Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

First stage: choosing a proper USB device

Here you will find our curated list of recommended hardware:

  • miniature pen drives, looking like wireless mouse receiver
  • external USB SSD drives - much faster and more durable, but also bigger and much easier to spot
  • external NVMe/Thunderbolt drives - fastest, but limited only to computers that support them (eg. Apple)

Start with choosing (and buying) the most adequate device to your individual requirements.

Second stage: installing Kali Linux

  1. Download Kali Linux Live image for your chosen hardware architecture from here.

  2. Write the downloaded image to your chosen USB device (at least 8GB required just for testing, but 240GB-2TB recommended for "production" usage):

    dd if=kali-linux-2021.1-live-amd64.iso of=/dev/sdb status=progress

    where /dev/sdb is the device identifier of the drive, to which you write the image (remember that these identifiers are assigned randomly after each computer boot).

  3. Create the third partition on that USB device (preferably LUKS-encrypted):

    • if you use Windows, boot into Kali Linux
    • if you use Linux, you can do it straight from your computer

    The exact instructions can be found here.

Security advice

We suggest to setup stronger encryption parameters, to avoid brute forcing your chosen password:

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --debug --verify-passphrase luksFormat /dev/sdb3

Third stage: installing and configuring Drive Badger

Basic installation

Boot into your new Kali Linux (in persistent mode), make sure that you have working Internet connection, open the terminal, execute sudo su - to become root, and execute:

apt update
apt install git
git clone /opt/drivebadger
git clone /opt/drivebadger/external/compat
git clone /opt/drivebadger/external/ext-veracrypt

Configuring and installing functional extensions

The above set of 3 repositories is a bare minimum - enough to run the exfiltration process, but not enough to achieve optimal performance, handle encrypted drives or network shares. Now you need to clone all chosen configuration repositories and hooks into respectively /opt/drivebadger/config and /opt/drivebadger/hooks directories:

Make sure that you cloned everything that you want to use (see our reference install script as checklist). So far, you can safely reboot Kali Linux, how many times you need.

Drive encryption keys

Drive Badger supports 4 most important drive encryption methods: Apple FileVault, Bitlocker, LUKS and VeraCrypt. Of course, decryption is possible only when you obtained and installed encryption keys (either assigned to drives, or not).

For security reasons, in most cases you should keep your encryption keys in a private repository. See how to install private repositories.

Filesystem injectors

While Drive Badger's main functionality is data exfiltration, it is also able to make changes to the copied filesystem: create files or directories, write data into them, rename, delete etc. This feature is called filesystem injection and is done by "injectors". See injectors-playground repository for example scripts.

After you create your own injector repositories, you need to clone them into /opt/drivebadger/injectors directory.

Arming the device

Open the terminal, execute sudo su - to become root, and execute:

cd /opt/drivebadger/setup/2020.3 && ./

This will:

  • "arm" your USB device by setting /etc/rc.drivebadger script to be run on each boot (even on your own computer, so don't execute this prematurely)
  • enable ssh server to also run automatically after each boot (default password is kali)
  • disable graphical mode (operator still can start it manually by running startx after boot)

If you don't want to disable graphical mode, execute in the same terminal:

systemctl set-default

Example install script

You can find the example install script here - just remember, that it's an example, not a complete script.

From the founder...

Being in IT security business for almost 25 years, I realized, that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent, once obtained. This becomes more and more difficult, as IT systems get more and more complicated - and this is exactly the goal of Drive Badger project: to give non-ITSEC people the ability to keep either the privileges, or the outcome of the successful break-in.