Menu

Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

Each partition recognized by Drive Badger during attack, between mount and rsync, is passed through series of hooks. Hooks are functional plugins, cloned into /opt/drivebadger/hooks directory, processing given filesystem in some more intelligent way, than just copying all data.

Available hooks

  • hook-fstab - look for /etc/fstab files, extract all statically defined smbfs/cifs and nfs shares and exfiltrate them
  • hook-wcxftp - look for Total Commander's wcx_ftp.ini files with saved FTP passwords, extract and decode passwords, and exfiltrate FTP accounts
  • hook-virtual - look for VMware/Hyper-V virtual drive images and exfiltrate them recursively

Writing new hooks

You can implement your own hooks. Each hook repository must contain hook.sh script, accepting 2 arguments:

  • source path (where the partition is mounted)
  • target root directory (where the exfiltrated data should be written)