
2544 - Inspecting data exfiltration over DNS with NIOS Threat Insight


This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. If you use a different lab environment, this is untested, and the lab likely will not work.

Scenario

As part of a security initiative, your organization is planning to use Infoblox’s Threat Insight to strengthen its DNS security posture. You are tasked with performing a DNS data exfiltration attack simulation to test your organization’s current security measures. You are using an internally developed data exfiltration simulation tool with the test domain dex.example.com. You will configure the DNS server to forward queries for this test domain to its authoritative server, then start a simulated exfiltration attempt over DNS. Capture the entire transaction to include in your security assessment report.

Estimate Completion Time

  • 20 to 30 Minutes

Credentials

Description: Grid Manager UI

Username: admin

Password: infoblox

URL: https://10.100.0.100/

Course References

  • 2034: Data Exfiltration and NIOS Threat Insight

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Configure a DNS forward zone on the Grid for data exfiltration.

  2. Start traffic capture before data exfiltration.

  3. Perform data exfiltration in the lab environment with the provided tools.

  4. Analyze traffic capture results.

Task 1: Configure a DNS Forward Zone on the Grid for Data Exfiltration

Create a forward zone for dex.example.com, the domain we will use to simulate the bad actor. Use the following settings:

  • Name: dex.example.com

  • Forward to Name Server: support-server.ad.techblue.net

  • Name Server Address: 10.100.0.20

  • Enable Option: Use Forwarders Only

  • Member: ibns2.techblue.net

Task 2: Start Traffic Capture to Catch the Exfiltration Queries

  • Start traffic capturing on the member ibns2.techblue.net.

Task 3: Start a DNS Data Exfiltration Attack

  • On jump-desktop, open two terminal windows:

    • The first will be used to log in remotely to support-server with the command ssh training@10.100.0.20 and then run the command realtime-decode, which decodes and displays the exfiltrated data in real time as it is received.

    • The second will be used to start exfiltrating data from the victim (jump-desktop) towards the bad actor (dex.example.com) using the command analytics-test 10.200.0.105.

Task 4: Observe and Analyze Data Capture Results

You may enter this filter into Wireshark to display only DNS traffic related to the IP address 10.200.0.105 (ibns2) for the domain dex.example.com:

dns and ip.addr == 10.200.0.105 and dns.qry.name contains dex.example.com

  • Observe the exfiltrated data obtained by the bad actor support-server.

  • Stop the traffic capture, download the capture file from ibns2, open it with Wireshark and analyze the results.


Solutions

Task 1 Solution: Configure a DNS Forward Zone on the Grid for Data Exfiltration

We are setting up our Grid to redirect traffic intended for dex.example.com or its subdomains to support-server.ad.techblue.net at IP address 10.100.0.20 using a DNS Forward Zone. This configuration is part of a simulation of a DNS exfiltration attack in which the attacker uses the domain dex.example.com. Since dex.example.com is an internal domain owned by our organization for testing and simulation, it cannot be resolved using public DNS resolvers, so the forward zone is what makes the simulated attacker's authoritative server reachable.

  1. On the jump-desktop machine, open a browser window and surf https://10.100.0.100.

  2. Click Data Management → DNS → Zones.

  3. Click the plus (+) icon.

  4. Select Forward Zone from the drop-down menu.

  5. Select Add a forward-mapping zone and click Next.

  6. Enter dex.example.com as the zone's name and click next.

  7. Click the Plus(+) icon.

  8. Add the name server support-server.ad.techblue.net with the IP address 10.100.0.20.

  9. Check the checkbox for Use Forwarders Only and click next.

  10. Select Use this set of name servers.

  11. Select ibns2.techblue.net from the list.

  12. Click Save & Close.

  13. Restart services when prompted.

  14. Open a terminal window.

  15. Use the command dig @10.200.0.105 xyz.dex.example.com. A to verify the DNS forward zone was configured correctly.

    • The example queries ibns2.techblue.net (10.200.0.105) for the A record of xyz.dex.example.com and receives a NOERROR response, which confirms that the query was forwarded to support-server and answered.

Task 2 Solution: Start Traffic Capture before Data Exfiltration

In this task, we are starting a packet capture on ibns2.techblue.net to catch the exfiltrated DNS queries heading towards dex.example.com.

  1. Navigate to Grid → Grid Manager.

  2. From the Toolbar, click Traffic Capture.

  3. Click the Plus (+) icon to add ibns2.techblue.net in the Members section.

  4. Click the Start icon in the Capture Control section to begin data capture.


Task 3 Solution: Start a DNS Data Exfiltration Attack

  1. Examine the content of the data that we will exfiltrate out, using the command more /mnt/shared/Dex/Short-Analytics-Test-File.csv.

  2. Open a terminal window and login to the support-server using the command ssh training@10.100.0.20 and the password infoblox.

  3. Enter in the command realtime-decode.

  4. Open a second terminal window and issue the data exfiltration command: analytics-test 10.200.0.105.

    • This exfiltrates the sample CSV file by querying the DNS server 10.200.0.105 (ibns2).


Task 4 Solution: Observe and Analyze Data Capture Results

You may enter this filter into Wireshark to display only DNS traffic related to the IP address 10.200.0.105 (ibns2) for the domain dex.example.com:

dns and ip.addr == 10.200.0.105 and dns.qry.name contains dex.example.com

In this task, we will start by observing the exfiltrated decoded data the bad actor support-server has received, then we will stop the traffic capture we started on the grid and analyze the traffic capture file.

  1. Observe the terminal window running the exfiltration attack.

    • We should see the received response message, which means that our bad actor support-server was able to receive our victim's queries.
  2. Observe the terminal window logged in to the support-server and check the output of the realtime-decode command.

    • We should be able to see decoded exfiltrated entries matching the data from the sample file we opened earlier.
  3. On the Grid, click the stop icon, to stop the traffic capture.

  4. Select the checkbox next to ibns2.techblue.net under Members.

  5. Click the Download button and save the file.

  6. Open the capture file with Wireshark and analyze the results.

    • Note the following IP addresses:

      • 10.35.22.10: The DNS client, jump-desktop.

      • 10.200.0.105: The recursive DNS server, ibns2.techblue.net

      • 10.100.0.20: The (malicious) authoritative DNS server for dex.example.com

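The Wireshark filter above isolates the exfiltration queries once you already know the attacker's domain. As an added example that is not part of this lab guide or Infoblox's tooling, the Python script below applies the same filter logic to a list of DNS query records and then adds the defender-side heuristics Threat Insight-style detection relies on: many distinct leftmost labels sent to one parent zone, unusually long labels, and high per-label entropy. The query records are constructed for illustration (the hex-style labels imitate encoded payload chunks and are not taken from the lab capture); the `parent_zone` helper assumes the payload sits in the leftmost label, and the thresholds in `suspicious_zones` are illustrative starting points.

```python
"""Flag DNS query patterns consistent with data exfiltration over DNS.

Added example: applies the lab's Wireshark filter logic and a few
defender-side heuristics (label length, label entropy, number of distinct
subdomains per zone) to constructed DNS query records.
"""
import math
from collections import defaultdict

IBNS2 = "10.200.0.105"           # recursive DNS server from the lab
WATCHED_ZONE = "dex.example.com"  # the simulated bad actor's domain

# Constructed records: (client_ip, server_ip, qname). The hex-style leftmost
# labels imitate encoded payload chunks; they are invented for this example.
SAMPLE_QUERIES = [
    ("10.35.22.10", IBNS2, "www.techblue.net"),
    ("10.35.22.10", IBNS2, "4e616d652c4167652c43697479.dex.example.com"),
    ("10.35.22.10", IBNS2, "0a416c6963652c33302c4c6f6e.dex.example.com"),
    ("10.35.22.10", IBNS2, "646f6e0a426f622c32352c5061.dex.example.com"),
    ("10.35.22.10", IBNS2, "7269730a436172612c34312c52.dex.example.com"),
    ("10.35.22.10", IBNS2, "xyz.dex.example.com"),
    ("10.35.22.10", IBNS2, "mail.techblue.net"),
    ("10.35.22.11", "10.200.0.106", "abc.dex.example.com"),
]


def matches_lab_filter(client_ip, server_ip, qname, server=IBNS2, zone=WATCHED_ZONE):
    """Python equivalent of the lab's Wireshark display filter:
    dns and ip.addr == <server> and dns.qry.name contains <zone>.
    ip.addr matches either endpoint, so both addresses are checked."""
    return server in (client_ip, server_ip) and zone in qname


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_zone(qname):
    """Everything after the leftmost label (assumption: the payload is carried
    in the leftmost label, so the rest identifies the receiving zone)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else qname


def zone_statistics(queries):
    """Per parent zone: query count, distinct leftmost labels, longest leftmost
    label and the running sum of leftmost-label entropy."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(),
                                 "max_len": 0, "entropy_sum": 0.0})
    for _client, _server, qname in queries:
        first = qname.rstrip(".").split(".")[0]
        s = stats[parent_zone(qname)]
        s["queries"] += 1
        s["labels"].add(first)
        s["max_len"] = max(s["max_len"], len(first))
        s["entropy_sum"] += shannon_entropy(first)
    return stats


def suspicious_zones(queries, min_distinct=4, min_label_len=20, min_entropy=3.0):
    """Zones that receive many unique leftmost labels which are also long or
    high-entropy. Thresholds are illustrative, not tuned production values."""
    flagged = []
    for zone, s in zone_statistics(queries).items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        many_unique = len(s["labels"]) >= min_distinct
        odd_labels = s["max_len"] >= min_label_len or mean_entropy >= min_entropy
        if many_unique and odd_labels:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    hits = [q for q in SAMPLE_QUERIES if matches_lab_filter(*q)]
    print(f"{len(hits)} record(s) match the lab's Wireshark filter")
    for zone in suspicious_zones(SAMPLE_QUERIES):
        print(f"suspicious zone: {zone}")
```

Running it reports five records matching the lab filter and flags dex.example.com, while techblue.net (two ordinary hostnames) is left alone. In a real deployment the records would come from the query log or the downloaded capture, and the thresholds would be set against a baseline of the organization's normal DNS traffic.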
