Data exfiltration tool PTP-RAT encodes data in pixel colour values

How to exfiltrate data from a machine that doesn’t have file transfer capabilities or whose Remote Desktop Protocol (RDP) connection has been locked down, making it impossible to send files?

PenTestPartners consultant Alan Monie has a solution: PTP-RAT (aka The Rat).

About PTP-RAT

PTP-RAT is a proof-of-concept tool for exfiltrating data over screen interfaces, and it does so by encoding the data meant for exfiltration in pixel color values and flashing the remote screen.

This small (12k when zipped), easily uploadable application has to be installed on the target computer (as sender) and on the receiving, remote computer (as receiver).

Sending a file is easy: just click on the “Send file” button, and choose the file you want to send. The screen begins to flash as the file is transmitted via the pixel colour values, and the receiver app starts taking screenshots at twice the transmission frequency.

“Each screen flash starts with a header. This contains a magic string, “PTP-RAT-CHUNK” followed by a sequence number,” Monie explained. “When [the receiver] detects a valid header, it decodes the pixel colour information and waits on the next flash. As soon as a valid header is not detected, it reconstructs all the flashes and saves the result to a file.”

The process is demonstrated in this video:

The tool’s limitations

Monie discovered that the RDP protocol slightly changes the colour values, destroying the encoded data. But, if he limits the encoding to 3 bits per pixel (1 bit for each RGB value in the pixel), no loss of data will be experience.

This choice was implemented in the tool, and allowed him to exfiltrate a 3MB file in a few seconds. Exfiltration of larger files will, naturally, take more time.