[unDLP] First release {1.0}

Hi fellas,

The time is came to publish the first release of unDLP. This journey was scattered of obstacles coming from the old and venerated Perl gods ! But that’s not all, hold on, the famous TLS protocol made me sweated more than once … bloody block size limitation …

Well, before I get into the main topic, here is a small reminder about the reasons that pushed me to develop unDLP.

As you probably already know, industrial spying cost millions of dollars to companies every year through data exfiltration, data stealing, etc. In order to protect themselves against this bane, companies invested into DLP technologies, allowing to protect sensitive information from hackers and malicious employees. A few existing solutions allow bypassing such security measures. However, none of them are flawless, discrete, or efficient enough to guarantee success. That is why unDLP was born.

To resume in a few words, unDLP aim to discreetly exfiltrate information via multiple covert channel. At the moment, only one has been implemented, HTTPS.

unDLP follow a standard client / server architecture, providing various types of features. Let’s take a look at them.

Exfiltration methods

At the present time, only the HTTPS exfiltration method has been implemented. This engine is straightforward, the client will successively send POST requests, containing the data to exfiltrate, to the server. On the other side, the server will bufferize the incoming information till the transfer is done then it will save them on the file system.

By the same token, the protocol created for the file transfer allows the server to handle multiple files at the same time, ensuring that no collision occurs during the sending.

Multi-upload

The client provides the possibility to specify multiple files to send. However, due to the fact that the multi-threading is discouraged with Perl and that forking doesn’t seem to work properly, the files are dequeued when the previous job is done. I will try to find a solution in order to affords a true multi-upload system but at least, for now, we don’t have to restart the client for each file … It’s better than nothing

Transfer speed

The transfer speed is adjustable in order to avoid detection. Indeed, it could be suspect to see 1 POST request by second targeted the same domain name during 1 or 2 minutes !

Block size

For the same purpose, unDLP provides the possibility to change the size of the data blocks transferred. However, in view of the TLS limitation, it is not possible to increase this parameter above a given ceiling.

Encryption

Even if data encryption is not necessary when using HTTPS, this functionality has been implemented in prevision of the upcoming exfiltration methods.

At first, I implemented an asymmetric encryption but I quickly switched, due to performance issues, to a symmetric scheme. For the same purpose, I choose to use the AES with CTR mode. It is not the safest way to perform encryption nevertheless, it is enough to counter MITM monitoring.

Note: I discourage to use encryption when using the HTTPS exfiltration method due to TLS block size limitation that force to reduce the chunks of data, which terribly affect the transfer speed and could take ages to handle a large file.

Usage

Client

usage: unDLP.pl -f [FILE, ...] -d DESTINATION -m [HTTPS] [--e PASSWORD] [--size SIZE] [--delay DELAY] [--help|h]

     -f: File to transfer.
     -d: Destination.
     -m: Exfiltration method.
     --e: Set the encryption password.
     --size: Set the transfer size.
     --delay: Set the transfer speed (in second).
     --help|h: Display the helper.

Server

usage: server.pl [--e PASSWORD] [--help|h]

     --e: Set the decryption password.
     --help|h: Display the helper.

Note: It is important to note that even if the server is started with a decryption password, it is still possible to handle raw data.

Demo

https://0x0.st/yLG.mp4

Todo

• Improve the multi-upload system
• DNS exfiltration
• RTCP exfiltration
• [and other type of exfiltration]

Contribution

Pull requests for new features, bug fixes, and suggestions are welcome !

P.S: keep in mind to respect the Perl::Critic::Freenode policies.

I hope that you enjoyed this article.

Best,
Nitrax

AWESOME! I’m glad that it’s in working order. I can already see a ton of uses this could have. Now it’s just time to wait for the updates. :3

Nice to heard that ! Btw, if you guys have some idea about unDLP regarding the possible exfiltration methods, etc, don’t hesitate to let me know !

Have you seen this series on a covert channel in TCP? It’s not that super fast but extremely interesting, though…

Part I, II and III

Nop ! I will check this out. Anyway, I already planned to add this covert channel ASAP

Hello there!
I am the author of those posts.
Thanks a lot for mentioning them!

unDLP looks quite promising! Added to the things I follow.

Hey, you’re writing fantastic articles! I can higly recommmend everyone to check your blog out .

Keep it up; I’m checking everyday for new posts!

Hey, DLP is a bitch. Smash it!
Keep in mind though that corporal environments have HTTPS proxies that decode SSL and serve as MiTM, passing all traffic from HTTP proxing (and log several request parameters, even POST sometimes).

Logs like those can serve as evidence that you did something (not clearly leakage, but) bogus. Sometime this evidence is enough if leaked documents are found torrenting around.
You 'd better get some Domain Name in the Host Header (to fool the proxy that this is a website visit), and use stego in the 7 layer fields that do not get logged frequently in most configurations (POST parameter password fields, OPTIONS, HEAD, Etags, etc… ), or make data layer look innocent.

Thanks for your input. I’m currently testing unDLP against several types of firewall, IDS, etc. I must admit that it works pretty nice I will keep you all updated when those tests will be done !

@operatorequals congrats for the great blog. I found them some weeks ago and really enjoyed reading them.

Good you passed by our community!

This is really cool, I’m loving the fancy CLI progress bar

Jokes aside, I think this is a really dope concept, (and reality).

What I love about these small yet very effective projects is that detecting these in the field is very difficult since it’s a new tool, new concept and there isn’t much call to defend against things like this because it’s so new.