We covered the DNS tunneling technique, along with SSH dynamic port forwarding, as used to perform DNS data exfiltration. This was part of the TryHackMe DNS Data Exfiltration room.
What is Data Exfiltration
Data Exfiltration is the process of taking an unauthorized copy of sensitive data and moving it from the inside of an organization’s network to the outside. It is important to note that Data Exfiltration is a post-compromise process: the threat actor has already gained access to the network and performed various activities to get their hands on sensitive data. Data Exfiltration often happens at the last stage of the Cyber Kill Chain model, Actions on Objectives.
Data exfiltration is also used to hide an adversary’s malicious activities and bypass security products. For example, the DNS exfiltration technique can evade security products, such as a firewall.
Sensitive data can be in various types and forms, and it may contain the following:
- Usernames and passwords or any authentication information.
- Bank account details.
- Business strategic decisions.
- Cryptographic keys.
- Employee and personnel information.
- Project code data.
How to use Data Exfiltration
There are three primary use case scenarios for data exfiltration:
- Exfiltrating data.
- Command and control communications.
- Tunneling.
DNS Data Exfiltration
Since DNS is not a transport protocol, many organizations don’t regularly monitor the DNS protocol! DNS is also allowed through almost all firewalls in any organization’s network. For those reasons, threat actors prefer using the DNS protocol to hide their communications.
The DNS protocol has limitations that need to be taken into consideration, which are as follows:
- The maximum length of a fully qualified domain name (FQDN), including the dot separators, is 255 characters.
- A single label (subdomain name) must not exceed 63 characters (not including .com, .net, etc.).
Because of these limits, only a limited number of characters can be carried in each domain name. A large file, 10 MB for example, may need more than 50000 DNS requests to transfer completely. The resulting traffic is therefore noisy and easy to notice and detect.
C2 frameworks use the DNS protocol for communication, for example sending a command execution request and receiving the execution results over DNS. They also use TXT DNS records to deliver a dropper that downloads extra files onto a victim machine. This section simulates executing a bash script over the DNS protocol; we use the web interface to add a TXT record to the tunnel.com domain name.
Practical Setup:
- The setup involves creating a DNS tunnel between an attacker machine (server) and a victim machine (client).
- Tools: iodine is used for both the server and client configurations, with iodined running on the server to initiate the tunnel.
- Steps:
  - The attacker configures iodined on the server side with specific options for the DNS name and IP.
  - The victim machine runs iodine to connect to the server, establishing the DNS tunnel.
Data Transfer and Network Access:
- Once the tunnel is up, dynamic port forwarding via SSH is set up from the attacker machine, allowing access to network resources within the victim’s network through the tunnel.
Commands for Network Access:
- The video demonstrates using curl or proxy tools to access internal network resources from the attacker machine, with curl configured for SOCKS5 on port 1080.
Security and Verification:
- Network Interfaces: Checking interfaces with ifconfig shows dns0, the new interface created by iodine on the victim.
- Challenge Verification: The task on TryHackMe involves accessing a test page via DNS tunneling to confirm successful access, with flag retrieval verifying the task completion.
DNS Tunneling
This technique is also known as TCP over DNS: the attacker encapsulates other protocols, such as HTTP requests, inside the DNS protocol using the DNS data exfiltration technique. DNS tunneling establishes a communication channel where data is sent and received continuously.
You can use the iodine tool to create DNS tunneling communications by following these steps:
- Update the DNS records and create a new NS record that points to your attack machine.
- Run the iodined server on your attack machine.
- On the target machine, run the iodine client to establish the connection (note that on the client side we use iodine, without the d).
- SSH to the machine over the created network interface to create a proxy over DNS, using the -D argument for dynamic port forwarding.
- Once the SSH connection is established, use the local IP and local port as a proxy in Firefox or ProxyChains.
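A defender-side check that ties together the label limits above and the iodine tunnel just described: the added example below (not from the room or the video) scans constructed resolver log lines for the traffic shape a DNS tunnel produces, many distinct near-63-character labels under one domain carried in NULL/TXT queries. The log format, the thresholds and the tunnel.com sample names are assumptions.

```python
from collections import defaultdict

# Constructed sample of resolver query-log lines (not from the original page),
# one "<client_ip> <qtype> <qname>" per line. The 10.0.0.7 entries imitate a
# DNS tunnel: encoded-data first labels close to the 63-character label limit,
# all different, carried in NULL/TXT queries under a single domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 NULL gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy3t.tunnel.com
10.0.0.7 NULL mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpiydcmrtgq2tmnzwgq3t.tunnel.com
10.0.0.7 NULL ifbegrcbiffa2gzcbfuvm2lbmrstgzbnmnqtcnrqgqzdsnjymvrwgnjrmq3t.tunnel.com
10.0.0.7 TXT gezdgnbvgy3tqojqgezdgnbvgy3tqojq.tunnel.com
10.0.0.5 A mail.example.com
"""

RARE_QTYPES = {"NULL", "TXT"}  # record types that can carry large tunnel payloads

def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text):
    """Aggregate per-domain tunnelling indicators: query count, distinct first
    labels, total first-label length and number of NULL/TXT queries."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "len_sum": 0, "rare": 0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        first = qname.split(".")[0]
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["labels"].add(first)  # a tunnel never repeats a label (defeats resolver caching)
        s["len_sum"] += len(first)
        s["rare"] += qtype in RARE_QTYPES
    return stats

def suspicious_domains(log_text, min_queries=3, max_avg_len=40, max_rare_ratio=0.5):
    """Domains whose query pattern looks like a tunnel: long, never-repeating
    first labels or mostly NULL/TXT record types, over at least min_queries."""
    flagged = []
    for domain, s in analyze(log_text).items():
        if s["queries"] < min_queries:
            continue
        avg_len = s["len_sum"] / s["queries"]
        all_unique = len(s["labels"]) == s["queries"]
        rare_ratio = s["rare"] / s["queries"]
        if (all_unique and avg_len > max_avg_len) or rare_ratio > max_rare_ratio:
            flagged.append(domain)
    return sorted(flagged)
```

On the sample, only tunnel.com is flagged; in production the thresholds should be tuned against a baseline of the resolver's normal traffic, since CDNs and some security products also generate long, unique labels.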
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Data Exfiltration
In which case scenario will sending and receiving traffic continue during the connection?
Tunneling
In which case scenario will sending and receiving traffic be in one direction?
traditional data exfiltration
Exfiltration using TCP sockets relies on ____________ protocols!
non-standard
All packets sent using the Data Exfiltration technique over SSH are encrypted! (T=True/F=False)
T
Check the Apache log file on web.thm.com and get the flag!
THM{H77P-G37-15-f0un6}
When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?
THM{H77p_7unn3l1n9_l1k3_l337}
In which ICMP packet section can we include our data?
Data
Follow the technique discussed in this task to establish a C2 ICMP connection between JumpBox and ICMP-Host. Then execute the “getFlag” command. What is the flag?
THM{g0t-1cmp-p4k3t!}
Once the DNS configuration works fine, resolve the flag.thm.com domain name. What is the IP address?
172.20.0.120
What is the maximum length for the subdomain name (label)?
63
The Fully Qualified FQDN domain name must not exceed ______ characters.
255
Execute the C2 communication over the DNS protocol of the flag.tunnel.com. What is the flag?
THM{C-tw0-C0mmun1c4t10ns-0v3r-DN5}
When the iodine connection is established to the Attacker, run the ifconfig command. How many interfaces are there? (including the loopback interface)
4
What is the network interface name created by iodined?
dns0
Use DNS tunneling to prove your access to the webserver, http://192.168.0.100/test.php. What is the flag?
THM{DN5-Tunn311n9-1s-c00l
Video Walkthrough | TryHackMe DNS Data Exfiltration