Low-tech bypassing DLP software for fun and profit

23 Nov, 2022

Sometimes, you want to share files to and from your work computer, but your company says you can't (via a "very strict" set of security policies and annoying bloatware that inevitably cause much more trouble than they're worth). So, being the bold soul that you are, you decided you want to share files, anyway, because dammit, you know how to do your job, and you refuse to be babysat. Good things.

This whole guide is fairly basic--if you've gotten over the common fear of CLIs, you should be able to follow this pretty easily. If you're a god at hacking, then you can just write your own networking stack from scratch in Visual Basic and leave me alone, because this isn't for you.

Prerequisites

Other than your work computer, you'll need some kind of computer that exists outside your work network. This is the one to which we'll be transferring the files. You can use a VPS or your home machine--neither matters, but you'll need to be able to access it while you use your work computer.

Worst comes to worst, download some SSH client onto your smartphone and buy a cheap $5/mo VPS off of Digital Ocean. That'll be enough.

Things that will break this method:

• Only whitelisted websites are allowed through your network (or you don't have access to the external internet at all)
• Only whitelisted executables can be run on your machine

The first one can be overcome if that computer shares files at all with other computers that can access the WWW, especially because the way that we're doing it will make the original file unrecognizable. With the second one, you actually are potentially not totally toast, according to some cursory web searches, but you're on your own.

Okay cool show me how

Everything is done through Git Bash for Windows, Portable Edition. You must download this program to proceed. Here are a possible few problems:

• "I cannot download *.exe files off the internet" -- then host it on your own server and rename it with an innocuous extension. Or just compress as a tar.gz, since that way Windows Explorer will never have to look at it (or know what it is).
• "I cannot run *.exe files that are not installed by my system admin" -- remove the *.exe extension and just call it from CMD or PowerShell.

Download the desired file. Open a shell into the directory where your downloaded file lives. We'll then encrypt the contents of the file into a new, binary file with this command:

cat desired_file.txt | gpg -c -o innocuous.jpg

It'll prompt you to enter a passphrase, but now you should have a file called innocuous.jpg (note: not actually a JPEG file, actually feel free to use any non-suspicious extension you want). You might also want to set your output to somewhere like %HOME%/AppData/Roaming% or somewhere that scanners don't usually look too closely.

Download wormhole-william from GitHub releases (same advice as with Git Bash applies if *.exe files give you trouble). Put it on your PATH if you want. You'll also want to have it on your target machine. Check out how easy this is; from your host machine, run:

wormhole-william send innocuous.jpg

This should print out a code like:

On the other computer, please run: wormhole receive (or wormhole-william recv)
Wormhole code is: 1-unicorn-clamshell

So we're going to remember that code, and on the target machine, type:

wormhole-william recv 1-unicorn-clamshell

Wait for the transfer bar to fill up and bam, you're done. If this didn't work, it might be because magic-wormhole.io, the website that's used for PAKE authentication (note: it does not actually transfer the file itself, so no man-in-the-middle is possible) is blocked. You can solve this by setting up your own Wormhole relay or using an alternate one.

Worst comes to worst, you could buy your own safe-sounding *.com off of Namecheap and run the relay from there before anybody's the wiser. But most IT departments haven't heard of magic-wormhole, so it's likely they haven't blocked to domain.

Why this works

We avoided all the things that "Insider Threat Protection Software" usually looks for:

• We never touched a file explorer (except to download our file)
• We never explicitly copied or moved the file (just through STDIN, or raw memory)
• We encrypted the new file with our own password, making it unparsable by watchers
• We never touched a web browser for our file upload
• We never even technically performed an HTTP file transfer

So, what does this look like to file system watchers and internal threat protection?

• We downloaded a sensitive file
• We created a new binary file from memory. Looks like: any sort of temporary or cache file, either from MS Word or maybe browsing history from Chrome
• We sent a tiny little request with no sensitive data to magic-wormhole.io (or the relay you set up on your own *.com). Looks like: visiting a normal, safe website.
• Then we used WebSockets to interact with some web content. Looks like: watching a YouTube video or participating in Teams chat. Lots of sites use WebSockets.

The easiest way this could fail

Windows SmartScreen might catch wormhole-william.exe as an "untrusted", and it might be possible for a sysadmin to disable anything from running that isn't SmartScreen verified. However, I've never seen SmartScreen do anything other than ask for the user's permission, so just hit "Run Anyway" and pray to God that your sysadmin doesn't check the SmartScreen logs. Don't worry--they probably don't.

Oh, but don't worry, there are PowerShell scripts out there that bypass SmartScreen, like Invoke-Obfuscation.

So it seems pretty easy to just trick SmartScreen into thinking you're not running an unsigned program, so just use the above or follow one of the many methods listed on the wider internet by searching "bypass SmartScreen".

Disclaimer: I haven't used any SmartScreen bypassers, and cannot vouch for them, but hey, we're all here to have fun, and I trust public and well-starred GitHub repos more than I trust proprietary corpo-ware.