PyExfil

The purpose of PyExfil is to collect as many exfiltration, and now also communication, techniques as possible that can be used by threat actors and malware in the wild to bypass detection and mitigation tools and techniques.

Put simply, it is meant to be used as a testing tool rather than an actual Red Teaming tool. Most techniques and methods should be easy to port and compile to various operating systems; some are stable and some experimental, but the transmission mechanism should be stable for all techniques. Clone it, deploy it on a node in your organization and see which systems can catch which techniques.

Network:
- DNS query
- HTTP Cookie
- ICMP (8)
- NTP Body
- BGP Open
- HTTPS Replace Certificate
- QUIC - No Certificate
- Slack Exfiltration
- POP3 Authentication (as password) - Idea thanks to Itzik Kotler
- FTP MKDIR - Idea thanks to Itzik Kotler
- Source IP-based Exfiltration
- HTTP Response
- IMAP_Draft
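As an added defender-side example (not part of PyExfil), here is a small Python detector for the first Network technique above, DNS query exfiltration: it scores the subdomain part of each query name for length and character entropy and reports base domains that receive several such queries. The log line format, the `exfil-test.invalid` domain, the client addresses and the thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic): "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 TXT 4a6f686e20446f652c203132332053656372657420537472.exfil-test.invalid
10.0.0.7 TXT 65742c20333435353620446f6c6c6172732e205468697320.exfil-test.invalid
10.0.0.7 TXT 6973206c696e65207468726565206f6620746865206c6f6e.exfil-test.invalid
10.0.0.9 A cdn.example.com
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payload labels score well above plain hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (base_domain, subdomain_part) using a crude last-two-labels rule
    (assumption: no public-suffix list), which is enough for the constructed sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_dns_exfil(log_text: str, min_sub_len: int = 30, min_entropy: float = 2.8,
                   min_queries: int = 3) -> dict:
    """Map base_domain -> clients for domains that received >= min_queries queries
    whose subdomain part is long and high-entropy, i.e. looks like an encoded payload."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, _qtype, qname = m.groups()
        base, sub = split_qname(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            per_domain[base].append(client)
    return {d: c for d, c in per_domain.items() if len(c) >= min_queries}


if __name__ == "__main__":
    print(find_dns_exfil(SAMPLE_LOG))  # {'exfil-test.invalid': ['10.0.0.7', '10.0.0.7', '10.0.0.7']}
```

A real deployment would key on the public-suffix list and rate-limit per client, but the same two signals (label length and entropy, aggregated per base domain) are what most DNS tunnelling detections start from.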

Communication:
- NTP Request
- DropBox LSP (Broadcast or Unicast)
- DNS over TLS
- ARP Broadcast
- JetDirect
- GQUIC - Google Quick UDP Internet Connections (Client Hello)
- MDNS Query - Can be used as broadcast.
- AllJoyn - Name Service Protocol (IoT discovery), Version 0 ISAT.
- PacketSize - Using the size of the packet rather than the actual data.
- UDP-Source-Port - Using the source port in UDP as a transmission medium.
- CertExchange - Leveraging the certificate exchange function for short bursts of communication.
- DNSQ - Leveraging DNS queries for communication.

Physical:
- Audio - No listener.
- QR Codes
- WiFi - On Payload
- 3.5mm Jack

Steganography:
- Binary Offset
- Video Transcript to Dictionary
- Braille Text Document
- PNG Transparency
- ZIPCeption
- DataMatrix over LSB