A DNS exfil tool, for smuggling data from a compromised machine using outgoing DNS lookups, with data hidden in the subdomains.
This project is still under construction and is not yet feature complete.
DNS exfiltration is where data is sent from a compromised machine to a nameserver controlled by the attacker. The data is hidden in subdomains, and sent out via DNS lookups. This may evade detection where DNS lookups are not monitored.
```
 COMPROMISED                                            ATTACKER'S
   MACHINE                                              NAMESERVER

                    DNS lookup: where is
 ___________       "[hidden-data].example.com"?        __________
| DNS Exfil | ------------------------------------->  |   DNS    |
|   Tool    |                                         | Receiver |
|___________| <-------------------------------------  |__________|
                  IP address                               |
                                                      exfiltrated
                                                      hidden data
                                                           |
                                                           v
                                                        .----.
                                                       (      )
                                                       |'----'|
                                                       |      |
                                                       |  DB  |
                                                       (      )
                                                        '----'
```
This project consists of two parts:
- DNS Exfil Tool - a small binary for turning data into fully qualified domain names (FQDNs) and sending DNS lookups
- DNS Receiver - a tool that pretends to be a nameserver, receives exfiltrated data, and decodes/reassembles it
You will need a cloud server to install the DNS Receiver. Start running the nameserver. Register a domain name for your nameserver (such as `nameserver.com`), then register a domain name for exfiltration (such as `example.com`). You will need to tell the registrar that `nameserver.com` is the nameserver for `*.example.com` domains. The nameserver will then receive DNS lookups from any machine asking for `[hidden-data].example.com`. Your `dns_receiver` binary will receive these requests and log the hidden data. The `det` binary sends them, and should be installed on the target machine.
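The same `[hidden-data].example.com` lookups that the receiver logs are also visible to any resolver on the compromised machine's network, which is where a defender would look for them. The following is an added detection example, not part of this project's code: it scans a constructed resolver log (format `<client-ip> <qname>`, one query per line, with thresholds chosen as illustrative assumptions) and flags clients that issue many distinct lookups whose longest label is both unusually long and high-entropy.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs ("<client-ip> <qname>" per line).
# The long hex labels mimic data smuggled in subdomains; the rest is normal traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.example.com
10.0.0.9 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d.example.com
10.0.0.9 f0e1d2c3b4a5968778695a4b3c2d1e0f.example.com
10.0.0.9 0123456789abcdef0123456789abcdef.example.com
10.0.0.5 cdn.static.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded payload labels score well above hostnames."""
    n = len(label)
    if n == 0:
        return 0.0
    probs = (label.count(ch) / n for ch in set(label))
    return -sum(p * math.log2(p) for p in probs)

def split_qname(qname: str):
    """Return (subdomain part, registered domain), assuming a two-label apex
    such as example.com (public-suffix handling is out of scope here)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_suspects(log_text: str, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Flag (client, domain) pairs with at least min_unique distinct lookups whose
    longest label is both long and high-entropy. Returns {pair: count}."""
    seen = defaultdict(set)  # (client, domain) -> distinct suspicious subdomains
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        sub, domain = split_qname(qname)
        longest = max(sub.split("."), key=len) if sub else ""
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            seen[(client, domain)].add(sub)
    return {pair: len(subs) for pair, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for (client, domain), count in find_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {count} distinct high-entropy subdomains")
```

In the sample only `10.0.0.9` querying `example.com` is reported; real deployments should tune the thresholds per environment, since CDN and anti-spam hostnames can also produce long labels.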
To build the DNS Receiver:

- `cp ./cmd/dnsreceiver/config/.env.example ./cmd/dnsreceiver/config/.env`
- Manually edit `./cmd/dnsreceiver/config/.env` to your needs
- `make build-dnsreceiver`

To build the DNS exfil tool:

- `cp ./cmd/dnsexfiltool/config/config.ini.example ./cmd/dnsexfiltool/config/config.ini`
- Manually edit `./cmd/dnsexfiltool/config/config.ini` to your needs
- `make build-dnsexfiltool`

Your binaries will end up in `./bin/`.
The DNS Receiver is dependent on a `.env` file like the one in `./dns_receiver/config/.env.example`. You may override these settings with environment variables on the server, which take precedence.

For the DNS Exfil Tool, however, you will need to set the `./dns_exfil_tool/config/config.toml` file, which will be included in the binary at compile time. You do not need the ability to copy your config file onto the target machine. You do not need the ability to set environment variables on the target machine. You only need to get the binary itself onto the target machine and cause it to execute. For this convenience, the trade-off is that recompiling the binary is the only way to change its configuration.
This is the main command for running the nameserver/listener that will receive DNS lookups. It is here that the exfiltrated data will be received.

After building as per the `README.md` file in the project root, you can test the nameserver by doing the following:

```
sudo ./dns_receiver/bin/dnsreceiver --config "./dns_receiver/config/.env"
```

Your binary must be run with sudo if you set the DNS port number to 53 (or anything below 1000). In another tab:

```
dig @127.0.0.1 -p 9953 example.com
```

Ensure you are sending to the port number you configured. You should see the correct IP address returned to you.
You can run the tests with this command:

```
make test
```

Build everything with:

```
make build
```