Exfiltrate Files with DNS Queries (16s.us)
44 points by 16s 1543 days ago | 26 comments

Dan Kaminsky a couple of years ago did a talk about this, as well as using DNS to cache files...


Exfiltrating using DNS, or VPN over DNS and the various other techniques are not new.

They do show how difficult it is to police data from leaving ones network.

This is an actual working example, not theory on how to do it. IMO, that's what makes it significant. Lots of people talk about how this can be done; few show actual working examples (with source code) that others can re-create on their networks.

Sorry to rain on your parade, but Dan Kaminsky additionally wrote an implementation called ozymandns in 2005 or so:


I use it when I need an ssh or web connection in extremely hostile environments that only allow free DNS queries out, like some planes, buses, establishments, etc.

There are also links to other implementations here: http://en.cship.org/wiki/OzymanDNS

Those examples tunnel traffic over DNS. They do not specifically break large files up into small chunks and exfiltrate them off of a secure network with simple DNS queries.

Sure, yes. All those examples (ozyman, iodine, etc.) tunnel arbitrary traffic over DNS, whereas yours is more traffic-efficient in essentially being a static file server via DNS, I suppose?

Tunneling traffic over DNS is breaking up files (data) into chunks (packets) and exfiltrating off of a network through DNS.

Don't get me wrong, it's nice to see a simple example like yours, but projects like http://code.kryo.se/iodine/ do essentially (from an abstract perspective) the same thing.


  scp localfile user@tunnelhost:/some/place
does that. The sample is cool, I really like digging into that stuff. But it's not really different from ozyman/iodine.

Would this work after caching? I suppose you could hash the data so the "hostnames" are different each time, forcing an auth lookup.

It encodes a 4-byte sequence number in the base64 glop before the 8-byte chunk of data, so all of the DNS labels generated for a file should be unique.

This seems to use base64. DNS is case insensitive, so really it should use base32 or some other encoding scheme. However, DNS is usually case preserving, so it will likely work.

Unless the recursive nameserver in use happens to implement this hack for improved security: http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

Supported in Unbound with `use-caps-for-id` http://www.unbound.net/documentation/unbound.conf.html

I love unbound.

There's a comment in the source code about b64:

    # If you don't like non-valid characters in the hostname,
    # then use hex encoding rather than base64

So far, I've not encountered a failure using b64 encoding. But that could be an issue. And as you say, other encodings could be used if that does prove to be a problem.

Don't just get files, use DNS for Command and Control too.


After I wrote that blog post, I also added the ability to tunnel traffic through Beacon when it's checking in several times each second. Recently, I added the ability for it to download a large file, a piece at a time, with each checkin. The size of the piece depends on the data channel (DNS vs. HTTP). It's all encrypted too.

- http://blog.strategiccyber.com/2013/06/20/thatll-never-work-...

- http://blog.strategiccyber.com/2013/07/09/hacking-through-a-...

Cobalt Strike is a commercial tool, so it better include the bells and whistles. The OP does a good job of showing code that anyone can play with, right now.

Dan Kaminsky's BlackHat presentations on OzymanDNS are excellent as well.

I really like your blog post and your ideas.

With new versions of BIND 10 allowing Python scripting, PowerDNS with Lua scripting and Unbound with Python, I think we'll start seeing more corps controlling DNS queries (or attempting to do so) with whitelists/blacklists, but for the time being, things are mostly wide-open.

The author of sqlmap added DNS exfiltration for blind SQL injection last year. Really creative technique (DNS stack doubled the size of sqlmap code-base).

Paper: http://arxiv.org/pdf/1303.3047.pdf

Slides: http://www.slideshare.net/stamparm/dns-exfiltration-using-sq...

8 bytes at a time.

Wouldn't that mean 100's, 1000's or 10's of thousands of requests for nonsensical subdomains of the same domain name (and that domain name is probably a silly one if you got it recently for 10 bucks)?

This is not anomalous DNS traffic? My imagination just does not stretch this far. If the title was just "Transfer a file via DNS", maybe I could play along.

I think nstx preceded iodine.

Here's another one no one has mentioned yet:


What I'd really like to see is an implementation of lcamtuf's old, pre-cloud/dropbox idea: daemon caches, specifically recursive DNS caches, as free, (temporary) distributed storage. Anyone can store data for free on 100's of 1000's of networked computers worldwide, otherwise known as recursive DNS caches. Currently we only store "domain names" on these servers, but as the OP shows, it's possible to encode more information into requests than just domain names.

Imagine if the encoded data was an image. With most recursive DNS servers, the data expires upon the TTL expiry. Snapchat via DNS.

This is a hack of mine that stores files in public DNS caches. It's a horrible hack and slow, but it does work.


Some caches, like dnscache (and thus OpenDNS), may not respond to non-recursive queries. Would this break your dns_peek function?

Correct, it requires the cache to respond to queries with the recursion bit disabled.

It will also probably behave in "interesting" ways when run against a resolver that's on an anycast IP and doesn't synchronize.

    "When/if the network security team figures this out and 
    blocks it, I'll demonstrate a few other ways in which data 
    can be exfiltrated."
I loved this line.

He mentions blocking there, but given the technique, could forensics show that this has been used? For example, could some future whistleblower for a national security agency (ours or anyone else's for that matter) use this to exfiltrate files without risk of discovery after the fact?

Could an organization like wikileaks or the guardian use this as a technique for whistleblowers to leak files safely?

In a well-monitored environment, it should draw attention and cause them to investigate the internal host making the queries.
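One way a monitoring team could spot the pattern discussed in this thread (one host issuing many distinct, long, mixed-case labels under a single zone, as the 4-byte-sequence-plus-8-byte-chunk base64 scheme produces), written as an added detection example that is not part of the original post or of any tool mentioned here. The log format, the host addresses and every query line are constructed for the example, and the "last two labels = zone" split is an assumption a real tool would replace with the public suffix list.

```python
import re
from collections import defaultdict

# Constructed sample of a simplified resolver query log: "timestamp client qname qtype".
# The labels under exfil-example.test are made-up 16-character base64-looking chunks.
SAMPLE_LOG = """\
2013-09-01T10:00:01 10.0.0.5 www.example.com A
2013-09-01T10:00:02 10.0.0.5 AAAAAUhlbGxvIHdv.exfil-example.test A
2013-09-01T10:00:02 10.0.0.5 AAAAAnJsZCwgdGhp.exfil-example.test A
2013-09-01T10:00:02 10.0.0.5 AAAAA3MgaXMgYSB0.exfil-example.test A
2013-09-01T10:00:03 10.0.0.5 AAAABGVzdCBmaWxl.exfil-example.test A
2013-09-01T10:00:03 10.0.0.5 AAAABS4gVGhlIGVu.exfil-example.test A
2013-09-01T10:00:04 10.0.0.7 mail.example.com MX
2013-09-01T10:00:05 10.0.0.7 www.example.com A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (client, qname) or None if the line does not match the constructed format."""
    m = LINE_RE.match(line.strip())
    return (m.group(2), m.group(3).rstrip(".")) if m else None

def split_qname(qname):
    """(subdomain, zone) with zone = last two labels (assumed simplification); subdomain keeps its case."""
    parts = qname.split(".")
    if len(parts) <= 2:
        return "", qname.lower()
    return ".".join(parts[:-2]), ".".join(parts[-2:]).lower()

def summarize(lines):
    """Per (client, zone): distinct subdomains, query count, total label length, mixed-case labels."""
    stats = defaultdict(lambda: {"unique": set(), "total": 0, "len_sum": 0, "mixed": 0})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        sub, zone = split_qname(parsed[1])
        s = stats[(parsed[0], zone)]
        s["unique"].add(sub)
        s["total"] += 1
        s["len_sum"] += len(sub)
        # base64 labels need both cases; ordinary hostnames are almost always one case
        s["mixed"] += int(sub != sub.lower() and sub != sub.upper())
    return stats

def flag_exfil(lines, min_unique=5, min_avg_len=12):
    """Flag (client, zone) pairs whose subdomains look like chunked data rather than hostnames."""
    hits = []
    for (client, zone), s in summarize(lines).items():
        if len(s["unique"]) >= min_unique and s["len_sum"] / s["total"] >= min_avg_len:
            hits.append((client, zone, len(s["unique"]), s["mixed"]))
    return sorted(hits)
```

The mixed-case count is reported as a supporting signal rather than a hard condition, because a resolver doing dns0x20 case randomisation, or an encoder switched to hex or base32, changes that property while the volume and label-length pattern remain.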

People have been doing covert channels over DNS in the wild since <2001. Fast forward 12 years, and this is the new 'my first socket app'.

There was a related talk [1] at USENIX 2013 in which this (quite old, I might add) method of information exfiltration was analyzed.

Bottom line: amateurs get caught.

[1] https://www.usenix.org/conference/usenixsecurity13/practical...

Could gifsockets be used to exfiltrate a file as well?

