DNS tunneling, in my opinion, is the niftiest data exfiltration method there is. For those not familiar, check out Section 3 from SANS’s “Detecting DNS Tunneling” whitepaper here.
Our Mobile Application Practice Lead, Aaron Yaeger, recently taught me how easy it is to use Burp Collaborator for DNS tunneling. Exfiltrating data like that was a bit time consuming to do manually, so I set out to automate this task for use in all environments. I automated this task by creating an extension for Burp Suite using the built-in Burp Collaborator API, with a private Burp Collaborator server to parse incoming DNS requests and recreate the tunneled data. The two main ways to use this extension are:
Environments with Burp Suite
In this magical and unlikely environment, the tester has access to Burp Suite on both ends and this extension is installed. In that case the tester goes to the extension on their local box, starts the listening Collaborator instance, and enters the Burp Collaborator address and the data to be exfiltrated on the compromised box’s Burp instance (for full instructions see here).
Environments with Bill and Linus
However, on most compromised boxes there is no Burp Suite, but a scripting engine is usually available (Powershell/Bash). For these environments, I have written Bash and Powershell scripts to tunnel data to Collaborator. These scripts will base32 encode, chunk, and perform DNS queries with the data. The execution chain for a tester looks like this:
Copy over the tunneling script to the compromised box
Click “Start Listening” on the DNS Tunnel extension on the box they want to exfiltrate data to (take note of the Collaborator server address)
Start the script on the compromised box, copy in the Collaborator server address and filename to exfiltrate, and click go
After the data is sent click “Poll now” on the receiving machine and the data will be present
A demo starting at step 2 is below (click to enlarge):
This is the closest to point-and-shoot that I’ve seen for DNS tunneling, which makes me hope it will give pen testers access to a tool that might have been harder for them to access in the past. Another great alternative for tunneling is dnscat2, so definitely check that out to see if it fits your needs. Since I’m a big fan of blue teaming I’ll reference the article I posted at the beginning for Detecting DNS Tunneling by Greg Farnham. I should point out that this extension will only work with a private Burp Collaborator Server, as Burp Suite (rightly) doesn’t want their domain getting flagged as malicious when this extension sends hundreds of requests.
What is being released today is the 1st revision of this tool. Due to that, it means everything was done the way it popped into my head. If you think there are better ways things could be implemented please feel free to make a pull request or create an issue on Github.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.