Cloakify Toolset - Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Evade AV Detection. Text-based steganography usings lists. Very simple tools, powerful concept, limited only by your imagination.
Joe Gervais (TryCatchHCF)
DLP systems, MLS devices, and SecOps analysts know what data to look for: So transform that data into something they're not looking for:
Python scripts to cloak / uncloak payloads using list-based ciphers (text-based steganography). Allows you to transfer data across a secure network’s perimeter without triggering alerts, defeating data whitelisting controls, and derailing analyst’s review via social engineering attacks against their workflows. As a bonus, cloaked files defeat signature-based malware detection tools.
Cloakify first Base64-encodes the payload, then applies a cipher to generate a list of strings that encodes the Base64 payload. Once exfiltrated, use Decloakify with the same cipher to decode the payload.
Not a secure encryption scheme (vulnerable to frequency analysis attacks). Encrypt data separately prior to processing to keep secure (if needed).
Very small, simple, clean, portable - written in Python. Can quickly type into a target’s local shell session if needed.
Use py2exe if Windows target lacks Python. (http://www.py2exe.org/)
Prepackaged ciphers include lists of:
- Desserts in English, Arabic, Thai, Russian, Hindi, Chinese, Persian, and Muppet (Swedish Chef)
- IPv4 Addresses of Popular Websites
- GeoCoords World Capitals (Lat/Lon)
- MD5 Password Hashes
- Emoji
- Amphibians (scientific names)
- GeoCaching Coordinates (w/ Site Names)
- Star Trek characters
- evadeAV (smallest cipher space - x3 payload size - purely to evade AV detection)
- Generate a list of at least 66 unique words / phrases / symbols (Unicode accepted)
- Randomize the list order
- Remove all duplicate entries and all blank lines
Pass the new file as the cipher argument to cloakify / decloakify
#Cloakify Example
$ cat payload.txt The FBI just filed a motion to delay Tuesday's hearing in the San Bernardino iPhone case, claiming that an "outside party" may be able to help it break into the phone without Apple's help. The motion comes after weeks of escalation tension in the case with Apple, the FBI, and other stakeholders arguing the case in public before it reached courts. It's not clear who is helping the FBI or what the new method entails, but it may not be coming from the NSA, despite speculation that the intelligence agency has the ability up its sleeve; today's filing suggests that the help is coming from "outside the US government." $ ./cloakify.py payload.txt ciphers/desserts.ciph > cloaked.txt $ head cloaked.txt streusel biscuits flower marionberry puffs buttermilk terrine eggs muffins snickerdoodles $
#Decloakify Example
$ head cloaked.txt streusel biscuits flower marionberry puffs buttermilk terrine eggs muffins snickerdoodles $ ./decloakify.py cloaked.txt ciphers/desserts.ciph The FBI just filed a motion to delay Tuesday's hearing in the San Bernardino iPhone case, claiming that an "outside party" may be able to help it break into the phone without Apple's help. The motion comes after weeks of escalation tension in the case with Apple, the FBI, and other stakeholders arguing the case in public before it reached courts. It's not clear who is helping the FBI or what the new method entails, but it may not be coming from the NSA, despite speculation that the intelligence agency has the ability up its sleeve; today's filing suggests that the help is coming from "outside the US government." $