Skip to content
Get your APT on using social media as a tool for data exfiltration.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Using social media as a tool for data exfiltration.



See screep:

  from sneakers import Exfil


  channel = "file"
  encoders = ["b64"]

  dataz = "very secret and private message"

  # think of the exfil object like a tube
  # (or some kind of weird socket)
  t = Exfil(channel, encoders)

  t.set_channel_params({'sending': {'filename': 'test.txt'},
                        'receiving': {'filename': 'test.txt'}})

  t.set_encoder_params('b64', {})
  # this isn't actually necessary, just for demonstration






virtuelenv venv && source venv/bin/activate && pip install -r requirements.txt

There have been some odd issues with dependencies due to the way sneaky-creeper dynamically imports modules (the runtime imports tend to ignore virtualenvs). These have been solved in the past by installing modules globally using pip install --user -r requirements.txt, which is a pretty ugly hack. We're working on a better solution. Go ahead and try the above, and if it fails, open an issue so we can take a look.

API Keys:


Instructions are here:

When the instructions are complete, go to the Twitter API page

Examine your access level for Consumer Key and Access Key and be sure they are set to read and write.

  1. If not set to read and write, change the Consumer Key settings to be read and write
  2. Revoke the Access Token
  3. Wait five minutes
  4. Generate a new access token

It should now mimic the access level of the Consumer Key


Make a Tumblr account and create an app. Then, visit the API console and note down the four strings there; these are your key, secret, token, and token_secret.


Make a Soundcloud account and register an app. Visit your apps console and note the strings for Client ID and for the Client Secret. These are for the ID and secret, while your username and password are for the username and password.


First, set up a Salesforce developer edition account. Define a connected app.Make sure it has full permissions, and don't worry about the callback URL - it won't be used. Once you've successfully defined your app, note down the client_id and client_secret tokens. Lastly, reset your security token and note down its value.

Google Spreadsheets:

Follow the instructions found at You can stop noce you've noted down your client_email and private_key. You then need to create a Google Sheet (in the same account you just authorized!), and note down its title, then share it (using Google's share feature) with the email account you noted down as client_email.


source venv/bin/activate && nosetests will run all the tests. Note that this will leave random junk on some of the channels you have set up - you've been warned! Credentials for these tests should go in sneakers/config/ - there's another readme there to help you out.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.