Soldier (Regular, joined 20.10.20)
Two-thirds of information leaks are not due to malice; the rest are deliberate actions by cybercriminals, by the organization's own employees or by its contractors. If we have blind command execution on a server where all outgoing connections except DNS are blocked, a bash script called Procrustes comes to the rescue: it automates the exfiltration (sending out) of data via DNS.


What is data exfiltration?

Data exfiltration is the process by which an attacker extracts sensitive data from someone else's system and uses it for their own purposes. Since exfiltration is simply data being transmitted over a network, it is difficult to detect. Every organization processes sensitive data of some kind, which makes exfiltration attacks attractive to attackers.

Data exfiltration can be carried out either internally or remotely. The internal threat comes from employees who sell confidential company data for profit or leak it by accident; the external threat is a cybercriminal who exploits a vulnerability to get into the system and then steals the data.


Exfiltrating data via DNS

As we already know, DNS is a standalone query-processing protocol: it was never intended as a channel for sending arbitrary data from a client to a server. Even so, an authoritative DNS server assumes that every query it receives is legitimate. Cybercriminals exploit exactly this: a query for a specially constructed subdomain reaches the authoritative server, which treats the subdomain label as data as long as the query is well formed.

For example, an attacker sends a query for example.target.com, and the authoritative server for target.com receives "example" as a string. It treats that string as data, so the string has effectively been delivered to whoever controls target.com. Building on this, an attacker can set up a covert channel between the client and a C2 server that acts as the DNS server, and exchange data in both directions. Manipulating DNS in this way to obtain sensitive data is called DNS data exfiltration.

In other words, when data is moved from one system to another without any direct connection between them, and the transfer is carried over the DNS protocol, this is DNS data exfiltration.


Detection

Because a DNS exfiltration attack is covert and the data travels over the network like any other traffic, it is very difficult to detect. Detecting it therefore requires regular analysis of network traffic. Attention should go to the processes that use the network, and in particular to processes that are unusual for the system.

In addition, network packets need to be analyzed carefully and their behavior checked for anomalies. For example, a client that sends more data than it receives is suspicious. Another indicator is a stream of fixed-size packets transmitted over a long-lived connection.
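As an added example (not part of the original post and not code from the Procrustes project), a small Python detector that applies the heuristics above to a constructed sample of DNS query logs: many distinct names under one zone, leftmost labels of one fixed size, and high label entropy. The thresholds and the two-label approximation of the zone are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log as (client_ip, queried_name) pairs. Not real traffic.
BENIGN = [("10.0.0.5", f"{sub}.example.com")
          for sub in ("www", "mail", "cdn", "api", "docs", "static")]

# A constructed payload, hex-encoded and split into fixed-size leftmost labels:
# the shape the text describes (data carried in a subdomain of the attacker's zone).
PAYLOAD = b"constructed sample payload for the DNS exfiltration detector example, not real exfiltrated data"
HEX = PAYLOAD.hex()
SUSPECT = [("10.0.0.7", f"{HEX[i:i + 28]}.{i // 28}.target.com")
           for i in range(0, len(HEX), 28)]

SAMPLE_QUERIES = BENIGN + SUSPECT


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded chunks score higher than dictionary words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def base_domain(qname: str) -> str:
    """Approximate the zone as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_exfil_candidates(queries, min_queries=5, min_share=0.8, min_entropy=2.5):
    """Group queries per (client, zone) and flag groups with many distinct names,
    leftmost labels of (mostly) one fixed size, and high average label entropy.
    Returns {(client, zone): stats} for the groups that match all three heuristics."""
    groups = defaultdict(set)
    for client, qname in queries:
        groups[(client, base_domain(qname))].add(qname.rstrip("."))
    flagged = {}
    for key, names in groups.items():
        if len(names) < min_queries:
            continue
        labels = [n.split(".")[0] for n in names]
        size, hits = Counter(len(lab) for lab in labels).most_common(1)[0]
        entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if hits / len(labels) >= min_share and entropy >= min_entropy:
            flagged[key] = {"queries": len(names), "label_len": size,
                            "avg_entropy": round(entropy, 2)}
    return flagged


if __name__ == "__main__":
    for (client, zone), stats in flag_exfil_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {zone}: {stats}")
```

On the sample, only the 10.0.0.7 / target.com group is flagged; the benign example.com group has too few repeated label sizes even though it has enough distinct names.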


Procrustes script

The script takes as input the command we want to run on the target server and, as output, shows that command's output, reassembled from the DNS queries received from the server.

The script currently supports sh, bash and powershell as target wrappers, and is exec-style compatible (for example, with java.lang.Runtime.exec).

In more detail: the script takes the command we want to run on the target server and transforms it to match the target wrapper so that its output can be sent via DNS. After conversion, the command is handed to the "dispatcher".

The dispatcher is a user-provided program responsible for delivering the command to the target server and executing it there by whatever means are available (for example, by exploiting a vulnerability).

Once the command runs on the target server, it is expected to trigger DNS queries to our DNS server that carry chunks of the data. The script listens for these queries until the output of the user-supplied command has been completely received.

More details on the tool can be found on its GitHub page.