Dfex

DNS File EXfiltration

Data exfiltration is a common post-exploitation technique, and DNS is one of the protocols most commonly allowed through firewalls. We take the opportunity to build a unique protocol for transferring files across the network.

Existing tools have some limitations, and NG firewalls are getting a bit "smarter", so we have been obliged to explore new combinations of tactics to bypass them, using the good old-fashioned "HIPS" (Hidden In Plain Sight) tricks to push files out.


Installation

Client

apt-get install -y virtualenv python3 python3-pip git
git clone https://github.com/secdev/scapy
cd scapy
sudo python setup.py install && cd .. && sudo rm -rf scapy
virtualenv -p python3 dfex-client
cd dfex-client
source ./bin/activate
git clone https://github.com/ekiojp/dfex
cd dfex
pip3 install -r requirements_client.txt

Server

apt-get install -y virtualenv python3 python3-pip git
git clone https://github.com/secdev/scapy
cd scapy
sudo python setup.py install && cd .. && sudo rm -rf scapy
virtualenv -p python3 dfex-server
cd dfex-server
source ./bin/activate
git clone https://github.com/ekiojp/dfex
cd dfex
pip3 install -r requirements_server.txt

Usage

Client

Server


Presentations

Video

HITB GSEC (Aug 2019)

Slides

BSides Tokyo (Oct 2019)
HITB GSEC (Aug 2019) or HITB GSEC (Aug 2019)


ToDo

  • DDFEX - Distributed DNS File Exfiltration
  • Make the code nicer

Disclaimer

The tool is provided for educational, research or testing purposes.
Using this tool against network/systems without prior permission is illegal.
The author is not liable for any damages from misuse of this tool, techniques or code.


Author

Emilio / @ekio_jp


Licence

Please see LICENSE.

Open Source Agenda is not affiliated with "Dfex" Project. README Source: ekiojp/dfex
License
MIT
