Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

Why does Drive Badger use Kali Linux?

To leverage:

  • existing boot infrastructure (any minimal Linux would do; in fact we also want to release a separate standalone version that could run fully headless and keyboardless, e.g. to exfiltrate NAS devices)
  • existing Debian systemd/udevd infrastructure (including udevd ruleset) – to properly detect hardware and handle network configuration
  • upstream updates and security fixes
  • persistent encrypted partition functionality, deeply integrated with the boot infrastructure – so that the exfiltrated data is inaccessible to any third party if you lose the drive, or e.g. it is forcibly taken from you after a search

Should I choose the 32-bit or the 64-bit version of Kali Linux?

For "production" use (against real targets), you should always have 3 drives, one with each version:

  • 32-bit version - runs on both 32-bit and most 64-bit computers, so it is more universal (however, since 2020 more and more new UEFI-based computers and servers appear every month that can't boot 32-bit images - e.g. Dell PowerEdge T-series models made since at least 2020)
  • 64-bit version - runs on any 64-bit computer or server, including the newest ones, but won't run on 32-bit hardware at all
  • 64-bit ARM version for Apple M1 hardware (2020+ models)

Which USB drive model should I choose, and why?

See recommended hardware: our curated list of 3 pen drive models and 6 external SSD drive models, with explanations of when to choose which model.

Why doesn't Drive Badger wait for full network configuration?

The systemd unit for the rc-drivebadger service depends only on drive/filesystem-related configuration and a running rsyslog.

It doesn't wait for DHCP or full network configuration, which can result in computers being identified only by model name, without an IP address - however, this behavior is intentional. Instead it sleeps for 15 seconds (plus an additional 20 if graphical mode is running) to give the network stack time to configure itself and obtain an IP address from DHCP.

This prevents waiting very long, possibly indefinitely, in case of network problems (e.g. a Wi-Fi-only environment - remember that Kali doesn't have your Wi-Fi password).

If network configuration does not succeed, for example because:

  • there is no wired LAN connection and no previously configured Wi-Fi network within range
  • the available Wi-Fi network(s) require 802.1X authentication
  • the network (or DHCP itself) is too slow, or there is packet loss or other problems

then Drive Badger will simply omit the IP address from the computer ID used to identify exfiltrated computers.

From the founder...

Being in the IT security business for almost 25 years, I realized that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent, once obtained. This becomes more and more difficult as IT systems get more and more complicated - and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges, or the outcome of the successful break-in.