PacketWhisper – Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), then use DNS queries to transfer the data. Simple yet extremely effective.
Joe Gervais (TryCatchHCF)
Traditional DNS exfiltration relies on one of the following: DNS tunneling; hiding data in DNS query fields; or encoded / encrypted payloads that are broken up and used as subdomains in the DNS query. All of these methods require that the attacker control a domain and/or an associated DNS Name Server to receive the data, which leads to attribution. Those approaches are also vulnerable to DNS Name Server blacklisting (common) and whitelisting (increasingly common). Another problem is that DFIR analysts are familiar with these methods, and SIEM systems will often detect and alert on seeing them.
PacketWhisper overcomes these limitations.
What if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or to a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?
How It Works
To receive the data, you capture the network traffic containing the DNS queries, using whatever method is most convenient for you. (See "Capturing the PCAP File" below for examples of capture points.) You then load the captured PCAP file into PacketWhisper (running on whatever system is convenient), which extracts the payload from the file and Decloakifies it into its original form.
DNS is an attractive protocol to use because, even though it is a relatively slow means of transferring data, DNS is almost always allowed across network boundaries, even on the most sensitive networks.
Important note: We're using DNS queries to transfer the data, not successful DNS lookups. PacketWhisper never needs to successfully resolve any of its DNS queries. In fact, PacketWhisper doesn't even look at the DNS responses. This expands our use cases, and underscores the fact that we never need to control a domain we're querying for, and never need to control a DNS Name Server handling DNS requests.
So using PacketWhisper, we transform a payload that looks like this:
Into a list of FQDNs like this:
Which PacketWhisper turns into DNS queries that show up in network traffic like this:
Which you capture as a PCAP file anywhere along the DNS resolution path, and then load that PCAP into your local copy of PacketWhisper to recover the payload:
I've included a sample PCAP file in the project (cleverly named "sample.pcap") that contains separate payloads for each of the ciphers. They could have been any filetype, of course, but in this case I just transmitted text files into the PCAP. Load it up in PacketWhisper and give it a try!
Requirements
- Python 2.7.x (3.6.x port is underway)
- For decoding payloads: tcpdump (included on Linux & MacOS) or WinDump (Windows)
Question: “Why didn’t you use Scapy or dnspython toolset?”
Answer: I hate project dependencies in my operational tools. I keep my projects as atomic and self-contained as possible for maximum reliability, especially on the client side where I may not control the environment and/or have minimal privileges. The way PacketWhisper is structured, I can get it running on a limited shell host just by tar'ing up the project and extracting it on the target host.
Question: “Why isn’t PacketWhisper a project fork of Cloakify Toolset?”
Answer: Same answer as above. We only need a very specific subset of Cloakify's capabilities, and adding everything else to PacketWhisper would just lead to a cluttered directory and tools/ciphers that can't be used by PacketWhisper. Since I own both projects, I promise to synchronize any changes between the two.
$ python packetWhisper.py
FQDN-based ciphers consist of 3 categories:
- Unique Random Subdomain FQDNs (Recommended: avoids DNS caching, overcomes NAT)
- Unique Repeating FQDNs (DNS may cache, but overcomes NAT)
- Common Website FQDNs (DNS caching may block, NAT interferes)
Unique Random Subdomain FQDNs
RECOMMENDED CIPHER MODE FOR MOST USE CASES
These are FQDNs with randomized elements built into the subdomains. This helps prevent DNS caching, while also allowing us to transfer data beyond any NAT'd network devices that may be along the DNS query path. Since the sending system's IP address is not available beyond the NAT device, the cipher-generated subdomains contain unique tag elements to help us identify PacketWhisper payloads in the packet capture.
These ciphers mimic the formats of various services that rely on complex subdomains as a means to identify a session, user, cached content, etc. This approach helps PacketWhisper's DNS queries blend in with the rest of the network's traffic.
The first part of the subdomain name is actually a string from the cipher list. The rest of the subdomain name is randomized to make each FQDN unique, which prevents DNS caching from shutting down the DNS query path prematurely. We then append the domain name. We construct the FQDNs this way to look like the usual FQDNs associated with the chosen domain, to blend in better with the normal web traffic seen on any network.
Unique Repeating FQDNs
Created to stand out from all other DNS queries on the network, but without any randomization involved. This means that DNS caching may interfere, but as a side benefit your DNS queries will be easy for you to find even in the largest collection of multi-client pcaps. This is because the FQDNs are odd endpoints, like the list of "Johns" (Red Lectroid aliens) at the fictional Yoyodyne Propulsion Systems from the movie 'Buckaroo Banzai Across the 8th Dimension'.
Common Website FQDNs
These are FQDNs constructed out of common website URLs.
NOTE: Since most environments are NAT'd at the perimeter (removing visibility of the client's IP address), this mode is generally only useful for transferring data between systems connected to the same local /24 network (for example, the guest wifi at your favorite coffee shop).
Since Common Website ciphers only have the source IP address as a way to distinguish their queries from all the other similar DNS queries on the network, PacketWhisper transmits a unique "knock sequence" DNS query at the beginning and end of the payload, which helps us pick out the transmitting host from the pcap file later.
Transmitting the Cloakified Payload
Once you've selected a cipher, PacketWhisper encodes (Cloakifies) the payload into a list of FQDN strings per the chosen cipher. It then sequentially generates DNS requests to send the data along the DNS resolution path. PacketWhisper adds a small delay between each DNS query, which helps prevent out-of-order DNS requests.
Capturing the PCAP File
The key element here is of course being able to capture the network traffic containing the DNS queries that PacketWhisper generated. There are a lot of options, since you only need to be somewhere, anywhere, with visibility of the DNS query path.
Example Points of Capture:
- Connected to the same local network (e.g. your local coffee shop)
- Systems and devices that are internal to the organization
- Perimeter network appliances
- Network infrastructure outside of the organization
- Network tap anywhere along the query path
Use your imagination. Any device along the DNS resolution path is an option, including wall displays. "Wait, what?"
Extracting The Payload
Important note: Within the same PCAP, you can transmit one payload per cipher used. A PCAP containing more than one payload using the same cipher will cause problems. For example, my provided 'sample.pcap' file contains 5 payloads, one for each of the operational ciphers currently available. If one of the payloads had used the same cipher as another one, PacketWhisper would fail to extract either of them. The easy fix is to break up the PCAP file (that's why the PacketWhisper transmit code prints out the UTC date-time when starting and ending transmission). I'm working on allowing multiple payloads using the same cipher; the solution is already in place, I just need to get around to it.
Limitations / Use Notes
Be sure your PCAP file is actually in PCAP format. If you used tcpdump or WinDump to capture the file, you'll be fine. Wireshark, however, offers all sorts of "Save As..." options for saving traffic, only one of which is actually tcpdump/PCAP friendly. I'm working on better error reporting to help catch errors early.
Not a secure encryption scheme. PacketWhisper is not a secure encryption scheme. It's vulnerable to frequency analysis attacks. Use the 'Unique Random Subdomain FQDNs' category of ciphers to add entropy and help degrade frequency analysis attacks. If payload secrecy is required, be sure to encrypt the payload before using PacketWhisper to process it.
Not a high-bandwidth transfer method. PacketWhisper relies on DNS queries, which are UDP-based, meaning the order of delivery (or even successful delivery) of the requests is not guaranteed. By default PacketWhisper adds a small (half-second) delay between each DNS query. You can safely transfer payloads at a rate of about 7.2K per hour (120 bytes per minute). That's based on the size of the original payload, not the Cloakified output file. You can opt for no delay between queries, which dramatically speeds up the transfer, but at the risk of increased network noise and a corrupted payload.
DNS is DNS. Different OSes have different DNS caching policies, etc. Networks may be down, isolated, etc. PacketWhisper includes a quick manual check to see if it can resolve common FQDNs, but DNS can be a messy business. Remember the old IT troubleshooting mantra: "It's always DNS."
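The caveat above (a Wireshark "Save As..." export that is not classic PCAP) is easy to check before loading a capture. The following is an added example written for this page, not part of PacketWhisper: it inspects the file's magic number and distinguishes classic pcap (what tcpdump/WinDump write) from pcapng and from anything else, such as a text export. The sample headers are constructed inline, not real captures.

```python
"""Identify a capture file's container format from its magic number.
Added example; not PacketWhisper code. Python 3."""
import struct

# Magic numbers defined by the libpcap file format (four byte orders / timestamp
# resolutions) and the pcapng Section Header Block type.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def classify_capture(data: bytes) -> str:
    """Return 'pcap', 'pcapng' or 'unknown' for the leading bytes of a file."""
    head = data[:4]
    if head in PCAP_MAGICS:
        return "pcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def describe_capture(data: bytes) -> str:
    """Human-readable variant, useful in an error message before decoding."""
    head = data[:4]
    if head in PCAP_MAGICS:
        return PCAP_MAGICS[head]
    if head == PCAPNG_MAGIC:
        return "pcapng (re-save as classic pcap before decoding)"
    return "not a pcap or pcapng file"


def classify_capture_file(path: str) -> str:
    """Only the first four bytes are needed, so read no more than that."""
    with open(path, "rb") as f:
        return classify_capture(f.read(4))


# Constructed sample inputs (not real captures):
# a 24-byte classic pcap global header as tcpdump writes it on a little-endian host,
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# the start of a pcapng Section Header Block,
PCAPNG_HEADER = PCAPNG_MAGIC + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
# and the first line of a Wireshark plain-text "Save As..." export.
TEXT_EXPORT = b"No.     Time           Source          Destination     Protocol\n"

if __name__ == "__main__":
    for label, sample in (("tcpdump", PCAP_HEADER), ("pcapng", PCAPNG_HEADER),
                          ("text export", TEXT_EXPORT)):
        print(f"{label:12s} -> {classify_capture(sample):8s} {describe_capture(sample)}")
```

Call `classify_capture_file(path)` on a real file; anything other than `"pcap"` is the signal to re-save the capture in classic pcap format (or re-capture with tcpdump) before decoding.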
Detection / Prevention
See the DEF CON 26 slides (included in the project) from my Packet Hacking Village presentation. Mitigation strategies are covered toward the end of the presentation. As in all things, "Security In Depth" is your friend, especially since DNS resolution paths span vast amounts of terrain that are outside of your organization's control.
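The behaviour this page describes gives a defender something concrete to look for: one client issuing a run of never-repeated subdomains under a single registered domain, at the steady cadence produced by the default half-second delay, regardless of whether the lookups resolve. The following is an added example, not PacketWhisper code and not from the DEF CON slides: a small heuristic run over constructed DNS query log lines that groups queries per (client, registered domain) and flags streams with a high share of unique names and a regular sub-two-second gap. The log format, the thresholds and the naive "last two labels" domain extraction are assumptions for the example; a production rule would use the Public Suffix List and tune thresholds against the network's own baseline.

```python
"""Flag DNS query streams that look like FQDN-encoded payloads.
Added example; not PacketWhisper code. Python 3."""
import statistics
from collections import defaultdict

# Constructed sample log lines: "<epoch seconds> <client ip> <queried name>".
# 10.0.0.7 sends eight unique subdomains at a fixed 0.5 s gap; 10.0.0.9 repeats
# one ordinary name at the same rate; 10.0.0.5 is background traffic.
SAMPLE_LOG = """\
1000.00 10.0.0.5 www.example.com
1000.50 10.0.0.7 a7f3k2.cdn.example.net
1001.00 10.0.0.7 q9x1m4.cdn.example.net
1001.50 10.0.0.7 zz81pq.cdn.example.net
1002.00 10.0.0.7 b2c4d6.cdn.example.net
1002.50 10.0.0.7 h0h0h0.cdn.example.net
1003.00 10.0.0.7 k3l5m7.cdn.example.net
1003.50 10.0.0.7 n8p1r4.cdn.example.net
1003.90 10.0.0.5 mail.example.com
1004.00 10.0.0.7 t6v8x0.cdn.example.net
1010.00 10.0.0.9 www.example.org
1010.50 10.0.0.9 www.example.org
1011.00 10.0.0.9 www.example.org
1011.50 10.0.0.9 www.example.org
1012.00 10.0.0.9 www.example.org
1012.50 10.0.0.9 www.example.org
"""


def registered_domain(qname: str) -> str:
    """Assumption: last two labels. Use the Public Suffix List in real tooling."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_log(text: str):
    """Yield (timestamp, client, qname); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield float(parts[0]), parts[1], parts[2]


def summarize(text: str) -> dict:
    """Per (client, registered domain): count, unique-name share, cadence."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        groups[(client, registered_domain(qname))].append((ts, qname))
    summary = {}
    for key, events in groups.items():
        events.sort()
        names = [q for _, q in events]
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        summary[key] = {
            "queries": len(names),
            "unique_ratio": len(set(names)) / len(names),
            "median_gap": statistics.median(gaps) if gaps else None,
            "gap_stdev": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return summary


def flag_suspicious(summary: dict, min_queries: int = 6, min_unique_ratio: float = 0.9,
                    max_gap: float = 2.0, max_jitter: float = 0.25) -> list:
    """Flag many distinct names from one client at a steady, short interval.
    Repeated names (10.0.0.9) are not flagged: repetition is what caches see."""
    flagged = []
    for key, s in summary.items():
        if s["queries"] < min_queries or s["median_gap"] is None:
            continue
        if (s["unique_ratio"] >= min_unique_ratio
                and s["median_gap"] <= max_gap
                and s["gap_stdev"] <= max_jitter):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, domain in flag_suspicious(stats):
        s = stats[(client, domain)]
        print(f"{client} -> *.{domain}: {s['queries']} queries, "
              f"{s['unique_ratio']:.0%} unique, median gap {s['median_gap']:.2f}s")
```

The unique-name share is what separates this pattern from a busy but ordinary client, and the cadence check is what separates it from a CDN-heavy page load; dropping the delay (as the limitations section notes) removes the cadence signal but raises the query rate instead, so a rate threshold per client and domain is a sensible companion rule. None of this depends on the query resolving, so it should run on query logs or on a capture taken at the resolver, not on response logs.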