's awesome. Those two services in particular will let you upload things that are completely lossless. So you upload it and you can download it and all your stego data is there. There's simple Python libraries that do all that stuff. The APIs change constantly, but if you keep up with it, I mean, you can exfil data that way and when it goes out the firewall, it looks like you're uploading squirrel pictures, which is super weird, but nobody's ever gonna ask you why.

So Twitter and Facebook, I put Twitter in the same category as DNS. I kind of hate it as an exfil method because 140 characters is just too slow and by the time you get any meaningful amount of data out that wall, I mean, it's just, you're gonna have to recompile it and get it all down and it's just no fun. Facebook though, Facebook has this really cool thing called groups. Anybody in a Facebook group? Where's the moms in the room? Cause I'm in like 12. Okay, so Facebook groups let you upload files and it is in the API to let you actually upload files into Facebook groups. So I create a fake Facebook account. I create a group with just me in it and I upload a bunch of files and totally do that, right? And most of you at work, Facebook's unblocked. I know the Army does that. I know a lot of the DoD companies do that because it's required for business theory. So you can't block Facebook, can't block Twitter, can't block all these services that I have to use for business.
So I'll abuse them and exfil data. It's cool.

So kind of getting past that and doing the airwave stuff. A lot of folks think about this in the TEMPEST realm, right? We talk about you have a room with a Faraday cage on it, you're not gonna get anything out of that room. We've seen talks where they've done fans where you spin the fan at the right oscillation and you can exfil data that way. I don't know anyone who's done that on a pen test. Has anybody actually done that? Like TEMPEST attacks for exfil on a pen test where you have two days of sleep and you really don't have the time to set that up? Yeah, you can't do that. That's too much effort for low return. But what if you had a device you could just plug in to a USB port onsite? You broke and entered with your lock picks and your little door tool and you shimmied in. You just plug the tool in the back of the machine and that was it. No Wi-Fi antenna, no like HID device, just a USB serial UART that you plug in and all of a sudden you had a remote connection. You could do a lot with that. You could write code and do all kinds of fun stuff or you could just stream data over it, serial out and the XBee radios that I have are like 28 mile range. They do mesh. I have them in my hotel room. If anyone wants to see them, I'll bring them. I just need breakout boards that don't suck. But the cool thing with that is you could build a mesh network that went all the way up the strip and the chances of anyone being able to triangulate each and every node by the time you were done exfilling data is extremely low and these things cost like, I think the series that I'm using, they're like 70 bucks. You can get one mile range ones for like 40. So they're kind of like throwaway pentest devices. Just strap it to the back of a Teensy, plug it in, walk away.

Ham radio stuff, you could do APRS, right? Any hands in the room, APRS messaging. It's totally illegal, don't do it. But you could technically exfil over APRS, right?
Cause it's just text. It's just text data, it's digital. I could just say, hey, my truck is here, my truck is here, my truck is in Japan, my truck is here. And you could use that to exfil data. And the cool thing with that one is that you can repeat it with internet repeaters and stuff like that. You don't even have to be in the country. You could just exfil with that.

And then lasers. How many people are fans of lasers? So basically use the laser mic technique that everybody knows about. Everybody don't know about the laser mic thing. You aim the laser at the glass. You feel the vibrations from the glass. And you read it digitally by reflecting it off something. Do that with data, why not, right? I mean, that stuff's insane and totally out of the scope of pentest, but it sounds really cool, so let's put it in the slide.

So all this stuff is about attacking and breaking stuff, but what does the blue team say about all this stuff, right? What do you do? You can't block Facebook, you can't block Twitter. So what the hell are you gonna do? So we can block endpoints. We can block individual malware endpoints. We can block some stuff by URI or IP, right? So every time I stand up a fake service with Pastebin code on it, you block it. Fine, whatever. I can block egress at the firewall by the protocol or application firewall or whatever. I can just shut that down. Whatever the hell you're doing, I'll just block it. You can try to detect anomalies in payload size. So look at the frequency, look at, hey, why is this machine turning on at three in the morning, getting on Facebook and uploading six gig of data? Like why is that happening? That doesn't make any sense. You can look for that stuff and that's cool. And you can block USB devices by class or device ID. Now none of that stuff works. Unfortunately, blacklists just don't work.
If you've got a proxy at your company, I won't name names, but a lot of them, like you can stand up a new website, categorize it, get it approved through the proxy service, and it's good to go in 48 hours. So you can stand up your malicious website that looks like a My Little Pony fan site, which is awesome, and then have a slash exfil and just exfil data to that. Like just use your Apache logs, just whatever, it doesn't matter, just stream data out. People think you just really like My Little Pony and that's fine, please don't access that at work. That's as far as the conversation goes. Cool.

We can disrupt normal business if we start blocking stuff. So Facebook, Twitter, Dropbox, a lot of companies use that for large file transfers anyway, but if they have to use it, I can use it. And that's kind of like, Moxie Marlinspike talks about the scope of choice with Google and the Facebook and TIA, and how you can't really not use Facebook if you wanna be friends with everyone, right? So the choice is then, do I interact with people or do I just not participate? And that's what we wanna force people to do as attackers is to decide between making money and preventing my exfil. And there's kind of a balance there, and it's for companies to kind of figure out what's more risky. And context is critical but difficult to automate. You can't, like you can do deep packet inspection, it's awesome, right? DPI can do all kinds of fun things, but if it's inside a squirrel picture and stegoed and all this other stuff, like good luck telling your system to do that. You might have the data in a PCAP somewhere, that's fine. But if you're gonna take my 40,000 squirrel pictures and somehow decode them all, you should go play DEF CON CTF.

USB device IDs, those don't work. There's a lot of manufacturers that are just repeating the same ID for whatever the hell it is. And it's, each of those costs money.
So why would they pay for a USB device ID for a crappy mouse you bought down the street? Like, they're not gonna do that. So if you try to block it by device ID, it's just not gonna work.

So, weaponizing squirrels. Squirrel's the name of a tool, a tool that's not ready today, because I suck at everything. It's a Python 2.7 based application. It'll be MIT licensed. You'll be able to download it, do whatever you want with it, munch it, take it apart, steal code, I don't care. The whole point is that you'll be able to do exfil and it'll be easy. So it's extensible via simple module based plugins. So all you have to do is write a little bit of a base code for your module for your exfil channel. And all the, like, taking the file and chunking it up, all that's taken care of, all the logging, all the stuff you don't wanna care about is done. All you have to do is write a send and receive. And so you can put this on the box that you've pwned, execute it with the CLI and exfil. That's it, that's all you have to do.

So this is what it looks like when you execute it. Right now it just has a, you put the filename in the channel you wanna use and then a settings collection. And all the channels are documented to show what the settings are. Like for Imgur, which is one of the examples I used, you can put in your secret client ID and then that's all you really need for that one to exfil. So, cool. And that's what the tool, the module looks like. It's really hard to read on the screen. So they told me this was a four by three projector. But apparently I have tons more space. But if you can see that at all, all this stuff is just metadata, saying what the hell is this thing, how big can my chunks be and, you know, what does it do? And the rest of it is just send and receive. And all you have to do is write send and receive and it'll work. So this is the URL that the code will be available at as soon as I stop being sick and my family stops like almost dying.
You'll be able to download the code at that URL. Obviously it's not available today. But closing stuff, stuff I wanna do. Additional modules, obviously, because the demo is not done, it should work. Executable payload generation with PyInstaller. So doing kind of an msfvenom thing. Do an MSF post module, long range hardware. Get with the Cloakify guy and shove that stuff into my code and customize timing. All these people are super awesome because they've contributed in some way to me actually getting this done. Slash me being here. Veracode especially. And B-Sides, DC407 and FamiLAB and all those cool people. And thank you. That's kind of the talk.
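The blue-team part of the talk says the detection that is actually worth trying is looking at anomalies in payload size and frequency, the "machine turning on at three in the morning, getting on Facebook and uploading six gig" case, rather than blacklisting endpoints. The following is an added example, not code from the talk or from the Squirrel tool: a small Python detector run over constructed proxy-log lines. The log format (ISO timestamp, host, destination, bytes out), the hostnames, the business-hours window and the thresholds are all assumptions to be tuned per site. It flags two things per host: single uploads above a floor outside business hours, and any hour whose upload volume is far above that host's own median hourly volume.

```python
"""Egress anomaly detection over proxy/firewall logs (added example).

Two checks a defender can run over per-host upload logs:
  1. bulk uploads outside business hours (the "3 a.m. Facebook upload" case);
  2. an hour whose outbound volume dwarfs that host's own typical hour,
     which catches a spike regardless of which destination was used.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (assumed format: "<ISO timestamp> <host> <destination> <bytes_out>").
# ws-101 browses Facebook normally by day, then pushes 3.2 GB there at 03:02.
# ws-202 uploads small images to imgur, then one 2 MB upload in the same hour.
SAMPLE_LOG = """\
2012-09-03T09:15:02 ws-101 www.facebook.com 1800
2012-09-03T10:02:41 ws-101 www.facebook.com 2100
2012-09-03T11:30:09 ws-101 intranet.example 5400
2012-09-03T13:05:55 ws-101 www.facebook.com 1650
2012-09-03T15:47:12 ws-101 www.facebook.com 2300
2012-09-03T16:12:30 ws-101 intranet.example 4900
2012-09-04T09:05:00 ws-101 www.facebook.com 1900
2012-09-04T03:02:10 ws-101 www.facebook.com 3200000000
2012-09-03T09:20:00 ws-202 imgur.com 4000
2012-09-03T12:40:00 ws-202 imgur.com 3800
2012-09-03T14:10:00 ws-202 imgur.com 4100
2012-09-03T14:12:00 ws-202 imgur.com 2000000
"""

BUSINESS_HOURS = range(7, 19)        # assumed 07:00-18:59 local time
MIN_OFF_HOURS_BYTES = 10_000_000     # assumed floor so a small overnight sync does not alert
SPIKE_RATIO = 20.0                   # hour must exceed the host's median hourly volume by this factor
MIN_SPIKE_BYTES = 1_000_000          # and be at least this large in absolute terms


def parse_log(text):
    """Parse the assumed log format into (timestamp, host, destination, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return records


def hourly_volume(records):
    """Sum bytes_out per (host, hour bucket)."""
    buckets = defaultdict(int)
    for ts, host, _dest, nbytes in records:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(host, bucket)] += nbytes
    return buckets


def find_anomalies(records):
    """Return a list of (kind, host, destination, when, bytes) findings."""
    findings = []

    # Check 1: a single large upload outside business hours.
    for ts, host, dest, nbytes in records:
        if ts.hour not in BUSINESS_HOURS and nbytes >= MIN_OFF_HOURS_BYTES:
            findings.append(("off_hours_upload", host, dest, ts.isoformat(), nbytes))

    # Check 2: an hour far above the host's own median hourly volume.
    # The baseline is per host, so a host that legitimately moves a lot of
    # data every hour is not flagged just for being busy.
    per_host = defaultdict(list)
    for (host, hour), total in hourly_volume(records).items():
        per_host[host].append((hour, total))
    for host, hours in per_host.items():
        baseline = median(total for _hour, total in hours)
        for hour, total in hours:
            if total >= MIN_SPIKE_BYTES and total > SPIKE_RATIO * baseline:
                findings.append(("volume_spike", host, "*", hour.isoformat(), total))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed data this reports the 3.2 GB overnight Facebook upload from ws-101 twice (off hours and volume spike) and the 2 MB imgur hour from ws-202 once. The obvious caveat, which is the talk's own point about staying quiet, is that an upload throttled to the host's normal payload size and spread across business hours stays under both thresholds; per-host baselines catch the sloppy case, and the destination share or request count per hour would be the next dimension to add.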