Assume that you want to transfer data from one machine to another machine. If you use public email services, FTP or any other protocols, you will be easily get caught by software implemented like DLP(Data loss prevention). So, here we can Exfiltrate data via monitor pixel color values(Monitor Screen as Convert channel).
Data Exfiltration Scenario: Attacker has windows 10 machine located in India and same machine with VMware console or VNC running with another windows 10 located in united states. Now assume a person from India wants to send data to united states.
Display protocols such as RDP are blocked, such that it is not possible to transfer files.Here we can use Screen Interfaces as Channel for data exfiltration.
Download the PTP RAT HERE
PTP-RAT is a proof-of-concept tool for exfiltrating data over screen interfaces, it encodes data in pixel color values and flashing the remote screen to send the exfiltrated data.Each screen flash starts with a header that allows data theft via the screen.
- Above Figure illustrates the windows 10 located in united states with PTP-RAT is acting as Client to receive data from screen interface.
- The receiver is activated, it is waiting for a reply from PTP server to complete Sampling process with the Nyquist rate.
- Successful completion of sampling process will deliver exfiltrated data via the screen.
NOTE: Nyquist rate is the minimum rate at which a signal can be sampled without introducing errors.
- Above Figure illustrates the India server with PTP-RAT is acting as a server to send data to a PTP-RAT receiver with flashing.
- Click on the “Send file” button, and choose the file you want to send it.
- When the file is sent, your screen will be flashed with a gray screen which denotes sampling signal process started.
- Signal output file (exfiltrated data) will be transferred, a file-save dialog appears on the PTP-RAT receiver, and the file is saved.
NOTE: Flashing with gray screen denotes that sampling of a signal in progress.
Transfer data over screen interfaces
- Above Figure is called as Flashing or Signal Sampling.
- The mouse pointer disappears and the screen begins to flash with a gray screen as the file is transmitted via the pixel color values.
- It shows Confidential Data is exfiltrated with a gray screen.
Saving Exfiltrated Data
- After successfully completing sampling process with the gray screen, a file-save dialog appears on the receiver, and the file is saved.
- We have successfully received a file, GBhackersLogo.png from PTP sender.
PTP-RAT shows extreme bypass to implemented controls ( Hardware & Software Security Appliances).