• Stars
    star
    397
  • Rank 108,561 (Top 3 %)
  • Language
    Go
  • License
    MIT License
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Surreptitiously exfiltrate data from the browser over DNS

browsertunnel

CircleCI

Browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser's debugging tools, is not blocked by a page's Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios.

It's an old techniqueโ€”DNS tunneling itself dates back to the '90s, and Patrick Vananti wrote about using dns-prefetch for it in 2016, but as far as I can tell, browsertunnel is the first open source, production-ready client/server demonstrating its use. Because dns-prefetch does not return any data back to client javascript, communication through browsertunnel is only unidirectional. Additionally, some browsers disable dns-prefetch by default, and in those cases, browsertunnel will silently fail.

The project comes in two parts:

  1. A server, written in golang, functions as an authoritative DNS server which collects and decodes messages sent by browsertunnel.
  2. A small javascript library, found in the html/ folder, encodes and sends messages from the client side.

How it works

Browsertunnel can send arbitrary strings over DNS by encoding the string in a subdomain, which is forwarded to the browsertunnel server when the browser attempts to recursively resolve the domain.

Longer messages that cannot fit in one domain (253 bytes) are automatically split into multiple queries, which are reassembled and decoded by the server.

Setup and usage

First, set up DNS records to delegate a subdomain to your server. For example, if your server's IP is 192.0.2.123 and you want to tunnel through the subdomain t1.example.com, then your DNS configuration will look like this:

t1		IN	NS	t1ns.example.com.
t1ns		IN	A	192.0.2.123

On your server, install browsertunnel using go get. Alternatively, compile browsertunnel on your own machine, and copy the binary to your server.

go get github.com/veggiedefender/browsertunnel

Next, run browsertunnel, specifying the subdomain you want to tunnel through.

browsertunnel t1.example.com

For full usage, run browsertunnel -help:

$ browsertunnel -help
Usage of browsertunnel:
  -deletionInterval int
    	seconds in between checks for expired messages (default 5)
  -expiration int
    	seconds an incomplete message is retained before it is deleted (default 60)
  -maxMessageSize int
    	maximum encoded size (in bytes) of a message (default 5000)
  -port int
    	port to run on (default 53)

For more detailed descriptions and rationale for these parameters, you may also consult the godoc.

Finally, test out your tunnel! You can use my demo page here or clone this repo and load html/index.html locally. If everything works, you should be able to see messages logged to stdout.

For real-world applications of this project, you may want to fork and tweak the code as you see fit. Some inspiration:

  • Write messages to a database instead of printing them to stdout
  • Transpile or rewrite the client code to work with older browsers
  • Make the ID portion of the domain larger or smaller, depending on the amount of traffic you get, and ID collisions you expect
  • Authenticate and encrypt messages for secrecy and tamper-resistance (remember that DNS is a plaintext protocol)

More Repositories

1

torrent-client

Tiny BitTorrent client written in Go
Go
1,606
star
2

open-and-shut

Type in Morse code by repeatedly slamming your laptop shut
Shell
939
star
3

typing

An experimental interactive README experience!
Go
152
star
4

sounds

Turn images into sounds viewable on a spectrogram!
Processing
110
star
5

pyc-secret-lab

Python
62
star
6

projectordino

Play the Chrome T-Rex game by physically jumping
JavaScript
54
star
7

hn-friends

Highlight and tag your friends on Hacker News
JavaScript
44
star
8

marveloptics_malware

Deobfuscated + reverse engineered javascript malware
JavaScript
28
star
9

tty-countdown

TTY countdown timer inspired by tty-clock
Python
19
star
10

chrome-filesystem-timing

Detecting incognito mode by timing the Chrome FileSystem API
HTML
11
star
11

terminal-waifu

http://jse.li/terminal-waifu/
CSS
10
star
12

http-server

A minimal HTTP server implemented from scratch using Python sockets and threads
Python
9
star
13

dns

toy recursive DNS resolver that does its own parsing and socket communication, just for fun
Python
8
star
14

flag-dvd

HTML
6
star
15

lhp

LHP Hypertext Preprocessor - A Cloudflare Worker that lets you embed Lua code on a web page as if it were PHP
C
5
star
16

miraculousladybot

Logs tumblr fanfictions to a psql database and generates fanfictions using markov chains
Python
5
star
17

arXiv_dump

Download all arXiv papers
Shell
5
star
18

luks_backdoor

Places a backdoor on a Luks encrypted partition via an unprotected initramfs
Shell
5
star
19

omen

Markov chain library
Python
5
star
20

s-h-a-n-p-e-s

S H A N P E S
JavaScript
4
star
21

terminal-twilight-zone

Play "You've just crossed over into the twilight zone" upon entering a git repository.
Shell
4
star
22

wordle-reverse

Draw pictures using the squares in Wordle.
HTML
4
star
23

ohio

๐Ÿ™ˆ
Python
3
star
24

electron-store-encryption

Breaking electron-store's encryption
JavaScript
3
star
25

dotfiles

i3 config
Shell
3
star
26

tictactoe-powerpoint

Play tic-tac-toe in PowerPoint
Python
3
star
27

notebooks

Jupyter Notebook
2
star
28

rgb

ruth gader binsburg
HTML
1
star
29

speedy

https://jse.li/speedy/
JavaScript
1
star
30

data-structures

Homework code for a data structures course
Java
1
star
31

protohackers

Go
1
star
32

dear_zack

an open letter to my brother
HTML
1
star
33

projectorface

this code is not great
Python
1
star
34

strange-autoblog

Posts to a blog after each TF2 session detailing the number of kills you got on a strange weapon
Python
1
star