DNS Exfiltration with Dnsmasq; easy as 1, 2, 3!

I realized that I needed a server for DNS exfiltration, so I finally set one up.

For those unfamiliar with the topic, DNS exfiltration is handy for blind SQL injection, bypassing captive portals, and general network exfiltration.

DNS Record

First, I set up an NS record for a subdomain on my host. This lets my host act as the authoritative name server for any requests to that subdomain. For example, in this case, ANYTHING.d.r4y.pw would be resolved by 138.197.195.10.

DNS Exfiltration - Nameserver

Dnsmasq Installation

Once I completed the record, and after it propagated out, I installed Dnsmasq on my public server.

root@r4y-01:~# apt-get install dnsmasq

Dnsmasq Configuration

After I finished installing Dnsmasq, I configured it to listen on my public IP and return that same IP for any query made to the server. This configuration lets me make a request to my newly configured name server and get back a proper IP address. Additionally, I configured query logging, since the log is where the data actually comes out.

root@r4y-01:~# tail -5 /etc/dnsmasq.conf

listen-address=138.197.195.10
address=/#/138.197.195.10
log-queries
log-facility=/var/log/dnsmasq.log

Testing

Finally, after I had everything set up and configured, it was time to test the server.

To do so, I pinged a fake subdomain, and got a proper response back.

DNS Exfiltration - Ping

Once I completed the ping, I checked the Dnsmasq logs to make sure that the server had logged the “data”.

root@r4y-01:~# tail -f /var/log/dnsmasq.log
Feb 28 20:24:39 dnsmasq[5606]: Ignoring query from non-local network
Feb 28 20:25:48 dnsmasq[5458]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Feb 28 20:25:48 dnsmasq[5458]: exiting on receipt of SIGTERM
Feb 28 20:25:49 dnsmasq[5744]: started, version 2.75 cachesize 150
Feb 28 20:25:49 dnsmasq[5744]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Feb 28 20:25:49 dnsmasq[5744]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Feb 28 20:25:49 dnsmasq[5744]: read /etc/hosts - 8 addresses
Feb 28 20:25:49 dnsmasq[5744]: reading /var/run/dnsmasq/resolv.conf
Feb 28 20:25:49 dnsmasq[5744]: using nameserver 8.8.8.8#53
Feb 28 20:25:49 dnsmasq[5744]: using nameserver 8.8.4.4#53
Feb 28 20:27:40 dnsmasq[5744]: query[A] aaa.d.r4y.pw from 24.93.71.201
Feb 28 20:27:40 dnsmasq[5744]: config aaa.d.r4y.pw is 138.197.195.10

Conclusion

This was far easier to set up than I had previously imagined, and now I'm looking to take it even further.

Some of my next steps will be to add a service that will allow me to easily get data out. This will parse the log files, pull out the extracted data, and put it in a dashboard of sorts for me to access easily.
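As an added example (not the author's code or the dashboard described above), here is a small Python parser for the dnsmasq `log-queries` format shown earlier. It pulls the labels below the exfil zone out of `query[A]` lines, groups them per client, hex-decodes labels that are valid hex, and, for a defender reading the same kind of log on a resolver, flags labels long enough to look like encoded chunks. The hex-encoded query line in the sample log is constructed; the other lines are from the log above.

```python
import re
from collections import defaultdict

# dnsmasq "log-queries" lines look like:  query[A] aaa.d.r4y.pw from 24.93.71.201
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: lines from the page plus one hex-encoded label
# ("Hello world") and one unrelated query that must be ignored.
SAMPLE_LOG = """\
Feb 28 20:25:49 dnsmasq[5744]: using nameserver 8.8.8.8#53
Feb 28 20:27:40 dnsmasq[5744]: query[A] aaa.d.r4y.pw from 24.93.71.201
Feb 28 20:27:40 dnsmasq[5744]: config aaa.d.r4y.pw is 138.197.195.10
Feb 28 20:28:02 dnsmasq[5744]: query[A] 48656c6c6f20776f726c64.d.r4y.pw from 24.93.71.201
Feb 28 20:28:03 dnsmasq[5744]: query[A] www.example.com from 127.0.0.1
"""

def parse_queries(log_text, zone):
    """Return (ts, qtype, labels, client) for every query under `zone`.
    `labels` are the labels below the zone: aaa.bbb.d.r4y.pw -> ['aaa', 'bbb']."""
    suffix = "." + zone.lower().strip(".")
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # startup lines, "config ... is ..." answers, etc.
        name = m.group("name").lower().rstrip(".")
        if not name.endswith(suffix):
            continue  # ordinary forwarded query, not our zone
        labels = name[: -len(suffix)].split(".")
        found.append((m.group("ts"), m.group("qtype"), labels, m.group("client")))
    return found

def decode_label(label):
    """Decode a label as hex-encoded UTF-8 if it is valid hex, else keep it as-is."""
    try:
        return bytes.fromhex(label).decode("utf-8")
    except ValueError:  # odd length, non-hex chars, or not valid UTF-8
        return label

def payloads_by_client(log_text, zone):
    """Per client IP, the decoded payload of each query, in log order."""
    grouped = defaultdict(list)
    for _ts, _qtype, labels, client in parse_queries(log_text, zone):
        grouped[client].append("".join(decode_label(l) for l in labels))
    return dict(grouped)

def flag_long_labels(log_text, zone, max_len=16):
    """Defender-side check: queries whose longest label exceeds max_len.
    Real hostnames rarely do; encoded data chunks usually do."""
    return [(client, ".".join(labels))
            for _ts, _qtype, labels, client in parse_queries(log_text, zone)
            if max(map(len, labels)) > max_len]
```

Point `parse_queries` at the contents of /var/log/dnsmasq.log with the zone from `address=/d.r4y.pw/...` to get the same grouping on a live log.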

Also, note that my original dnsmasq.conf file was slightly broken: the `address=/#/` wildcard answered every query locally, which prevented my server from making any DNS requests of its own. I realized this once I was unable to hit any of my servers for an apt-get update/upgrade :P. The updated file (which only answers the exfil zone itself and forwards all other requests to Google's resolvers) is below.

listen-address=138.197.195.10
listen-address=127.0.0.1
address=/d.r4y.pw/138.197.195.10
server=/#/8.8.8.8
server=/#/8.8.4.4
no-resolv
log-queries
log-facility=/var/log/dnsmasq.log
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.
