DNS Manipulation

Date: 17, May, 2021

Author: Dhilip Sanjay S

Click Here to go to the TryHackMe room.

Introduction

• Techniques used to exfiltrate and infiltrate data.

• Client machine reaches out to a DNS server to resolve a Fully Qualified Domain Name (FQDN) to an IP address.

• DNS is being used as a Data Exfiltration and Data Infiltration tool via DNS queries.

• DNS Tunneling and how it is used to tunnel different protocols like (HTTP) through DNS.

What is DNS?

• Domain Name System refers to a naming system that resolves domain names with IP addresses.

If you were on Windows, what command could you use to query a txt record for 'youtube.com'?

• Answer: nslookup -type=txt youtube.com

If you were on Linux, what command could you use to query a txt record for 'facebook.com'?

• Answer: dig facebook.com TXT

AAAA stores what type of IP Address along with the hostname?

• Answer: IPv6

Maximum characters for a DNS TXT Record is 256. (Yay/Nay)

• Answer: Nay (It is 255 characters)

What DNS Record provides a domain name in reverse-lookup?

• Answer: PTR

What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2)

• Answer: 2.203.168.192.in-addr.arpa

• Steps to Reproduce:

DNS Exfiltration

• DNS Exfiltration is a cyberattack on servers via the DNS, which can be performed manually or automatically.

  • In a manual scenario, attackers often gain unauthorized physical access to the targeted device to extract data from the environment.

  • In automated DNS exfiltration, attackers use malware to conduct the data exfiltration while inside the compromised network.

• DNS is a service that will usually be available on a target machine and allowing outbound traffic typically over TCP or UDP port 53. This makes DNS a prime candidate for hackers to use for exfiltrating data.

• Data Exfiltration

  • Data exfiltration through DNS could allow an attacker to transfer a large volume of data from the target environment.

  • Moreover, DNS exfiltration is mostly used as a pathway to gather personal information such as social security numbers, intellectual property, or other personally identifiable information.

• How it's done?

  • DNS exfiltration is mostly used by adding strings containing the desired 'loot' to DNS UDP requests.

  • The string containing the loot would then be sent to a rogue DNS server that is logging these requests.

    • To the untrained eye this could look like normal DNS traffic or these requests could be lost in the shuffle of many legit DNS requests.

What is the maximum length of a DNS name?

• Answer: 253 (Length includes dots)

  • This limits how much data we can exfiltrate in a single request!

DNS Exfiltration Practice - Orderlist

• Login into the machine and check the task file in order folder:

• Check all the dns queries:

• The domain name used to EXFILTRATE data: badbaddoma.in

• Run packetyGrabber.py to decode the data in pcap file:

ORDER-ID: 1, What is the Transaction name?

• Answer: Network Equip.

TRANSACTION: Firewall, How much was the Firewall?

• Answer: 2500

DNS Exfiltration Practice - identity

• Check the task file in the identity folder:

Which file contains suspicious DNS queries?

• Answer: cap3.pcap

• Steps to Reproduce:

Enter the plain-text after you have decoded the data using packetyGrabber.py found in ~/dns-exfil-infil/ folder.

• Answer: administrator:s3cre7P@ssword

• Steps to Reproduce:

• The domain name used to EXFILTRATE data: badbaddoma.in

• Run packetyGrabber.py to decode the data in cap3.pcap file:

DNS Infiltration

• DNS infiltration defines the process where malicious code is ran to manipulate DNS servers either using automated systems where attackers connect remotely to the network infrastructure or manually.

• Use case

  • DNS infiltration is primarily used for file dropping or malware staging efforts. With behavioral, signature based, or reputation based threat detection systems it's possible this attack method could be caught.

  • However, if this method of transporting data goes unnoticed it could lead to malicious activity such as code execution in organization's environment. Historically, this has cased havoc and disruption for various well known companies.

• DNS protocol could be used as a covert protocol that could aid in malware staging and execution efforts to communicate back to an attacker's C2 (Command and Control) server/s.

• Demo

DNS Infiltration - Practice

• Check the task file:

Enter the output from the executed python file

• Answer: 4.4.0-186-generic

• Steps to Reproduce:

• Request the TXT Record for code.badbaddoma.in.

• Store the required data in the file using grep and cut.

DNS Tunneling

• Companies will typically have Firewalls, an IDSs (Intrusion Detection Systems) and/or and IPSs (Intrusion Protection Systems) in place in order prevent/alert when unwanted inbound and outbound protocols pass through their network.

• The one protocol that is rarely monitored by companies is DNS. Because of this, hackers are able to bypass a lot of the unwanted protocols by using DNS tunneling.

• Using Iodine

  • iodine - Client

  • iodined - Server

• To learn more about iodine - Click here

References

• DNS Root Servers

• DNS Root Servers - List

• DNS Zone

• Recursive DNS

• DNS Records

• Base 58 Encoding

Tools

• DNS - Exfil - Infil

• Iodine - Tunnel IPv4 data through a DNS server

• Iodine - Github