I realized that I needed a server for DNS exfiltration, so I finally set one up.
For those of unfamiliar with the topic, DNS Exfiltration is handy for blind SQL injection, bypassing captive portals, and general network exfiltration.
First, I setup a name server for a subdomain on my host. This would allow my host to act as the authoritative name server for any requests to that subdomain. For example, in this case, ANYTHING.d.r4y.pw would be resolved by 220.127.116.11.
Once I completed the record, and after it propagated out, I installed Dnsmasq on my public server.
root@r4y-ubuntu-512mb-sfo2-01:~# apt-get install Dnsmasq
After I finished installing Dnsmasq, I configured it to listen on my public IP, and return that same IP for any queries made to the server. This configuration would allow me to make a request to my newly configured name server, and get back a proper IP address. Additionally, I configured logging so that I could actually get the data out.
root@r4y-ubuntu-512mb-sfo2-01:~# tail -5 /etc/dnsmasq.conf listen-address=18.104.22.168 address=/#/22.214.171.124 log-queries log-facility=/var/log/dnsmasq.log
Finally, after I had everything setup and configured, it was time to test the server.
To do so, I pinged a fake subdomain, and got a proper response back.
Once I completed the ping, I checked the Dnsmasq logs to make sure that the server had logged the “data”.
root@r4y-ubuntu-512mb-sfo2-01:~# tail -f /var/log/dnsmasq.log Feb 28 20:24:39 dnsmasq: Ignoring query from non-local network Feb 28 20:25:48 dnsmasq: no servers found in /var/run/dnsmasq/resolv.conf, will retry Feb 28 20:25:48 dnsmasq: exiting on receipt of SIGTERM Feb 28 20:25:49 dnsmasq: started, version 2.75 cachesize 150 Feb 28 20:25:49 dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify Feb 28 20:25:49 dnsmasq: no servers found in /var/run/dnsmasq/resolv.conf, will retry Feb 28 20:25:49 dnsmasq: read /etc/hosts - 8 addresses Feb 28 20:25:49 dnsmasq: reading /var/run/dnsmasq/resolv.conf Feb 28 20:25:49 dnsmasq: using nameserver 126.96.36.199#53 Feb 28 20:25:49 dnsmasq: using nameserver 188.8.131.52#53 Feb 28 20:27:40 dnsmasq: query[A] aaa.d.r4y.pw from 184.108.40.206 Feb 28 20:27:40 dnsmasq: config aaa.d.r4y.pw is 220.127.116.11
This was far easier to setup than I had previously imagined, and now I’m looking to take it even further.
Some of my next steps will be to add a service that will allow me to easily get out data. This will parse the log files, get the extracted data, and put them in a dashboard of sorts for me to easily access it.
Also, note that my original dnsmasq.conf file was slightly broken, and prevented my server from making any DNS requests of its own. I realized this once I was unable to hit any of my servers for an apt-get update/upgrade :P. The updated file (with DNS forwarding to non exfil related requests) is below.
listen-address=18.104.22.168 listen-address=127.0.0.1 address=/d.r4y.pw/22.214.171.124 server=/#/126.96.36.199 server=/#/188.8.131.52 no-resolv log-queries log-facility=/var/log/dnsmasq.log