antinfinait Posted March 20, 2019

HELLO Hak5 COMMUNITY!

This is my first thread. I have written a program that exfiltrates files over audio waves.

Technical information:
=======================
Protocol : AFSK1200 x25 packet radio Fire-And-Forget mod
Baud rate: 1200bps stable (0.15 KBytes/second, 10 kilobytes/minute)
Language : C# .NET 3.5
=======================

I have written this for the [Payload] segment of Hak5. As I am too poor to buy a rubber ducky [not kidding], it would be cool if someone would make a rubber ducky payload out of this. I am dreaming of a rubber ducky...

This program takes as input a file [binary data of any kind] and converts it to a .wav file that would then be played, and the audio output would be recorded with a smartphone. Then, it takes a .wav input and converts it to a file [only supports utf8 ATM, if you plan on decoding other binary data, use minimodem or one of the tens of other FSK decoders out there].

THIS IS JUST A PoC script! It proves that the concept of stealing files over audio is possible!

Source Code
Download for pre-built binary [merged and not obfuscated]: HERE
Obfuscated assembly: HERE

Hope you like it!

antinfinait Posted March 20, 2019 (Author)

Forgot to include virus scan for the bins:
For the obfuscated assembly [0/26 CLEAN]
For the non-obfuscated assembly [0/26 still FUD!]

icarus255 Posted March 26, 2019

Pretty sweet idea dude. I like it but do you have some instructions or a readme file for noobs like myself to follow? What are those squeaky kitten binaries? I would rather compile from source if you get what I'm saying 😉

antinfinait Posted March 26, 2019 (Author)

3 hours ago, icarus255 said:
> Pretty sweet idea dude. I like it but do you have some instructions or a readme file for noobs like myself to follow? What are those squeaky kitten binaries? I would rather compile from source if you get what I'm saying 😉

Thanks!! So first, the binaries are NOT infected. You can decompile them to see that (I recommend grabbing dnSpy from GitHub). Or, if you want to compile it yourself, you need Visual Studio with Visual C#.

On 3/20/2019 at 6:57 PM, antinfinait said:
> Forgot to include virus scan for the bins:
> For the obfuscated assembly [0/26 CLEAN]
> For the non-obfuscated assembly [0/26 still FUD!]

These are the scans.

Second, I made this program so it is very easy to use. Once in the main menu, you can use command 'a' to go to the exfiltration menu, and 'b' to decode.

a - exfiltration - very easy to use. It will ask you for the file path, and then it will ask you for the filename of the output .wav file. The output is the data modulated into audio with FSK1200 (frequency shift keying, at a speed of 1200 bits per second). In fact, it is derived from AX.25. You play the file and record the audio with an external device. Then you can decode it.

b - decoding - straightforward as well, but it is [Work In Progress]. If the community finds it useful, I will make it much better. {The thing is that it interprets only UTF8 atm. So binary that is not UTF8 is left as a hex dump. The first chars are from the callerid (from AX.25. I will remove them in the future, you can delete them for now.)}

I recommend compressing your files with LZMA if they are bigger.

If someone wants to use a rubber-ducky with it, I can write a loader (1-2 kb) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.

SqueakyKitten is the only name I came up with, and a name suggestion would be greatly appreciated.

Thanks for your reply. Have a nice day! ☺️

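Added example, not part of the original posts or of the SqueakyKitten code: a defender-side heuristic that flags the two-tone AFSK1200 audio described above by checking that the spacing between zero crossings in a recording clusters around both tones. It assumes the Bell 202 tone pair (1200/2200 Hz) commonly used for AFSK1200, which the thread does not state, a 48 kHz capture, and a constructed, noise-free test signal with no AX.25 framing.

```python
import math
import random

FS = 48000                 # capture sample rate in Hz (assumption)
BAUD = 1200                # symbol rate given in the thread
MARK, SPACE = 1200, 2200   # Bell 202 tone pair (assumption, not stated in the thread)

def constructed_afsk(bits):
    """Constructed test signal: one continuous-phase tone burst per bit."""
    phase, out = 0.0, []
    for bit in bits:
        step = 2 * math.pi * (MARK if bit else SPACE) / FS
        for _ in range(FS // BAUD):
            out.append(math.sin(phase))
            phase += step
    return out

def zero_cross_intervals(samples):
    """Distances, in samples, between successive sign changes."""
    intervals, last = [], None
    for i in range(1, len(samples)):
        if (samples[i - 1] >= 0) != (samples[i] >= 0):
            if last is not None:
                intervals.append(i - last)
            last = i
    return intervals

def tone_shares(samples, tol=2.0):
    """Share of half-cycles whose length matches the mark and the space tone."""
    intervals = zero_cross_intervals(samples)
    if len(intervals) < 20:            # silence or DC: nothing to judge
        return 0.0, 0.0
    mark = sum(1 for d in intervals if abs(d - FS / (2 * MARK)) <= tol)
    space = sum(1 for d in intervals if abs(d - FS / (2 * SPACE)) <= tol)
    return mark / len(intervals), space / len(intervals)

def looks_like_afsk(samples, min_each=0.1, min_total=0.5):
    """True when both tones are present and together dominate the audio."""
    mark, space = tone_shares(samples)
    return mark >= min_each and space >= min_each and mark + space >= min_total

def bits_of(data):
    return [(byte >> k) & 1 for byte in data for k in range(8)]

rng = random.Random(1)     # fixed seed so the constructed noise is repeatable
SAMPLE_AFSK = constructed_afsk(bits_of(b"constructed sample payload"))
SAMPLE_TONE = constructed_afsk([1] * 208)   # steady single tone, no keying
SAMPLE_NOISE = [rng.uniform(-1, 1) for _ in range(len(SAMPLE_AFSK))]
```

On a real microphone capture, band-pass the audio around the two tones first, because zero-crossing spacing is sensitive to background noise.
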
icarus255 Posted March 26, 2019

I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15KB/s you aren't going to be ex-filtrating much but it's a sneaky way to exfil once you encode the data.

43 minutes ago, antinfinait said:
> If someone wants to use a rubber-ducky with it, i can write a loader(1-2 kb) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.

What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?

43 minutes ago, antinfinait said:
> SqueakyKitten is the only name i came up with, and a name suggestion would be greatly appreciated.

Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on github. Anyway SqueakyKitten has a better ring to it.

antinfinait Posted March 26, 2019 (Author)

8 minutes ago, icarus255 said:
> I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15KB/s you aren't going to be ex-filtrating much but it's a sneaky way to exfil once you encode the data.
>
> What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?
>
> Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on github. Anyway SqueakyKitten has a better ring to it.

The ducky would directly type a PowerShell script that would have a variable [base64 string, the loader]. Then it would write it. It will be faster to type because of compression, and the loader would run it directly in memory, so no file is dropped from an unsigned executable process file, that could trigger alarms.

antinfinait Posted March 26, 2019 (Author)

I did a short static test for you. There is also an upcoming video to test the noise tolerance, recording it with my phone from farther back.

LINK

Alyssia Posted February 8, 2020

Heyy, great idea dude! But I do need some instructions to follow cuz I'm new in that Kodi Lucky Patcher nox

CYBERING Posted March 2, 2020

I was going to laugh if it was just text to speech then speech to text 🙂 What could be a cool line of research would be doing adversarial training against a speech recognition neural net, find some inaudible inputs that it accepts as valid, then using those.