Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

Update to the latest version of Kali Linux

Mobile Badger

  • try to unify event logging between Drive Badger and Mobile Badger

Support for disk encryption schemes

  • HFS+ (older Mac OS)

Support for more disk partition schemes

  • FreeBSD
  • possibly other *BSD
  • AIX

Support for RAID and network filesystems

  • is it possible to assemble and exfiltrate filesystems spanning multiple drives/hosts, based on discovered data?
  • RAID 5/6/...
  • ZFS/btrfs, possibly with encryption support
  • MooseFS, Ceph, GlusterFS etc.

Support for 802.1X

  • look for 802.1X certificate files and passwords
  • try to connect to protected networks
  • postpone executing all other hooks until all drives have been processed

Scripts for half-automated imaging of development versions

  • deploy test server
  • research: how to reliably identify multiple SSD drives of the same model connected to the test server - by serial number, or by some other attribute?
  • script to translate a given serial number or label to the currently assigned device id
  • actual imaging script: dd image (if newer), create 3rd partition (if required), git checkout/pull repositories, chroot, minimal-provisioning, setup

New hooks (if the described functionality turns out to be feasible)

existing hook-wcxftp

  • port the Python 2.x-based code to Python 3

ssh keys

  • scan for ~/.ssh/id_rsa or other ssh private keys (parse ~/.ssh/config)
  • parse .bash_history and .zsh_history for connections using keys
  • try to find frameworks like Ansible and parse their configuration
  • use preconfigured keys from repository
  • finally, try to exfiltrate other machines via ssh:

passwords

  • look for user passwords saved in browsers
  • look for ftp/sftp passwords from other programs
  • look for remote MySQL/Postgres/Mongo/other credentials, to "back up" those databases similarly to sf-backup

others

  • look for Windows password files
  • is it possible to extract SMB share credentials from Windows?
    • how about an AD environment?
    • how about standalone Windows + a Samba server?
    • shares that can be opened without a password, whether or not they are mapped to a drive letter
    • shares mapped to a drive letter using separate credentials

Fixes for known problems

  • properly recognize drive serial numbers behind RAID controllers

From the founder...

Having been in the IT security business for almost 25 years, I have realized that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent once obtained. This becomes more and more difficult as IT systems get more and more complicated - and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges or the outcome of a successful break-in.