Brilliant idea! Thanks for sharing! :)
Thank you! Cheers!
I remember many years ago reading about smuggling data inside DNS packets. Software must be run on the host computer, and the receiving DNS server must be running the extractor, but once the host-to-server connection is made, the Internet can be used with no obvious signs of data transfer other than DNS.
See my video on DNS exfiltration for the same concept. The nice thing is you can use the built-in DNS clients in each OS to send the queries along with a simple script, and the remote end does not have to be a DNS server; it just has to have a packet capture tool running.
This is a totally different route that I didn't think about when I commented on the last video. Pretty cool PoC. Luckily we have policy set up so that PowerShell requires elevated access to run and/or has to be run by a trusted process that already has elevated privilege. Would be cool to see if this could be done completely using VBS, JS and/or batch scripting.
Quick note: -ExecutionPolicy Bypass does not allow our end users to bypass our policy to run PS1. It still asks end users for elevated access. You can restrict end users' access to PowerShell through Group Policy, WDAC and/or AppLocker.
Yeah this still does require PS but I’ve seen large enterprises who overlook it and allow users to create and run them
There is a way to do this using the Windows ICMP API which does not require any admin privileges. I assume that's because it was created so that higher-level applications don't need admin privileges to run if they need to send ICMP packets.
@sido6587 I'm all ears, would be interesting to see. Didn't know this, but the corp I work for already denies outbound ping. Can only ping internal servers and DNS.
Do they allow outbound DNS?
I'm currently theorising a way to do this without using PowerShell and without requiring any admin privileges. If anyone is interested, I can drop a link to the repo as soon as I have a good proof of concept ready.
Would love to see it, you should join the discord and share
@plaintextpackets could I get a link to that Discord? Edit: found it, my bad.
Could you use this slower variable length method on Linux to avoid the sudo requirement for changing the data content?
Absolutely, it would also likely be easier to script in bash.
I feel like a wizard after getting this working. Look out, world, I'm deadly and dangerous (to myself only).
Nice! Glad it works for you!
Very cool.
Awesome stuff! Good work
I would do a binary xfer where 1 designates 0 and the following packet would be the amount of 0s in a line, then 111 followed by the number of 1s in a row, or something similar. This would allow a bunch more data at a faster rate, basically the same as what you are doing but in a binary format.
I was thinking about that; you're right, you could probably use a more advanced encoding scheme to increase the effective bitrate.
How would you ping something and reach a PC inside another network? Would you not just ping the router and be dropped? Windows drops ICMP calls, if I'm right.
Or would you need to host something with a public IP in order to be able to receive the data?
You'd either need to set up a NAT translation from your outside firewall to an inside PC (also known as port forwarding), or capture from the firewall itself like I do using tcpdump here.
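The thread above describes the channel from the sender's side (ping packets whose size or sequence carries the data) and mentions capturing at the firewall with tcpdump. The flip side for a defender is that the same tcpdump output is where the channel shows up. The following is an added example, not code from the video or any commenter: a small Python triage script that reads tcpdump-style ICMP echo request lines, groups them per source/destination pair, and flags flows whose ICMP length keeps changing while packets arrive in quick succession, which is what a size-modulated ping channel looks like next to ordinary fixed-size pings. The sample lines, the addresses and the thresholds are all constructed assumptions for illustration, not tuned values.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed tcpdump-style lines (not a real capture). 10.0.0.5 sends
# ordinary fixed-size pings one second apart; 10.0.0.7 varies the ICMP
# length packet by packet and sends quickly, the pattern a size-modulated
# channel leaves in a capture.
SAMPLE_LINES = """\
12:00:01.000000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 2, length 64
12:00:03.000000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 3, length 64
12:00:04.000000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 4, length 64
12:00:01.100000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 1, length 72
12:00:01.200000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 2, length 101
12:00:01.300000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 3, length 108
12:00:01.400000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 4, length 116
12:00:01.500000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 5, length 111
12:00:01.600000 IP 10.0.0.7 > 198.51.100.4: ICMP echo request, id 2, seq 6, length 119
"""

# Matches the echo request lines in the format tcpdump prints for IPv4 ICMP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_icmp_requests(text):
    """Yield (src, dst, seconds_since_midnight, icmp_length) for each echo request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # replies and non-ICMP traffic are ignored
        h, mi, s = m.group("ts").split(":")
        seconds = int(h) * 3600 + int(mi) * 60 + float(s)
        yield m.group("src"), m.group("dst"), seconds, int(m.group("len"))


def score_flows(text, min_packets=5, min_distinct_lengths=4, max_mean_gap=1.0):
    """Return {(src, dst): stats} for flows that look size-modulated.

    A flow is flagged when it has at least min_packets echo requests, at least
    min_distinct_lengths different ICMP lengths, and a mean inter-packet gap of
    at most max_mean_gap seconds. The thresholds are assumed starting points.
    """
    flows = defaultdict(list)
    for src, dst, t, length in parse_icmp_requests(text):
        flows[(src, dst)].append((t, length))

    suspicious = {}
    for key, pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        pkts.sort()  # order by timestamp before computing gaps
        lengths = [length for _, length in pkts]
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        stats = {
            "packets": len(pkts),
            "distinct_lengths": len(set(lengths)),
            "length_stdev": round(pstdev(lengths), 2),
            "mean_gap_s": round(sum(gaps) / len(gaps), 3),
        }
        if (stats["distinct_lengths"] >= min_distinct_lengths
                and stats["mean_gap_s"] <= max_mean_gap):
            suspicious[key] = stats
    return suspicious


if __name__ == "__main__":
    for (src, dst), stats in score_flows(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {stats}")
```

Run it on a real capture by piping `tcpdump -n -l icmp` into the script instead of `SAMPLE_LINES`; the fixed-size flow is left alone and only the varying-length, high-rate flow is reported. Size variance alone is a weak signal (some tools legitimately send mixed ping sizes), so in practice you would pair it with the rate and volume counters and a baseline of which hosts normally ping outside the network at all, which the thread notes many organisations simply block.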
DNS can be used for tunneling
Yep!
My thumbs up didn't register...?