Security and Technology

Cloakify – Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Evade AV Detection

Cloakify Toolset – Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Defeat Data Whitelisting Controls; Evade AV Detection. Text-based steganography usings lists. Convert any file type (e.g. executables, Office, Zip, images) into a list of everyday strings. Very simple tools, powerful concept, limited only by your imagination.

Author

Joe Gervais (TryCatchHCF)

Why

DLP systems, MLS devices, and SecOps analysts know what data to look for:

So transform that data into something they’re not looking for:

Description

Python scripts to cloak / uncloak any file type using list-based ciphers (text-based steganography). Allows you to transfer data across a secure network’s perimeter without triggering alerts, defeating data whitelisting controls, and derailing analyst’s review via social engineering attacks against their workflows. As a bonus, cloaked files defeat signature-based malware detection tools.

Cloakify first Base64-encodes the payload, then applies a cipher to generate a list of strings that encodes the Base64 payload. Once exfiltrated, use Decloakify with the same cipher to decode the payload.

Not a secure encryption scheme (vulnerable to frequency analysis attacks, use ‘noiseTools’ scripts to add entropy). Encrypt data separately prior to processing to keep secure (if needed).

Very small, simple, clean, portable – written in Python. Can quickly type into a target’s local shell session if needed.

Use py2exe if Windows target lacks Python. ( http://www.py2exe.org/ )

Prepackaged ciphers include lists of:

Desserts in English, Arabic, Thai, Russian, Hindi, Chinese, Persian, and Muppet (Swedish Chef)

IPv4 Addresses of Popular Websites

GeoCoords World Capitals (Lat/Lon)

PokemonGo Monsters

MD5 Password Hashes

Emoji

World Cup Teams

Belgian Beers

Ski Resorts

World Beaches

Amphibians (scientific names)

GeoCaching Coordinates (w/ Site Names)

Star Trek characters

evadeAV (smallest cipher space – x3 payload size – purely to evade AV detection)

Prepackaged scripts for adding noise / entropy to your cloaked payloads:

prependID.py: Adds a randomized ID tag to front of each line

prependLatLonCoords.py: Adds randomized LatLong coordinates to front of each line

prependTimestamps.py: Adds timestamps (log file style) to front of each line

See script comments for details on how to tailor the output for your own needs

To create your own cipher

Generate a list of at least 66 unique words / phrases / symbols (Unicode accepted)

Randomize the list order

Remove all duplicate entries and all blank lines

Pass the new file as the cipher argument to cloakify / decloakify

Cloakify Example

Decloakify Example

Adding Entropy
Add noise to degrade frequency analysis attacks against your cloaked payloads. Here we use the ‘pokemonGo’ cipher, then use the ‘prependLatLonCoords.py’ script to generate random geocoords in a 10×10 mile grid. (Strip noise from file before decloaking.)

Sample Cipher Gallery

Download Cloakify http://ift.tt/2cKBe2i http://ift.tt/2aM8QhC

Deixe uma resposta

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s