Tutorial: How to exfiltrate or execute files in compromised machines with DNS Complete Guide by Blackhat Pakistan 2023

Today we will learn about How to exfiltrate or execute files in compromised machines with DNS

Culprits are constantly changing their modus operandi and using different strategies and ways to compromise their targets and exfiltrate data from the internal networks, indeed in the most delicate situations. For illustration, TCP business is blocked by dereliction in a network, and the communication between a vicious agent installed on a specific target with its C2 garçon isn’t possible. In those kinds of scripts, using other network protocols like ICPM and DNS could be the perfect vehicle to negotiate the hard task of transferring internal information over the walls.

What is DNS protocol

The DNS protocol is decreasingly being used as a pathway for data exfiltration, indeed by infected bias preliminarily infected by trouble interposers during its vicious conditioning. DNS tunneling involves transferring the network business via DNS harborage 53, which is frequently audited and flagged by network firewalls, indeed coming- generation bones
.

vicious software can use especially drafted requests to take advantage of the DNS protocol and shoot only well- defined gobbets in the middle of a implicit licit DNS business. Figure 1 below shows how the introductory data about a target machine could be transferred between the internal agent and its C2 garçon available on the internet.( CLICK IMAGES TO ENLARGE)

As presented over, the sensitive data can be added at the middle of a request, in raw formate( 1 and 2), or indeed using a hexadecimal encoder( 3), the stylish way to avoid implicit not accepted skivvies
.

In general, the vary of data stolen by culprits may include

• face-to-face identifiable information( PII) similar as introductory details, credit card, social security figures and so on.
• Regulated data related to Payment Industry Data Security Standard( PCI DSS) and Health Insurance Portability and Responsibility Act( HIPAA) compliance.
• Intellectual property gives an association or culprits a competitive advantage.
• Other sensitive information includes nonpublic information, documents, contracts, company financials, payroll information, emails and every critical secret.

Data encryption malware is an excellent system to introduce the subject. As the system used by culprits during the ransomware has changed, now they’re using the stolen data to put the victims on alert, publishing the secrets on dark web forums to force the victims to pay the rescue. culprits exfiltrate the data before cracking all the data.

still, the exfiltration of data from internal networks is frequently seen as a big challenge, as security products block TCP business. At this point, DNS protocol can be abused to communicate with the Internet when TCP gregarious business isn’t possible by dereliction.

Also Read:Contemporary UEFI Bootkits by Blackhat Pakistan 2023

Tutorial DNSStager

DNSStager is an open- source tool used to hide a vicious cargo over DNS, recoup it via multiple DNS records similar as IPv6 and TXT, and fit the full cargo into memory. rather of only carrying data from the internal network, we can produce a strong connection like a C2 garçon to execute 2nd stage loads on the target machine.

In short, DNSStager creates a mischief DNS garçon that resolves fake requests to AAAA and TXT records. These requests are a knob of the cargo( completely decoded and translated) and ready to be used by the DNSStager agent. This tool can induce C or GoLand agents, a configuration defined before starting the laboratory.

Figure 2 shows how DNSStager works and how the garçon resolves a request.

In detail, the “client.exe ” train illustrated in Figure 2 over is the DNSStager agent created and dropped on the target machine. DNSStarger encodes the vicious cargo, resolve it into gobbets, and makes it ready to resolve via the “client.exe ” agent C or GoLand depending on the nature of the asked script).

After entering all the information via DNS protocol and avoiding network walls, the agent will fit the final cargo into the memory and execute the shellcode that implements process/ memory injection ways.

To start this trip, we’re furnishing below the essential way to conduct this laboratory with success.

1. DNSStager installation and execution

To install DNSStager, it’s necessary to clone it first from the official repository using the following command, install it, and execute it.

git clone https://github.com/mhaskar/DNSStagerpip3 install -r requirements.txt apt install mingw-w64 ./dnsstager.py

2. Configuring the DNS server

The first step is pointing the sphere to the DNSStager IP address to resolve and handle any DNS request rightly.

For illustration, controlling a sphere called “mydnsserver.live ”, we can produce a subdomain called “test.mydnsserver.live ” and mademydnsserver.live the “ NS ” – Name Garçon oftest.mydnsserver.live after running DNSStager onmydnsserver.live.

As observed in Figure 4, any request coming to the domain test.mydnsserver.live will be handled by mydnsserver.live, which is the DNSStager instance that we are running.

3. DNSStager options

DNSStarger is equipped with a lot of functionalities.

The “- sphere ” option is used to elect the primary sphere used to handle the DNS requests, in this case, “test.mydnsserver.live ”. also, as a way of bypassing firewalls, the “- prefix ” option can be used to add a prefix as “ cdn ”. Some exemplifications are presented below.

The other options are described below

• – cargo the DNSStager cargo “ agent ” generated.
• – affair Affair path to save DNSStager executable cargo “ agent. ”
• –shellcode_path The raw/ caddy shellcode path.
• – xorkey XOR key to render the cargo with.
• – sleep Used to sleep for N seconds between each DNS request.

In addition, the available loads can be vindicated by using the flag “ – loads ”

4. Generate the payload/agent

DNSStager cipher the cargo using XOR encoder/ encrypter. The XOR key can be specified by using the command “ – xorkey ”.

The complete command can be observed then