Arno0x / DNSExfiltrator

Data exfiltration over DNS request covert channel

dnsexfiltrator.py stops at line 156 #1

Closed Tinydile closed 6 years ago

Tinydile commented 6 years ago

Hello, thank you for your fantastic work! I found that sometimes the server dies, and I believe it is because it receives bogus DNS data such as:

[1] DNS requests generated by others
[2] Duplicated DNS records

For example, I saw the following:

# ./dnsexfiltrator.py -d ****** -p ******
[*] DNS server listening on port 53
[+] Received query: [init.RE5TRXhmaWwudHh0fDU.******.net.] - Type: [16]
[+] Receiving file [DNSExfil.txt] as a ZIP file in [5] chunks
[+] Received query: [ns2.******.net.] - Type: [28]
[!] Stopping DNS Server
Traceback (most recent call last):
  File "./dnsexfiltrator.py", line 156, in <module>
    chunkNumber, rawData = msg.split('.',1)
ValueError: need more than 1 value to unpack
# ./dnsexfiltrator.py -d ****** -p ******
[*] DNS server listening on port 53
[+] Received query: [69.nyXdZj07A7zOWKcGeITueGkSvETv4CReY6tVOJLELarJlE4Lcs.******.net.] - Type: [16]
[!] Stopping DNS Server
Traceback (most recent call last):
  File "./dnsexfiltrator.py", line 173, in <module>
    if chunkIndex == nbChunks:
NameError: name 'nbChunks' is not defined

The tcpdump output is here:

09:08:00.560297 IP 54.***.***.196.49148 > 172.***.***.88.53: 464% [1au] AAAA? ns1.******.net. (54)
09:08:00.560314 IP 54.***.***.196.18018 > 172.***.***.88.53: 33279% [1au] AAAA? ns2.******.net. (54)
09:08:00.563451 IP 52.***.***.101.22503 > 172.***.***.88.53: 39347% [1au] AAAA? ns1.******.net. (54)
09:08:00.563464 IP 52.***.***.101.16777 > 172.***.***.88.53: 23126% [1au] AAAA? ns2.******.net. (54)
09:08:00.563546 IP 52.***.***.101.13240 > 172.***.***.88.53: 27581% [1au] TXT? 0.S6GMbKdnhmKG72XDoUUIHNeWeHCAjxYZzICr9YNGDK55zXd-Q6gUwsoTpFBN8Bo.KtcPvGtNqHw3D8CA93Gubwldn2xYZ_IIRqib-qDBcL2uDB43ZBEvLfrQLb2Ll0e.2gsfvaPbZD6XrKVmgI8lfcHC-eAR1mFNSN62LiaF7KRjAE-L3Q6FmeoCu3a56Ji.FIZKR-KMGj1Zttm7NlepW5zURsfU3.******.net. (274)
09:08:00.571530 IP 54.***.***.207.19137 > 172.***.***.88.53: 43369% [1au] AAAA? ns2.******.net. (54)
09:08:00.577745 IP 13.***.***.85.59518 > 172.***.***.88.53: 54284% [1au] TXT? 0.S6GMbKdnhmKG72XDoUUIHNeWeHCAjxYZzICr9YNGDK55zXd-Q6gUwsoTpFBN8Bo.KtcPvGtNqHw3D8CA93Gubwldn2xYZ_IIRqib-qDBcL2uDB43ZBEvLfrQLb2Ll0e.2gsfvaPbZD6XrKVmgI8lfcHC-eAR1mFNSN62LiaF7KRjAE-L3Q6FmeoCu3a56Ji.FIZKR-KMGj1Zttm7NlepW5zURsfU3.******.net. (274)
09:08:00.717056 IP 13.***.***.172.49485 > 172.***.***.88.53: 28854% AAAA? ns2.******.net. (43)
09:08:00.717087 IP 13.***.***.172.64431 > 172.***.***.88.53: 12666% AAAA? ns1.******.net. (43)
^C

In this case, the DNS queries starting with "ns1" and "ns2" seem to trigger the error. So I added the following at line 136:

      if qname.startswith("ns"):
        continue

But it should not be enough ...
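The tcpdump capture above shows what this covert channel looks like on the wire from a defender's side: ordinary AAAA lookups for ns1/ns2 mixed with TXT queries whose subdomain is several 63-byte labels of base64url-looking data. The following script is an added example, not part of the DNSExfiltrator project or of either poster's code. It parses query lines in the tcpdump format shown in the issue, measures subdomain length, label count and character entropy under a monitored zone, and reports queries that trip at least two heuristics. The sample lines are constructed from the patterns in the capture (addresses trimmed, zone replaced by the placeholder example.net), and the thresholds are assumed starting points, not tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample log lines mimicking the tcpdump output in the issue.
# Addresses and the zone (example.net) are placeholders; the long TXT query
# names follow the shape seen in the capture.
SAMPLE_LINES = """\
09:08:00.560297 IP 54.0.0.196.49148 > 172.0.0.88.53: 464% [1au] AAAA? ns1.example.net. (54)
09:08:00.560314 IP 54.0.0.196.18018 > 172.0.0.88.53: 33279% [1au] AAAA? ns2.example.net. (54)
09:08:00.563546 IP 52.0.0.101.13240 > 172.0.0.88.53: 27581% [1au] TXT? 0.S6GMbKdnhmKG72XDoUUIHNeWeHCAjxYZzICr9YNGDK55zXd-Q6gUwsoTpFBN8Bo.KtcPvGtNqHw3D8CA93Gubwldn2xYZ_IIRqib-qDBcL2uDB43ZBEvLfrQLb2Ll0e.2gsfvaPbZD6XrKVmgI8lfcHC-eAR1mFNSN62LiaF7KRjAE-L3Q6FmeoCu3a56Ji.FIZKR-KMGj1Zttm7NlepW5zURsfU3.example.net. (274)
09:08:00.717056 IP 13.0.0.172.49485 > 172.0.0.88.53: 28854% AAAA? ns2.example.net. (43)
09:08:01.001000 IP 10.0.0.5.40000 > 172.0.0.88.53: 1234% [1au] TXT? init.RE5TRXhmaWwudHh0fDU.example.net. (60)
09:08:01.200000 IP 10.0.0.7.40001 > 172.0.0.88.53: 1235% [1au] TXT? _dmarc.example.net. (45)
"""

# One tcpdump "IP src > dst: id<flags> [opts] QTYPE? qname (len)" query line.
# The "[1au]" EDNS marker is optional, as the capture shows both forms.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\S* "
    r"(?:\[[^\]]+\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_query_line(line):
    """Return the fields of a tcpdump DNS query line, or None if it is not one."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def subdomain_labels(qname, zone):
    """Labels left of the monitored zone; [] for the apex, None if outside it."""
    name = qname.rstrip(".")
    zone = zone.rstrip(".")
    if name == zone:
        return []
    if not name.endswith("." + zone):
        return None
    return name[: -(len(zone) + 1)].split(".")


def score_query(q, zone, max_len=60, max_labels=3, entropy_bits=4.0):
    """List the heuristics a query trips; None when it is not under the zone."""
    labels = subdomain_labels(q["qname"], zone)
    if labels is None:
        return None
    sub = ".".join(labels)
    reasons = []
    if q["qtype"] == "TXT":
        reasons.append("TXT qtype")
    if len(sub) >= max_len:
        reasons.append(f"long subdomain ({len(sub)} chars)")
    if len(labels) >= max_labels:
        reasons.append(f"many labels ({len(labels)})")
    h = shannon_entropy(sub)
    if h >= entropy_bits:
        reasons.append(f"high entropy ({h:.2f} bits/char)")
    return reasons


def detect_exfil(log_text, zone, min_reasons=2):
    """Queries under the zone that trip at least min_reasons heuristics."""
    hits = []
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            continue
        reasons = score_query(q, zone)
        if reasons is None or len(reasons) < min_reasons:
            continue
        hits.append({"src": q["src"], "qtype": q["qtype"],
                     "qname": q["qname"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_exfil(SAMPLE_LINES, "example.net"):
        print(f"{hit['src']} {hit['qtype']} {hit['qname'][:40]}... -> {hit['reasons']}")
```

On the sample, the two ns1/ns2 AAAA lookups and the legitimate `_dmarc` TXT query trip at most one heuristic and are ignored, while the chunk query and the `init.` query are reported. Entropy on a short name is a weak signal on its own, which is why a single heuristic never flags anything here; on real resolver logs the zone filter is the important part, since the tool's traffic only ever targets the attacker-controlled zone.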

Arno0x commented 6 years ago

Hi, you are right, the DNS server side expects to receive only requests from the DNSExfiltrator client side with the appropriate type and formatting.

I will add some further verification on the request type before handling it.

Stay tuned.

Arno0x commented 6 years ago

Just pushed a version with type verification prior to handling the request.

Though I admit there should be more checks on the format of the request received, just in case the script receives a TXT request (QType=16) from another client, not properly formatted. I'll do that later, no time today.

Tinydile commented 6 years ago

Hi, thank you for your quick action. Yes, this time it looks like it works well so far. Thanks!