/dns-exfilnspector

Automagically decode DNS Exfiltration queries to convert Blind RCE into proper RCE via Burp Collaborator

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

DNS-Exfilnspector

Automagically decode DNS Exfiltration queries to convert Blind RCE into proper RCE via Burp Collaborator

Requirements:

Burp Suite Professional Edition
Jython 2.7.3

How to install:

Install in Burp Suite

Reason this exists:

I was on an engagement where I couldn't send large payloads but I could upload a file and run it with some arguments but again, I was very restricted on length. I found a DNS exfiltrator tool, but I had to constantly change the Collaborator link or I had to manually copy and paste the DNS responses and decode them. I tried using the Collabfiltrator plugin but again, I encountered the same issues and it wasn't universally applicable enough for my needs. So I made my own universal DNS decoder.

Usage:

By default, the decoding is done from Base64. On the left side of the output box, you can choose the words that you are using to replace the Base64 special characters in your DNS exfiltration. By default, as it was tested with Ivan Šincek DNS Exfiltration tool, it will use eqls, slash and plus. image

You can also check the box at the top if you are doing DNS Exfiltration via HEX encoding. For testing with HEX DNS Exfiltration I have developed this tool:

At the click of a button, you can generate a Burp Collaborator link:
image

You also have a button to copy that link to your clipboard. After sending the payload to the Collaborator, the listener stops when it no longer detects interactions with the Collaborator and decodes the output and displays it automatically. Then the listener starts back up. This allows you to reuse the same Burp Collaborator link as many times as you want:

image

You can switch back and forth between Base64 and Hex while using the same Burp Collaborator link and it even supports receiving and decoding multiple lines. If like me, you forget to switch between encodings, it fails the decoding and reminds you to check.
image

I checked the box for base64 and reissued the command to exfiltrate and we get the output properly and automatically decoded:
image

If, at the end, you want to save the Raw or Decoded output, you have buttons on the right side to do so.
image

Clicking on the button opens a window for you to choose where to save the output, in what file and after you open said file, you'll see each RAW output on a new line, in the order they were received.
image

In the same fashion, you can save your Decoded output at the end of your session to store it locally:
image

Clicking on the Stop Listener button stops the Burp Collaborator from listening, but if you want to continue and use the same link, you can click on Continue Collaborator or if you wish to generate a new link, you can click on Get New Collaborator Link:
image

The Clear Output button is self explanatory helping you to clear the output box:
image

Special Thanks for inspiration to the creators of Collabfiltrator