We covered the DNS tunneling technique, together with SSH dynamic port forwarding, as they are used to perform DNS data exfiltration. This was part of the TryHackMe DNS Data Exfiltration room.
What is Data Exfiltration
Data exfiltration is the process of taking an unauthorized copy of sensitive data and moving it from inside an organization's network to the outside. It is important to note that data exfiltration is a post-compromise activity: the threat actor has already gained access to the network and performed various activities to get their hands on sensitive data. Data exfiltration often happens at the last stage of the Cyber Kill Chain model, Actions on Objectives.
Data exfiltration channels are also used to hide an adversary's malicious activities and bypass security products. For example, the DNS exfiltration technique can evade security products such as a firewall.
Sensitive data comes in many types and forms; it may include the following:
- Usernames and passwords, or any other authentication information.
- Bank account details.
- Business strategic decisions.
- Cryptographic keys.
- Employee and personnel information.
- Project code data.
How to use Data Exfiltration
There are three primary use-case scenarios for data exfiltration:
- Exfiltrating data.
- Command and control communications.
- Tunneling.
DNS Data Exfiltration
Since DNS is not a transport protocol, many organizations don't regularly monitor it. The DNS protocol is allowed through almost every firewall in any organization's network. For those reasons, threat actors prefer using the DNS protocol to hide their communications.
The DNS protocol has limitations that need to be taken into consideration, which are as follows:
- The maximum length of a fully qualified domain name (FQDN), including the dot separators, is 255 characters.
- A single label (for example, a subdomain name) must not exceed 63 characters (not including .com, .net, etc.).
Because of these limitations, only a limited number of characters can be used to carry data in each domain name. If we have a large file, 10 MB for example, it may need more than 50000 DNS requests to transfer the file completely. The resulting traffic is therefore noisy and easy to notice and detect.
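To make the two limits concrete, here is an added Python example (not part of the room or the original post) that hex-encodes a byte string into labels of at most 63 characters, packs as many labels as fit into a 255-character name under an assumed zone tunnel.com, decodes it again, and computes how many queries a 10 MB file would need. The zone name, chunk sizes and sample payload are assumptions.

```python
import math

MAX_LABEL = 63            # per-label limit quoted in the text
MAX_FQDN = 255            # whole-name limit quoted in the text
LABEL_HEX_CHARS = 62      # even number <= MAX_LABEL so each label carries whole bytes
BYTES_PER_LABEL = LABEL_HEX_CHARS // 2   # 31 raw bytes per label


def labels_per_query(domain: str) -> int:
    """Largest number of full data labels that fit in one name under MAX_FQDN.
    Each label costs LABEL_HEX_CHARS characters plus one separating dot."""
    return (MAX_FQDN - len(domain)) // (LABEL_HEX_CHARS + 1)


def queries_needed(size_bytes: int, domain: str) -> int:
    """Number of DNS queries a file of size_bytes needs under this scheme."""
    return math.ceil(size_bytes / (labels_per_query(domain) * BYTES_PER_LABEL))


def encode_to_names(data: bytes, domain: str) -> list[str]:
    """Hex-encode data into <=63-char labels, then pack labels into <=255-char names."""
    labels = [data[i:i + BYTES_PER_LABEL].hex()
              for i in range(0, len(data), BYTES_PER_LABEL)]
    per_name = labels_per_query(domain)
    return [".".join(labels[i:i + per_name]) + "." + domain
            for i in range(0, len(labels), per_name)]


def decode_from_names(names: list[str], domain: str) -> bytes:
    """Reverse of encode_to_names: strip the zone, split the labels, un-hex them."""
    out = bytearray()
    for name in names:
        if not name.endswith("." + domain):
            raise ValueError(f"unexpected zone in {name}")
        for label in name[:-len(domain) - 1].split("."):
            out += bytes.fromhex(label)
    return bytes(out)


def fits_limits(names: list[str]) -> bool:
    """Check every generated name (textual form, no trailing root dot) against both limits."""
    return all(len(n) <= MAX_FQDN and all(len(l) <= MAX_LABEL for l in n.split("."))
               for n in names)


if __name__ == "__main__":
    sample = b"constructed sample payload " * 40      # constructed 1080-byte payload
    names = encode_to_names(sample, "tunnel.com")
    print(len(names), "queries; first name:", names[0][:80] + "...")
    print("10 MB needs", queries_needed(10 * 1024 * 1024, "tunnel.com"), "queries")
```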
C2 frameworks use the DNS protocol for communication, for example sending a command execution request and receiving the execution results over DNS. They also use the TXT DNS record to run a dropper that downloads extra files onto a victim machine. This section simulates how to execute a bash script over the DNS protocol. We will be using the web interface to add a TXT DNS record to the tunnel.com domain name.
DNS Tunneling
This technique is also known as TCP over DNS: an attacker encapsulates other protocols, such as HTTP requests, inside the DNS protocol using the DNS data exfiltration technique. DNS tunneling establishes a communication channel in which data is sent and received continuously.
You can use the iodine tool to create a DNS tunnel by following the steps below:
- Update the DNS records and create a new NS record pointing to your attack machine.
- Run the iodined server on your attack machine.
- On the target machine, run the iodine client to establish the connection (note that the client binary is iodine, without the trailing d).
- SSH to the machine over the newly created network interface to create a proxy over DNS. We will be using the -D argument to create dynamic port forwarding.
- Once the SSH connection is established, we can use the local IP and local port as a proxy in Firefox or ProxyChains.
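From the defender's side, a tunnel like the one above leaves a recognisable footprint in DNS query logs: a burst of queries to one zone, almost every one carrying a distinct long subdomain, often of an unusual query type. This added Python example (not from the room or the iodine project) scores zones in a constructed query log by those signals; the log format, the thresholds and the sample lines are assumptions.

```python
import hashlib
from collections import defaultdict

# Query types tunnelling tools lean on; ordinary clients rarely request them.
RARE_QTYPES = {"NULL", "TXT", "CNAME"}

# Constructed sample log, one '<client> <qtype> <qname>' per line: a handful of
# ordinary lookups plus a burst of queries carrying hex data under tunnel.com.
NORMAL_LINES = [
    "10.0.0.5 A www.example.com", "10.0.0.5 AAAA www.example.com",
    "10.0.0.7 A mail.example.com", "10.0.0.7 MX example.com",
] * 6
TUNNEL_LINES = [
    f"10.0.0.9 NULL {hashlib.sha256(str(i).encode()).hexdigest()[:60]}.tunnel.com"
    for i in range(40)
]


def zone_of(qname: str) -> str:
    # Approximate the registered zone as the last two labels (a simplification;
    # a production detector would consult the public suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def zone_stats(lines):
    """Per zone: query count, distinct subdomains, longest-label lengths, rare qtypes."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "rare": 0})
    for line in lines:
        _client, qtype, qname = line.lower().split()
        zone = zone_of(qname)
        sub = qname[:-len(zone) - 1] if qname != zone else ""
        s = stats[zone]
        s["queries"] += 1
        s["subs"].add(sub)
        s["lens"].append(max(len(label) for label in sub.split(".")))
        s["rare"] += qtype.upper() in RARE_QTYPES
    return stats


def flag_tunnel_zones(lines, min_queries=20, min_unique_ratio=0.8,
                      min_label_len=30, min_rare_ratio=0.5):
    """Flag zones whose queries are almost all distinct long subdomains, or mostly rare types."""
    flagged = []
    for zone, s in zone_stats(lines).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["subs"]) / s["queries"]
        avg_label = sum(s["lens"]) / len(s["lens"])
        rare_ratio = s["rare"] / s["queries"]
        if (unique_ratio >= min_unique_ratio and avg_label >= min_label_len) \
                or rare_ratio >= min_rare_ratio:
            flagged.append(zone)
    return sorted(flagged)
```

Running flag_tunnel_zones(NORMAL_LINES + TUNNEL_LINES) flags only tunnel.com; the thresholds are starting points to tune against a baseline of your own resolver logs.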
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Data Exfiltration
In which case scenario will sending and receiving traffic continue during the connection?
Tunneling
In which case scenario will sending and receiving traffic be in one direction?
traditional data exfiltration
Exfiltration using TCP sockets relies on ____________ protocols!
non-standard
All packets sent using the Data Exfiltration technique over SSH are encrypted! (T=True/F=False)
T
Check the Apache log file on web.thm.com and get the flag!
THM{H77P-G37-15-f0un6}
When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?
THM{H77p_7unn3l1n9_l1k3_l337}
In which ICMP packet section can we include our data?
Data
Follow the technique discussed in this task to establish a C2 ICMP connection between JumpBox and ICMP-Host. Then execute the “getFlag” command. What is the flag?
THM{g0t-1cmp-p4k3t!}
Once the DNS configuration works fine, resolve the flag.thm.com domain name. What is the IP address?
172.20.0.120
What is the maximum length for the subdomain name (label)?
63
The Fully Qualified FQDN domain name must not exceed ______ characters.
255
Execute the C2 communication over the DNS protocol of the flag.tunnel.com. What is the flag?
THM{C-tw0-C0mmun1c4t10ns-0v3r-DN5}
When the iodine connection to the attacker is established, run the ifconfig command. How many interfaces are there (including the loopback interface)?
4
What is the network interface name created by iodined?
dns0
Use the DNS tunneling to prove your access to the webserver, http://192.168.0.100/test.php . What is the flag?
THM{DN5-Tunn311n9-1s-c00l
Video Walkthrough | TryHackMe DNS Data Exfiltration