Low-tech bypassing DLP software for fun and profit
Sometimes, you want to share files to and from your work computer, but your company says you can't (via a "very strict" set of security policies and annoying bloatware that inevitably cause much more trouble than they're worth). So, being the bold soul that you are, you decided you want to share files, anyway, because dammit, you know how to do your job, and you refuse to be babysat. Good things.
This whole guide is fairly basic--if you've gotten over the common fear of CLIs, you should be able to follow this pretty easily. If you're a god at hacking, then you can just write your own networking stack from scratch in Visual Basic and leave me alone, because this isn't for you.
Prerequisites
Other than your work computer, you'll need some kind of computer that exists outside your work network. This is the one to which we'll be transferring the files. You can use a VPS or your home machine--neither matters, but you'll need to be able to access it while you use your work computer.
Worst comes to worst, download some SSH client onto your smartphone and buy a cheap $5/mo VPS off of Digital Ocean. That'll be enough.
Things that will break this method:
- Only whitelisted websites are allowed through your network (or you don't have access to the external internet at all)
- Only whitelisted executables can be run on your machine
The first one can be overcome if that computer shares files at all with other computers that can access the WWW, especially because the way that we're doing it will make the original file unrecognizable. With the second one, you actually are potentially not totally toast, according to some cursory web searches, but you're on your own.
Okay cool show me how
Everything is done through Git Bash for Windows, Portable Edition. You must download this program to proceed. Here are a possible few problems:
- "I cannot download
*.exe
files off the internet" -- then host it on your own server and rename it with an innocuous extension. Or just compress as atar.gz
, since that way Windows Explorer will never have to look at it (or know what it is). - "I cannot run
*.exe
files that are not installed by my system admin" -- remove the*.exe
extension and just call it from CMD or PowerShell.
Download the desired file. Open a shell into the directory where your downloaded file lives. We'll then encrypt the contents of the file into a new, binary file with this command:
cat desired_file.txt | gpg -c -o innocuous.jpg
It'll prompt you to enter a passphrase, but now you should have a file called innocuous.jpg
(note: not actually a JPEG file, actually feel free to use any non-suspicious extension you want). You might also want to set your output to somewhere like %HOME%/AppData/Roaming%
or somewhere that scanners don't usually look too closely.
Download wormhole-william
from GitHub releases (same advice as with Git Bash applies if *.exe
files give you trouble). Put it on your PATH if you want. You'll also want to have it on your target machine. Check out how easy this is; from your host machine, run:
wormhole-william send innocuous.jpg
This should print out a code like:
On the other computer, please run: wormhole receive (or wormhole-william recv)
Wormhole code is: 1-unicorn-clamshell
So we're going to remember that code, and on the target machine, type:
wormhole-william recv 1-unicorn-clamshell
Wait for the transfer bar to fill up and bam, you're done. If this didn't work, it might be because magic-wormhole.io
, the website that's used for PAKE authentication (note: it does not actually transfer the file itself, so no man-in-the-middle is possible) is blocked. You can solve this by setting up your own Wormhole relay or using an alternate one.
Worst comes to worst, you could buy your own safe-sounding *.com
off of Namecheap and run the relay from there before anybody's the wiser. But most IT departments haven't heard of magic-wormhole
, so it's likely they haven't blocked to domain.
Why this works
We avoided all the things that "Insider Threat Protection Software" usually looks for:
- We never touched a file explorer (except to download our file)
- We never explicitly copied or moved the file (just through STDIN, or raw memory)
- We encrypted the new file with our own password, making it unparsable by watchers
- We never touched a web browser for our file upload
- We never even technically performed an HTTP file transfer
So, what does this look like to file system watchers and internal threat protection?
- We downloaded a sensitive file
- We created a new binary file from memory. Looks like: any sort of temporary or cache file, either from MS Word or maybe browsing history from Chrome
- We sent a tiny little request with no sensitive data to
magic-wormhole.io
(or the relay you set up on your own*.com
). Looks like: visiting a normal, safe website. - Then we used WebSockets to interact with some web content. Looks like: watching a YouTube video or participating in Teams chat. Lots of sites use WebSockets.
The easiest way this could fail
Windows SmartScreen might catch wormhole-william.exe
as an "untrusted", and it might be possible for a sysadmin to disable anything from running that isn't SmartScreen verified. However, I've never seen SmartScreen do anything other than ask for the user's permission, so just hit "Run Anyway" and pray to God that your sysadmin doesn't check the SmartScreen logs. Don't worry--they probably don't.
Oh, but don't worry, there are PowerShell scripts out there that bypass SmartScreen, like Invoke-Obfuscation.
So it seems pretty easy to just trick SmartScreen into thinking you're not running an unsigned program, so just use the above or follow one of the many methods listed on the wider internet by searching "bypass SmartScreen".
Disclaimer: I haven't used any SmartScreen bypassers, and cannot vouch for them, but hey, we're all here to have fun, and I trust public and well-starred GitHub repos more than I trust proprietary corpo-ware.