I was largely drawn to the subject of data exfiltration over DNS after some recent exposure in my professional and personal life. Firstly, while working in security I noticed DNS requests padded with junk characters. Although these requests were blocked, I found it quite puzzling and never forgot. Fast forward by several months after observing my first suspicious DNS query similar to that of what we see in DNS data exfiltration. I decided to take the eJPT "e-learn Junior Penetration Tester" exam and encountered a practice lab regarding data exfiltration with DNS. This was an ah-haa moment(Light bulb) as I was working my way through the lab.

The mitre model defines exfiltration as follows; exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Put it in context

Usually in these situations there is a compromised device, whether a user clicked a phishing link that downloaded malware, or the bad actor exploited a vulnerability to gain a reverse shell. Regardless, as a part of the kill chain cycle the attacker will desire to maintain access to the compromised system while flying under the security radar avoiding detection from SIEMS, and DFIR analysts down the road. Quite often a command and control server is involved that receives and sends instructions. It goes without saying that to send C&C instructions in plain sight will most likely compromise an attackers activity. As a result crafty methods have developed and deployed to avoid these detections while transmitting instructions.

This is where DNS comes in, as it is the perfect candidate for establishing a tunnel that contains data by which it can pass through those perimeter and network security devices. This is done In order to establish a successful DNS tunnel to an external device. The attacker must be the owner of an active domain. The malware or bad actor will send DNS query's to the malicious domain. From here. those DNS requests are logged under syslogs and parsed from there with tools like packet whisperer and wireshark.

Modern and traditional DNS exfiltration methods

A traditional DNS exfiltration attack will simply involve the data being exfiltrated in plain text, or encoded with Base 64 encoding, while betting everything on DNS cache updating being disabled otherwise the process will not work. The problem here is that many SIEM tools have been adapted to detected these types of attacks, especially base 64 encoding pattterns. So the modern attacker has to adapt and evolve their strategy in order to bypass modern counter measures.

These types of attacks have evolved in many ways. Firstly, the prefix to the root domain will often have random characters appended to every request, to avoid DNS cache poisoning worries. Secondly, tools like cloakify are being used to break down data into small random strings before transmission, to make detection difficult for DFIR analysts and SIEM tools to detect. Finally, is the lack of reliance on end point connections during these attacks, which will be stateless.

Here is a chart to show what the typical DNS based exfiltration looks like.

These charts were provided by the talk at DefCon 26 by the author of packet whisperer.

Example case:

In this case, I am on a remote computer and want to transmit credentials.txt file over DNS.

The first step is to fire up PacketWhisper and select option 1 to transmit a file via DNS.

From here we select the desired file and can see that our file is cloaked using cloakify to obfuscate the file and stores it in tempFQDNlist.txt.

Here is where the now cloaked data is being temporarily stored.

Next we pick a transfer mode, and we will pick random subdomain FQDNs as this avoids DNS caching that can break our exfiltration process.

Lastly we pick our cipher

We are presented with an example of what the cloaked file looks like.

We then select a time delay between DNS queries, and following this the broadcast starts and we see several requests have timed out. This is because we do not actually have a live domain for our callbacks, and I have just pointed the DNS server of the target machine to our machine running Wireshark over the VPN.

Filtering for DNS traffic in Wireshark, quickly lights up our board with those same cloaked strings we were provided during the setup phase.

From here we simply save the pcap and use Packetwhisperer to decode the .pcap and easy peesy lemon squeezy.

Tools

I wanted to note some of the more common tools surrounding not only DNS data exfiltration but DNS tunneling. This is analogous to SSHUTTLE to tunnel TCP over SSH.

• Packet Whisperer - PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.

• Cloakify - CloakifyFactory & the Cloakify Toolset - Data Exfiltration & Infiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Defeat Data Whitelisting Controls; Evade AV Detection. Text-based steganography using lists. Convert any file type (e.g. executables, Office, Zip, images) into a list of everyday strings. Very simple tools, powerful concept, limited only by your imagination.

• DNSExfiltrator - DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.