Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I realized that I needed a server for DNS exfiltration, so I finally set one up.
For those of unfamiliar with the topic, DNS Exfiltration is handy for blind SQL injection, bypassing captive portals, and general network exfiltration.
DNS Record
First, I setup a name server for a subdomain on my host. This would allow my host to act as the authoritative name server for any requests to that subdomain. For example, in this case, ANYTHING.d.r4y.pw would be resolved by 138.197.195.10.
Dnsmasq Installation
Once I completed the record, and after it propagated out, I installed Dnsmasq on my public server.
root@r4y-01:~# apt-get install Dnsmasq
Dnsmasq Configuration
After I finished installing Dnsmasq, I configured it to listen on my public IP, and return that same IP for any queries made to the server. This configuration would allow me to make a request to my newly configured name server, and get back a proper IP address. Additionally, I configured logging so that I could actually get the data out.
root@r4y-01:~# tail -5 /etc/dnsmasq.conf listen-address=138.197.195.10 address=/#/138.197.195.10 log-queries log-facility=/var/log/dnsmasq.log
Testing
Finally, after I had everything setup and configured, it was time to test the server.
To do so, I pinged a fake subdomain, and got a proper response back.
Once I completed the ping, I checked the Dnsmasq logs to make sure that the server had logged the “data”.
root@r4y-01:~# tail -f /var/log/dnsmasq.log Feb 28 20:24:39 dnsmasq[5606]: Ignoring query from non-local network Feb 28 20:25:48 dnsmasq[5458]: no servers found in /var/run/dnsmasq/resolv.conf, will retry Feb 28 20:25:48 dnsmasq[5458]: exiting on receipt of SIGTERM Feb 28 20:25:49 dnsmasq[5744]: started, version 2.75 cachesize 150 Feb 28 20:25:49 dnsmasq[5744]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify Feb 28 20:25:49 dnsmasq[5744]: no servers found in /var/run/dnsmasq/resolv.conf, will retry Feb 28 20:25:49 dnsmasq[5744]: read /etc/hosts - 8 addresses Feb 28 20:25:49 dnsmasq[5744]: reading /var/run/dnsmasq/resolv.conf Feb 28 20:25:49 dnsmasq[5744]: using nameserver 8.8.8.8#53 Feb 28 20:25:49 dnsmasq[5744]: using nameserver 8.8.4.4#53 Feb 28 20:27:40 dnsmasq[5744]: query[A] aaa.d.r4y.pw from 24.93.71.201 Feb 28 20:27:40 dnsmasq[5744]: config aaa.d.r4y.pw is 138.197.195.10
Conclusion
This was far easier to setup than I had previously imagined, and now I’m looking to take it even further.
Some of my next steps will be to add a service that will allow me to easily get out data. This will parse the log files, get the extracted data, and put them in a dashboard of sorts for me to easily access it.
Also, note that my original dnsmasq.conf file was slightly broken, and prevented my server from making any DNS requests of its own. I realized this once I was unable to hit any of my servers for an apt-get update/upgrade :P. The updated file (with DNS forwarding to non exfil related requests) is below.
listen-address=138.197.195.10 listen-address=127.0.0.1 address=/d.r4y.pw/138.197.195.10 server=/#/8.8.8.8 server=/#/8.8.4.4 no-resolv log-queries log-facility=/var/log/dnsmasq.log
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
