DNS for Out-of-Band Exfiltration

August 11, 2020

by Dennis

_______________

This is a somewhat advanced topic for a first post, but it is something recent for me and relevant at any level of cybersecurity. It is also something I struggled with immensely, despite its apparent simplicity.

Let’s break this down

This post covers how to configure DNS so that requests for a subdomain you choose are forwarded to a server you control, letting you see the full name that some other host queried. Data can then be hidden in the hostname labels of the query instead of an actual hostname. This is useful for exfiltrating data from an environment, because DNS is very often permitted outbound even under very strict security rules.

Some Stuff Not Covered

This post will not cover setting up your cloud VPS (virtual private server); that generally takes a couple of clicks on your cloud provider of choice and is well documented elsewhere.

You will also need a domain name purchased from a name registrar to work with. I used Namecheap.

Let’s Start

First things first. You have a server. It doesn't matter what is on it, but we want the internet to be able to find it, so first we need to associate a name with the IP address of that server.

Go to your dashboard in Namecheap and click on manage next to the domain name you want to use.


Create an A Record for Your Server

Click on Advanced DNS, then add the following A record. In this example, ns is the hostname (the name of one specific server or resource with an IP address), followed by the rest of the domain name, giving ns.potato.monster. In the "value" field, set the IP address of your VPS.


Create an NS Record for Your Subdomain

Next, we want to configure an NS record. For our purposes, we care about two fields in the NS record: the host field specifies a subdomain whose DNS resolution is to be handled by the server named in the "value" field. In the value field, put the name of your DNS server, in my case ns.potato.monster.


In the "host" field, you can put whatever subdomain you want. For example, if I put "fried", any DNS request for a host under fried.potato.monster will be referred to ns.potato.monster. So if you try to ping tasty.fried.potato.monster, Namecheap's DNS server will hand the request off to ns.potato.monster to figure out.

Listen for Requests

That should be all the DNS setup necessary. Now I will SSH into my server and listen on port 53 using tcpdump. We specify -X to get a hex and ASCII dump of the data contained in the packets we pick up.

sudo tcpdump -X 'udp dst port 53'

With the listener up, I will try pinging knockknock.fried.potato.monster and see if we get anything.


You should see a DNS request (but it won't resolve, because you are running tcpdump, not an actual DNS server). If not, check your firewall, recheck your DNS records, and see if you can ping your nameserver directly.
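To make the delegation step and the tcpdump step above concrete, here is an added Python example (not from the original post) that encodes a DNS query the way a client puts it on the wire, walks the length-prefixed labels that tcpdump -X shows you to recover the queried name, applies the post's delegation (fried.potato.monster handled by ns.potato.monster), and, from a defender's seat, flags the long or high-entropy labels that data-carrying queries produce. The delegation table, the TEST-NET placeholder standing in for the VPS address, and the thresholds are assumptions made for the example.

```python
import math
import struct
from collections import Counter
from typing import Optional

# Constructed records mirroring the post (assumed values, not real servers).
# NS record: fried.potato.monster is handled by ns.potato.monster.
# A record:  ns.potato.monster -> placeholder TEST-NET-1 address.
DELEGATIONS = {"fried.potato.monster": "ns.potato.monster"}
A_RECORDS = {"ns.potato.monster": "192.0.2.10"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (header + question) as it appears on the wire.

    Header: ID, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0.
    Question: each label as <len><bytes>, a 0x00 terminator, then QTYPE A, QCLASS IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 label limit
            raise ValueError(f"label length out of range: {label!r}")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", 1, 1)
    return header + question


def parse_qname(packet: bytes) -> str:
    """Walk the labels after the 12-byte header and return the QNAME.

    This is the part of the tcpdump -X hex dump where hidden data would sit.
    Only the uncompressed form used in a question section is handled; a
    compression pointer (top two bits set) is rejected rather than followed.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question section")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def delegated_to(qname: str) -> Optional[str]:
    """Return the nameserver a referral for qname would hand the query to.

    The parent zone picks the most specific delegated suffix, as the post
    describes: anything under fried.potato.monster goes to ns.potato.monster.
    """
    name = qname.lower().rstrip(".")
    best = None
    for zone, ns in DELEGATIONS.items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns)
    return best[1] if best else None


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base32 payloads score high."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_like_exfil(qname: str, zone: str,
                     max_label: int = 30, min_entropy: float = 3.5) -> bool:
    """Defender heuristic (assumed thresholds): long or high-entropy labels
    under a delegated zone are the signature of data riding in the name."""
    name = qname.lower().rstrip(".")
    if not (name == zone or name.endswith("." + zone)):
        return False
    prefix = name[: -len(zone) - 1]
    labels = [lab for lab in prefix.split(".") if lab]
    return any(len(lab) > max_label or shannon_entropy(lab) >= min_entropy
               for lab in labels)


if __name__ == "__main__":
    wire = build_query("knockknock.fried.potato.monster")
    name = parse_qname(wire)
    ns = delegated_to(name)
    print(f"{name} -> referred to {ns} ({A_RECORDS.get(ns)})")
    print("suspicious:", looks_like_exfil(name, "fried.potato.monster"))
```

The parser refuses compression pointers on purpose: a legitimate question section never contains one, and following pointers blindly is a classic source of parser loops. The heuristic is deliberately simple; in a real detection pipeline you would also count queries per source and per zone over time, since a single short label proves nothing.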

Cheers!

What’s Next?

In the future, we will explore some concrete uses of this configuration to actually exfiltrate data. Something I have wanted to test is a tool called Iodine, which lets you browse the web with just the data returned in the subdomain of the DNS request.

We can also look at setting up a DNS server for the root of your domain, instead of for a subdomain like fried.potato.monster.

