DNS Tunneling Explained | TryHackMe DNS Data Exfiltration

Motasem Hamdan
3 min read · 2 days ago


We covered the DNS tunneling technique, together with SSH dynamic port forwarding, as they are used to perform DNS data exfiltration. This was part of the TryHackMe DNS Data Exfiltration room.

What is Data Exfiltration

Data Exfiltration is the process of taking an unauthorized copy of sensitive data and moving it from the inside of an organization’s network to the outside. It is important to note that Data Exfiltration is a post-compromise process: the threat actor has already gained access to the network and performed various activities to get their hands on the sensitive data. Data Exfiltration often happens at the last stage of the Cyber Kill Chain model, Actions on Objectives.

Data exfiltration is also used to hide an adversary’s malicious activities and bypass security products. For example, the DNS exfiltration technique can evade security products, such as a firewall.

Sensitive data can be in various types and forms, and it may contain the following:

  • Usernames and passwords or any other authentication information.
  • Bank account details.
  • Business strategic decisions.
  • Cryptographic keys.
  • Employee and personnel information.
  • Project code data.

How to use Data Exfiltration

There are three primary use case scenarios of data exfiltration, including:

  1. Exfiltrating data.
  2. Command and control communications.
  3. Tunneling.

DNS Data Exfiltration

Because DNS is a name-resolution protocol rather than a transport protocol, many organizations do not regularly monitor it. At the same time, DNS is allowed through almost every firewall in any organization’s network. For those reasons, threat actors prefer the DNS protocol for hiding their communications.

The DNS protocol has limitations that need to be taken into consideration, which are as follows:

  • The maximum length of a fully qualified domain name (FQDN), including the dot separators, is 255 characters.
  • A single label (for example, one subdomain component) must not exceed 63 characters (not counting the .com, .net, etc. suffix).

Because of these limitations, only a limited number of characters can be carried in each domain name. A large file, 10 MB for example, may need more than 50000 DNS requests to be transferred completely. That traffic is noisy, and therefore easy to notice and detect.

C2 frameworks use the DNS protocol for communication, for example sending a command execution request and receiving the execution results over DNS. They also use TXT DNS records to run a dropper that downloads extra files onto a victim machine. This section simulates how to execute a bash script over the DNS protocol. We will be using the web interface to add a TXT DNS record to the tunnel.com domain name.

DNS Tunneling

This technique is also known as TCP over DNS, where an attacker encapsulates other protocols, such as HTTP requests, over the DNS protocol using the DNS Data Exfiltration technique. DNS Tunneling establishes a communication channel where data is sent and received continuously.

You can use the iodine tool to create the DNS tunnel by following the steps below:

  1. Update the DNS records and create a new NS record that points to your attack machine.
  2. Run the iodined server on your attack machine.
  3. On the target machine, run the iodine client to establish the connection (note that the client binary is iodine, without the d).
  4. SSH to the attack machine over the newly created network interface to build a proxy over DNS. We will be using the -D argument to create a dynamic port forward.
  5. Once the SSH connection is established, the local IP and local port can be used as a SOCKS proxy in Firefox or ProxyChains.
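The limits, the noise estimate and the TXT-record dropper described above all translate into things a defender can measure. The following example is added here and is not code from the TryHackMe room, iodine or the author; it assumes a simple "time client qtype qname [answer]" log format, a constructed sample log, and threshold values that are assumptions to be tuned against your own baseline. It computes how many queries a file needs under the 255/63-character limits (base32 is assumed as the encoding because DNS names are case-insensitive), then profiles each zone in the log for the two indicators the post mentions: a flood of unique, long, high-entropy subdomains (exfiltration or an iodine-style tunnel) and TXT answers that decode to script content.

```python
import base64
import math
import re
from collections import defaultdict

# Limits quoted in the post.
FQDN_MAX = 255
LABEL_MAX = 63

def payload_bytes_per_query(zone: str) -> int:
    """Bytes that fit in one query name below `zone` with base32-encoded data."""
    avail = FQDN_MAX - len(zone) - 1          # minus the dot before the zone
    chars = 0
    while avail > 0:
        take = min(LABEL_MAX, avail)
        chars += take
        avail -= take + 1                      # each label costs a separating dot
    return chars * 5 // 8                      # 8 base32 characters carry 5 bytes

def queries_for_file(size_bytes: int, zone: str) -> int:
    """Minimum number of queries needed to move size_bytes under zone."""
    return math.ceil(size_bytes / payload_bytes_per_query(zone))

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data scores high, names like 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s.lower():
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def zone_of(qname: str) -> str:
    # Assumption: last two labels are the registered zone (use a public-suffix
    # list in production).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

# Assumed log format: "<time> <client> <qtype> <qname> [<answer>]".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)(?:\s+(.*))?$")

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, answer = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower().rstrip("."), "answer": answer or ""}

SCRIPT_MARKERS = (b"#!/", b"/bin/sh", b"bash", b"curl ", b"wget ", b"powershell")

def txt_payload_is_script(answer: str) -> bool:
    """True when a TXT answer base64-decodes to something that looks like a script."""
    try:
        raw = base64.b64decode(answer.strip().strip('"'), validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    return any(marker in raw for marker in SCRIPT_MARKERS)

def profile(lines):
    """Aggregate per-zone indicators over the log lines."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        zone = zone_of(rec["qname"])
        s = stats.setdefault(zone, {"queries": 0, "subdomains": set(), "label_len": 0,
                                    "entropy": 0.0, "script_txt": 0, "qtypes": defaultdict(int)})
        sub = rec["qname"][:-len(zone) - 1] if rec["qname"] != zone else ""
        first_label = sub.split(".")[0]        # the data-bearing label in a tunnel name
        s["queries"] += 1
        s["qtypes"][rec["qtype"]] += 1
        s["subdomains"].add(sub)
        s["label_len"] += len(first_label)
        s["entropy"] += shannon_entropy(first_label)
        if rec["qtype"] == "TXT" and txt_payload_is_script(rec["answer"]):
            s["script_txt"] += 1
    return stats

def flag_zones(stats, min_queries=5, min_avg_label=20, min_avg_entropy=3.0):
    """Return {zone: [reasons]} for zones that look like tunnels or droppers."""
    flagged = {}
    for zone, s in stats.items():
        n, reasons = s["queries"], []
        if (n >= min_queries and s["label_len"] / n >= min_avg_label
                and s["entropy"] / n >= min_avg_entropy
                and len(s["subdomains"]) >= 0.8 * n):    # almost every name is new
            reasons.append("many unique, long, high-entropy subdomains")
        if s["script_txt"]:
            reasons.append("TXT answer decodes to script content")
        if reasons:
            flagged[zone] = reasons
    return flagged

# Constructed sample log (not real traffic). The TXT payload is a harmless
# base64-encoded script that only exercises the check.
SCRIPT_TXT_B64 = base64.b64encode(b"#!/bin/sh\necho hi\n").decode()
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 A www.example.com 198.51.100.10",
    "10:00:02 10.0.0.5 A mail.example.com 198.51.100.11",
    "10:00:03 10.0.0.5 A www.example.com 198.51.100.10",
    "10:00:04 10.0.0.6 A cdn.example.com 198.51.100.12",
    "10:00:05 10.0.0.6 A api.example.com 198.51.100.13",
    '10:00:06 10.0.0.6 TXT example.com "v=spf1 -all"',
    "10:00:07 10.0.0.7 NULL nbswy3dpeb3w64tmmqqhg5lqnfzgs2dfmjsa3dpob2g.tunnel.example",
    "10:00:07 10.0.0.7 NULL krugkidrovuwg2zamjzg653oebtg66bam5uw4zlomnpw.tunnel.example",
    "10:00:08 10.0.0.7 NULL gezdgnbvgy3tqojqgezdgnbvgy3tqojqkrsxg5bamfzg.tunnel.example",
    "10:00:08 10.0.0.7 A onswg4tfor2gc3tnonsxezlfmnug2zlfmfzgc43t4y3q.tunnel.example",
    "10:00:09 10.0.0.7 A mfrgg2lbnfqwq3ldmvrhkzlfmfwwc3ltnfxgc2lfmvzw.tunnel.example",
    "10:00:09 10.0.0.7 A pfxxk4tfobqxe2lvmvzsa2ldobxw4ylunbsqi33omvug.tunnel.example",
    f'10:00:10 10.0.0.7 TXT cmd.tunnel.example "{SCRIPT_TXT_B64}"',
]

if __name__ == "__main__":
    print(queries_for_file(10 * 1024 * 1024, "tunnel.example"), "queries for a 10 MB file")
    for zone, reasons in flag_zones(profile(SAMPLE_LOG)).items():
        print(zone, "->", "; ".join(reasons))
```

With a 14-character zone the arithmetic gives 148 bytes per query, so a 10 MB file needs about 70850 queries, consistent with the "more than 50000" figure above; the benign example.com names stay below every threshold while the tunnel.example zone is flagged on both counts. In practice the same per-zone counters (unique subdomains, average label length and entropy, and unusual record types such as NULL) are what a DNS resolver or SIEM rule should keep per source host.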

Check out the video below for a detailed explanation.

Room Answers | TryHackMe Data Exfiltration

Room answers can be found here.

Video Walkthrough | TryHackMe DNS Data Exfiltration



Motasem Hamdan

Motasem Hamdan is a cybersecurity consultant and content creator. He is also a marketing expert and growth hacker. https://www.youtube.com/@MotasemHamdan