Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

First stage - choosing hardware platform, installing OS

Before you start installing anything, you need to choose the best hardware platform for your particular needs - this choice determines both possible operating systems, and installation method:

Raspberry Pi - Raspbian or Ubuntu?

Choosing Raspberry Pi platform, you have to choose between Raspbian and Ubuntu. Differences:

  • Raspbian (32-bit only) - it's a clone of Debian, heavily modified for Raspberry Pi, with lots of additional tools, preconfigured to work in graphical mode
  • Raspberry Pi OS (64-bit Raspbian) - rather stay away from this version (as for December 2021) because of many small problems waiting to be fixed
  • Ubuntu 20.04 for Raspberry Pi - available in both 32-bit and 64-bit versions, only for Raspberry Pi 4 - its potential advantage is better compatibility with standard Ubuntu Server, and newer software versions (comparing to Debian/Raspbian)

32-bit or 64-bit OS?

If your chosen hardware has 3 GB RAM or less, we advise that you choose 32-bit version (if you have 32-bit and 64-bit version to choose). Also, if you choosed specialized hardware like Raspberry Pi, it is better to use a specialized distribution (eg. Raspbian), with dedicated kernel version and additional userland tools, than generic Ubuntu for ARM.

Kali Linux - full installation or Live USB Persistence mode?

If you choose Kali Linux, you have 2 options:

  1. Download install image for your chosen hardware architecture, and install it as primary OS on your computer.

  2. Download live image and do everything just like in stage 2 of Drive Badger installation:

    • write it to USB drive
    • create the third, encrypted persistent partition on that drive
    • each time boot the computer from this drive in Live USB Encrypted Persistence mode

The second option gives you additional capabilities: Kali Linux works exactly the same as it would be installed on your computer, allowing also to encrypt the target partition (which is not possible on Raspberry Pi). On the other hand, booting Kali Linux in this mode (even without encryption) requires having a screen and keyboard, to manually choose 4th or 5th option at each boot. So this mode is suitable mainly for laptops.

Second stage - installing and configuring Mobile Badger

Basic installation

Boot into your new Linux, make sure that you have working Internet connection, open the terminal, execute sudo su - to become root, and execute:

apt update
apt install git
git clone /opt/drivebadger
git clone /opt/drivebadger/external/compat
git clone /opt/drivebadger/external/ext-veracrypt
git clone /opt/drivebadger/config/ignore-known

Configuring and installing functional extensions

The above set of 4 repositories is a bare minimum - enough to run the exfiltration process, but not enough to achieve optimal performance, handle encrypted drives or network shares. Now you need to clone all chosen configuration repositories and hooks into respectively /opt/drivebadger/config and /opt/drivebadger/hooks directories:

Drive encryption keys

Mobile Badger supports 4 most important drive encryption methods: Apple FileVault, Bitlocker, LUKS and VeraCrypt. Of course, decryption is possible only when you obtained and installed encryption keys (either assigned to drives, or not).

For security reasons, in most cases you should keep your encryption keys in a private repository. See how to install private repositories.

Filesystem injectors

While Mobile Badger's main functionality is data exfiltration, it is also able to make changes to the copied filesystem: create files or directories, write data into them, rename, delete etc. This feature is called filesystem injection and is done by "injectors". See injectors-playground repository for example scripts.

After you create your own injector repositories, you need to clone them into /opt/drivebadger/injectors directory.

Arming the device

Make sure that you cloned everything that you want to use. Then open the terminal, execute sudo su - to become root, and execute:

cd /opt/drivebadger/setup/mobile && ./

This will "arm" your computer by enabling custom systemd rules that intercept events of plugging in USB devices.

Example install script

You can find the example install script here - just remember, that it's an example, not a complete script.

From the founder...

Being in IT security business for almost 25 years, I realized, that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent, once obtained. This becomes more and more difficult, as IT systems get more and more complicated - and this is exactly the goal of Drive Badger project: to give non-ITSEC people the ability to keep either the privileges, or the outcome of the successful break-in.