DNS Exfiltration
DNS exfiltration is a means of getting data off a compromised machine using DNS lookups to hide the data. Using DNS for exfiltration may help circumvent security restrictions or avoid detection.
DNS Exfiltration - Introduction
What is DNS Exfiltration?
An image representing data being exfiltrated from a computer DNS exfiltration can be a means of getting data off a compromised machine without detection
Why use DNS Exfiltration?
DNS exfiltration is a means for an attacker to get data off a compromised machine. There are many ways to exfil data, and we should value simplicity, but the use of DNS has its advantages. For example: some webservers may have a WAF that uses domain whitelisting to allow outgoing HTTP requests from the application only to pre-approved domains. DNS config changes are often at fault when large tech companies suffer downtime (such as the Facebook DNS failure), and sysadmins are rightly reluctant to introduce firewall rules that make DNS less likely to work. This may mean that getting data off a compromised webserver is simply easier with DNS exfil than it is by other means. Outbound DNS lookups may also be less closely monitored than things like SSH logins.
DNS Exfil System Architecture
DNS exfil requires two components: some code executing on the target machine, and a nameserver controlled by the attacker. The basic steps are as follows:
Obtain a Second Level Domain (example.com) for the exfiltration On the registrar, provide an IP address to use as a nameserver for *.example.com Set up a nameserver at that IP address. It should record all DNS lookups to a database Execute code on the target machine that breaks the data down into small chunks the size of subdomains Perform DNS lookups to [exfil-data].example.com The nameserver should then receive all the data via DNS.
Considerations in Encoding Data as Subdomains
Allowed Characters
Perhaps the best choice of allowed characters is to transpose the exfil data to base 36 ([a-z0-9]). A hyphen (-) is allowed in a subdomain, but not as the first symbol, so the attacker should probably avoid using it. Interestingly, the spec now allows Internationalised Domain Names, meaning that special characters are permitted. For the .no TLD, for example, Norwegian characters are valid. .com domains can have Korean, Chinese, and Greek characters. For large data exfiltrations, trading off portability w.r.t. TLD’s for a bigger character set may make sense.
Length
The whole domain name, including the SLD, and inclusive of any dots, can’t go above 253 bytes. The length of any one layer of subdomain must not exceed 63 bytes. Overall, taking 120 bytes of exfil data, transposing it into base 36, then presenting it as 3 * 62-symbol subdomain layers will work for a typical attack.
Transport Layer Considerations
DNS exfiltration happens over UDP. Packets may get dropped. Arranging for the nameserver to respond with a (random) IP address, and using this as an acknowledgement of receiving a lookup, may allow the attacker to augment the transport layer with some kind of retry system, but packets will still get dropped.
Other Data Treatment
Compression may be an attractive option, to minimise the number of ‘packets’ (i.e. domain names) that need to be exfilled. Encryption should also be an important consideration: the exfilled data is being sent ‘in the clear’, and may be sensitive. Sometimes the attacker may not care, but for legitimate red teaming or bug bounty hunting, it is important not to exfil a set of environment variables full of database passwords from a webserver without thinking about encrypting the transport layer. Remember that encryption should be done after compression, if applicable.
Think about encrypting the transport layer, where sensitive data is being exfiltrated
Summary
DNS exfiltration is by no means the simplest or easiest way of exfilling data from a compromised system. But it may provide a solution to evading security restrictions or monitoring that would otherwise be prohibitive. Take a look at my Golang DNS exfil tool on Github, still under construction at time of writing, for an example of DNS exfiltration in Go.