
File Exfiltration via SOUND WAVES


antinfinait


HELLO Hak5 COMMUNITY!

This is my first thread.

I have written a program that exfiltrates files over audio waves.

Technical information:

=======================

Protocol: AFSK1200 x25 packet radio, Fire-And-Forget mod

Baud rate: 1200 bps, stable (0.15 KBytes/second, 10 kilobytes/minute)

Language: C# .NET 3.5

=======================

I have written this for the [Payload] segment of Hak5. As I am too poor to buy a Rubber Ducky [not kidding], it would be cool if someone would make a Rubber Ducky payload out of this. I am dreaming of a Rubber Ducky...

This program takes as input a file [binary data of any kind] and converts it to a .wav file, which is then played, and the audio output is recorded with a smartphone. Then, it takes a .wav input and converts it to a file [only supports UTF-8 ATM; if you plan on decoding other binary data, use minimodem or one of the tens of other FSK decoders out there].

THIS IS JUST A PoC script ! It proves that the concept of stealing files over audio is possible!

Source Code

Download for pre-built binary [merged and not obfuscated] HERE

Obfuscated assembly HERE

Hope you like it!


3 hours ago, icarus255 said:

Pretty sweet idea dude. I like it but do you have some instructions or a readme file for noobs like myself to follow? What are those squeaky kitten binaries? I would rather compile from source if you get what I'm saying 😉

Thanks!! 

So first, the binaries are NOT infected. You can decompile them to see that (I recommend grabbing dnSpy from GitHub). Or, if you want to compile it yourself, you need Visual Studio with Visual C#.

On 3/20/2019 at 6:57 PM, antinfinait said:

These are the scans. 


Second, I made this program so it is very easy to use. Once in the main menu, you can use command 'a' to go to the exfiltration menu, and 'b' to decode.

a - exfiltration: very easy to use. It will ask you for the file path, and then it will ask you for the filename of the output .wav file.

The output is the data modulated into audio with FSK1200 (frequency shift keying, at a speed of 1200 bits per second). In fact, it is derived from AX.25.

You play the file and record the audio with an external device. Then you can decode it. 

b - decoding: straightforward as well, but it is [Work In Progress]. If the community finds it useful, I will make it much better.

{The thing is that it interprets only UTF-8 ATM, so binary that is not UTF-8 is left as a hex dump. The first chars are from the caller ID (from AX.25). I will remove them in the future; you can delete them for now.}

I recommend compressing your files with LZMA if they are bigger. 

If someone wants to use a Rubber Ducky with it, I can write a loader (1-2 KB) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.


SqueakyKitten is the only name I came up with, and a name suggestion would be greatly appreciated.


Thanks for your reply. Have a nice day! ☺️
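To give the thread's AFSK1200 angle a defender's counterpart, here is an added Python example (not part of the post or of SqueakyKitten's code) that constructs a short Bell 202 AFSK1200 signal, as AX.25 uses it, and runs a simple zero-crossing detector over audio to flag windows whose dominant frequency sits between the 1200 Hz mark and 2200 Hz space tones; the sample rate, window length and detection band are assumptions.

```python
import math
import random

# Bell 202 AFSK as used by AX.25 packet radio at 1200 baud (assumed 44.1 kHz sampling)
MARK_HZ, SPACE_HZ, BAUD, SAMPLE_RATE = 1200.0, 2200.0, 1200, 44100
# A window whose estimated frequency lands in this band is counted as AFSK-like
AFSK_BAND = (1000.0, 2400.0)

def afsk_modulate(data: bytes) -> list:
    """Constructed sample input: continuous-phase AFSK1200 of `data`, bits sent
    LSB first with NRZI as in AX.25 (a 0 bit toggles the tone, a 1 keeps it)."""
    bits = [(b >> i) & 1 for b in data for i in range(8)]
    tone, phase, last_bit, out = MARK_HZ, 0.0, -1, []
    for n in range(math.ceil(len(bits) * SAMPLE_RATE / BAUD)):
        bit_idx = min(n * BAUD // SAMPLE_RATE, len(bits) - 1)
        if bit_idx != last_bit and bits[bit_idx] == 0:
            tone = SPACE_HZ if tone == MARK_HZ else MARK_HZ
        last_bit = bit_idx
        phase += 2 * math.pi * tone / SAMPLE_RATE
        out.append(math.sin(phase))
    return out

def pure_tone(freq_hz: float, n: int) -> list:
    """Constructed benign audio: a single steady tone."""
    return [math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]

def white_noise(n: int, seed: int = 1) -> list:
    """Constructed benign audio: broadband noise (deterministic via seed)."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]

def zero_crossing_freq(window: list) -> float:
    """Cheap dominant-frequency estimate from sign changes; silence gives 0 Hz."""
    crossings = sum(1 for a, b in zip(window, window[1:]) if a * b < 0)
    return crossings * SAMPLE_RATE / (2.0 * (len(window) - 1))

def afsk_window_fraction(samples: list, bits_per_window: int = 4) -> float:
    """Fraction of non-overlapping windows (4 bit periods each by default) whose
    dominant frequency sits in the Bell 202 band. AFSK1200 scores 1.0, since every
    window holds mark, space or a phase-continuous mix; other audio scores far lower."""
    win = round(bits_per_window * SAMPLE_RATE / BAUD)
    windows = [samples[i:i + win] for i in range(0, len(samples) - win + 1, win)]
    if not windows:
        return 0.0
    hits = sum(1 for w in windows
               if AFSK_BAND[0] <= zero_crossing_freq(w) <= AFSK_BAND[1])
    return hits / len(windows)
```

Running `afsk_window_fraction` over audio captured from a host's output (or a recording found on a phone) gives a quick triage score; a sustained score near 1.0 is the signature of packet-style AFSK rather than speech or music.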


I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15KB/s you aren't going to be exfiltrating much but it's a sneaky way to exfil once you encode the data.

43 minutes ago, antinfinait said:

If someone wants to use a Rubber Ducky with it, I can write a loader (1-2 KB) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.

What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?

43 minutes ago, antinfinait said:

SqueakyKitten is the only name I came up with, and a name suggestion would be greatly appreciated.

Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on GitHub. Anyway SqueakyKitten has a better ring to it.


8 minutes ago, icarus255 said:

I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15KB/s you aren't going to be exfiltrating much but it's a sneaky way to exfil once you encode the data.

What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?

Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on GitHub. Anyway SqueakyKitten has a better ring to it.

The Ducky would directly type PowerShell that would have a variable [base64 string, the loader].

Then it would write it.

It will be faster to type because of compression, and the loader would run it directly in memory, so no file is dropped from an unsigned executable process file that could trigger alarms.


I was going to laugh if it was just text to speech then speech to text 🙂

What could be a cool line of research is doing adversarial training against a speech recognition neural net: find some inaudible inputs that it accepts as valid, then use those.
