Exfiltrating Data Using DNS

I have been learning more about exfiltrating data using DNS requests at ine.com


After connecting to the lab machine, my first job was to find sensitive data. I used tree c:\ /f | more to look through the directories. The first thing I saw was a directory called sensitive with a .txt file called credentials inside it. I had a look at this using the type command (after trying cat as I'm so used to Linux!) 




I now needed to find a way to exfiltrate this data and bypass any egress filtering. I started by checking if any common ports were allowed for outbound connections. To do this, I used sudo python3 -m http.server 8080



I then used the browser on the target machine to try to connect to my simple HTTP server. I tried this using ports 80, 8080, 443 and 8443. I discovered that only port 8080 was allowed to access the public internet.



Next, I wanted to see if DNS lookups could be made from the target machine. To do this, I first of all had to reconfigure the DNS server on the target machine to be my attacking machine.




I then opened Wireshark on my attacking machine and filtered it for DNS traffic before performing an nslookup command on the target machine.


The DNS record requests which showed up in Wireshark let me know that DNS lookups were indeed permitted from the target machine. I therefore set up another Python3 http.server on port 8080 and served Packet Whisper to the target machine. I started a Wireshark capture on my attacking machine. I then ran Packet Whisper on the target machine and after using the default ciphers I transferred the data back to my attacking machine using DNS lookups.




The transfer completed successfully! I next saved the Wireshark capture as a .pcap file and decrypted it. The exfiltration had been successful!



The final part of the challenge was to find a way to automate the process of finding other ports which might be open and therefore available for use as a means to exfiltrate data from the target machine. To do this, I used the egresscheck-framework Python program from Github.



I used a Python3 http.server to serve the above Powershell script to the target machine using the .bat file it had been saved in. I then started a Wireshark capture on my attacking machine and executed the .bat file as an administrator on the target machine. I looked through the Wireshark capture once the Powershell script had ended and found a connection from port 9000.


I enjoyed learning more about data exfiltration using DNS lookups as it is a sneaky way to bypass egress filtering! :-)

Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more