
File Exfiltration via SOUND WAVES



HELLO Hak5 COMMUNITY!

This is my first thread.

I have written a program that exfiltrates files over audio waves.

Technical information:

=======================

Protocol: AFSK1200 x25 packet radio Fire-And-Forget mod

Baud rate: 1200 bps, stable (0.15 KB/s, 10 kilobytes/minute)

Language: C# .NET 3.5

=======================

I have written this for the [Payload] segment of Hak5. As I am too poor to buy a Rubber Ducky [not kidding], it would be cool if someone would make a Rubber Ducky payload out of this. I am dreaming of a Rubber Ducky...

This program takes as input a file [binary data of any kind] and converts it to a .wav file, which is then played, and the audio output is recorded with a smartphone. Then, it takes a .wav input and converts it to a file [only supports UTF-8 ATM; if you plan on decoding other binary data, use minimodem or one of the tens of other FSK decoders out there].

THIS IS JUST A PoC script! It proves that the concept of stealing files over audio is possible!

Source Code

Download the pre-built binary [merged and not obfuscated] HERE

Obfuscated assembly HERE

Hope you like it!

3 hours ago, icarus255 said:

Pretty sweet idea dude. I like it but do you have some instructions or a readme file for noobs like myself to follow? What are those squeaky kitten binaries? I would rather compile from source if you get what I'm saying 😉

Thanks!! 

So first, the binaries are NOT infected. You can decompile them to see that (I recommend grabbing dnSpy from GitHub). Or, if you want to compile it yourself, you need Visual Studio with Visual C#.

On 3/20/2019 at 6:57 PM, antinfinait said:

These are the scans. 

 

Second, I made this program so it is very easy to use. Once in the main menu, you can use command 'a' to go to the exfiltration menu, and 'b' to decode.

a - exfiltration - very easy to use. It will ask you for the file path, and then it will ask you for the filename of the output .wav file.

The output is the data modulated into audio with FSK1200 (frequency shift keying, at a speed of 1200 bits per second). In fact, it is derived from AX.25.

You play the file and record the audio with an external device. Then you can decode it.

b - decoding - straightforward as well, but it is [Work In Progress]. If the community finds it useful, I will make it much better.

{The thing is that it interprets only UTF-8 ATM, so binary that is not UTF-8 is left as a hex dump. The first chars are from the caller ID (from AX.25). I will remove them in the future; you can delete them for now.}

I recommend compressing your files with LZMA if they are bigger.

If someone wants to use a Rubber Ducky with it, I can write a loader (1-2 KB) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.

 

SqueakyKitten is the only name I came up with, and a name suggestion would be greatly appreciated.

 

Thanks for your reply. Have a nice day! ☺️

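The encoding described in the post above, as an added example that is not part of the original thread or of SqueakyKitten: AFSK1200 the way AX.25 uses it (Bell 202 tones, 1200 Hz mark / 2200 Hz space, NRZI, octets sent LSB first), round-tripped through a modulator and a two-tone correlator demodulator, then packed into the 16-bit .wav the tool plays back. The 48 kHz sample rate and the bit-aligned decoder (no clock recovery and no AX.25 framing) are assumptions of this example; the same tone-energy comparison that decodes the signal is also what a monitor would use to notice an AFSK transmission in a recording.

```python
# Added example, not SqueakyKitten's code: AFSK1200 as AX.25 uses it.
# Assumptions: 48 kHz sample rate, Bell 202 tones, bit-aligned decoding.
import cmath, io, math, struct, wave

SAMPLE_RATE, BAUD = 48000, 1200          # 40 samples per bit
MARK, SPACE = 1200.0, 2200.0             # Bell 202 tone pair (AFSK1200)
SPB = SAMPLE_RATE // BAUD

def to_bits(data: bytes):
    """AX.25 sends each octet least-significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(8)]

def modulate(data: bytes):
    """NRZI: a 0 bit toggles the tone, a 1 keeps it; phase stays continuous."""
    tone, phase, out = MARK, 0.0, []
    for bit in to_bits(data):
        if bit == 0:
            tone = SPACE if tone == MARK else MARK
        step = 2 * math.pi * tone / SAMPLE_RATE
        for _ in range(SPB):
            out.append(0.8 * math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return out

def tone_energy(window, freq):
    """Single-frequency DFT magnitude (a Goertzel-style correlator)."""
    w = -2j * math.pi * freq / SAMPLE_RATE
    return abs(sum(x * cmath.exp(w * n) for n, x in enumerate(window)))

def demodulate(samples):
    """Pick mark/space per bit window, undo NRZI, repack LSB-first.
    Assumes the capture starts on a bit boundary (no clock recovery)."""
    bits, prev = [], MARK
    for i in range(0, len(samples) - SPB + 1, SPB):
        win = samples[i:i + SPB]
        tone = MARK if tone_energy(win, MARK) > tone_energy(win, SPACE) else SPACE
        bits.append(1 if tone == prev else 0)
        prev = tone
    return bytes(sum(bits[i + k] << k for k in range(8))
                 for i in range(0, len(bits) - 7, 8))

def to_wav(samples) -> bytes:
    """16-bit mono PCM, the .wav the tool writes out for playback."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(SAMPLE_RATE)
        wav.writeframes(b"".join(struct.pack("<h", int(s * 32767)) for s in samples))
    return buf.getvalue()
```

At 1200 bit/s each octet takes 8 bit windows, so one second of audio carries 150 bytes, which matches the throughput figure quoted at the top of the thread.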

I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15 KB/s you aren't going to be exfiltrating much but it's a sneaky way to exfil once you encode the data.

43 minutes ago, antinfinait said:

If someone wants to use a Rubber Ducky with it, I can write a loader (1-2 KB) that has the main bin as a very compressed resource and then decompresses it and loads it into memory directly.

What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?

43 minutes ago, antinfinait said:

SqueakyKitten is the only name I came up with, and a name suggestion would be greatly appreciated.

Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on GitHub. Anyway SqueakyKitten has a better ring to it.

8 minutes ago, icarus255 said:

I don't really know much about encoding audio and audio formats but it sounds pretty interesting so I'll check it out this weekend. There are some practical limitations though. At 0.15 KB/s you aren't going to be exfiltrating much but it's a sneaky way to exfil once you encode the data.

What will this overcome? If you can execute the loader then you can execute the main bin or did I miss something?

Yea you can call it the SneakyKitten 😉 Nah I'm jk. I was only asking what the sneaky kitten bins were because there was no description on GitHub. Anyway SqueakyKitten has a better ring to it.

The Ducky would directly type a PowerShell script that would have a variable [base64 string, the loader].

Then it would write it.

It will be faster to type because of compression, and the loader would run it directly in memory, so no file is dropped from an unsigned executable process file that could trigger alarms.


I was going to laugh if it was just text to speech then speech to text 🙂

What could be a cool line of research would be doing adversarial training against a speech recognition neural net, find some inaudible inputs that it accepts as valid, then using those.
