
2544 - Inspecting data exfiltration over DNS with NIOS Threat Insight


Scenario

You are tasked with deploying Threat Insight within the organization’s security environment. Your Infoblox representative has provided short-term access to the Infoblox Data Exfiltration demo site (DEX), which has a tool you can use to check that the deployment is correctly configured and working. In this lab, you use the tool prior to configuring and enabling Threat Insight to observe data exfiltration over DNS. You may use traffic capture to observe the DNS traffic.

Course References

  • 2033: Data Exfiltration and NIOS Threat Insight

Estimate Completion Time

  • 30 to 40 minutes

Credentials

  Description       Username   Password   URL or IP
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

  • Access to the Infoblox Data Exfiltration Demo site (DEX)

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  • Task 1: Start Traffic Capture on ibns1.techblue.net

  • Task 2: Log in to the Infoblox Data Exfiltration Demo site

  • Task 3: Select a file to transfer via Data Exfiltration

  • Task 4: View the Traffic Capture

  • Task 5: View the Transferred file


Task 1: Start Traffic Capture on ibns1.techblue.net

  • Start Traffic Capture on ibns1.techblue.net

Task 2: Log in to the Infoblox Data Exfiltration Demo site

  • In this task, you log into the Data Exfiltration Demo and navigate to the DNS Script Decoder tool. This is the tool you will use to perform Data Exfiltration.

Task 3: Select a file to transfer via Data Exfiltration

  • In this task, you transfer a file from your computer to the DEX platform and observe Data Exfiltration in process.

Task 4: View the Traffic Capture

  • In this task, you view the traffic captured during the exfiltration. The transfer shows the DNS Queries being made as part of the exfiltration. Wait until the file transfer is complete and then stop the traffic capture.

Task 5: View the Transferred file

  • In this task, you confirm that the transferred and re-assembled file has the same content as the original file.


Solutions

Task 1 solution: Start Traffic Capture on ibns1.techblue.net

  • In this task, you start Traffic Capture on ibns1.techblue.net.

    1. Navigate to Grid → Grid Manager → Members.

    2. Select Traffic Capture from the Toolbar.

    3. Complete the Traffic Capture wizard:

      1. Click the add (+) button and select member ibns1.techblue.net from the Member Selector pop-up window.

      2. Click the check box next to ibns1.techblue.net.

      3. Delete the Seconds to Run value.

      4. Select HA for the Interface.

      5. Leave the Transfer To value as My Computer.

    4. Click the Start (triangle) button to run Traffic Capture.

Task 2 solution: Log in to the Infoblox Data Exfiltration demo site

In this task, you log into the Data Exfiltration (DEX) demo and navigate to the DNS Script Decoder tool. This is the tool you will use to perform Data Exfiltration.

  1. Log in to the Infoblox Data Exfiltration Demo site using the link in the Learning Portal.

  2. Click the Terms and Conditions tab.

  3. Scroll down and click Accept Terms & Conditions.

  4. Click Accept.

  5. Select Data Exfiltration Tools from the list on the left-hand side.

Task 3 solution: Select a file to transfer via Data Exfiltration

  • In this task, you transfer a file from your computer to the DEX platform and observe Data Exfiltration in the process.

    1. Use the File Manager on the Jump Desktop to view the files in the /mnt/shared/nios-imports/Data-Exfiltration folder.

    2. Double-click on the Data-Exfiltration.csv file. Click OK in the Text Import window. You can see the file is a series of names, addresses, email addresses, credit card types, numbers, and passwords. This is the file you use for demonstrating Data Exfiltration. Close the file.

    3. Return to the browser tab for the Infoblox Data Exfiltration Tools → DNS Script Decoder.

    4. Click Select a file.

    5. Select the /mnt/shared/nios-imports/Data-Exfiltration folder. Choose the Data-Exfiltration.csv file to upload and click Open.

    6. Type 10.100.0.105 in the DNS Server box. This is the IP address of ibns1.techblue.net. This step ensures that we know exactly which Grid member to use for traffic capture. Click Generate a script.

    7. Highlight the Unix Shell script. Copy the script and paste it into a terminal window on the Jump-Desktop.
      Note: You need to edit the script before using it by appending the full path of the Data-Exfiltration file; the full path of the file should be: /mnt/shared/nios-imports/Data-Exfiltration

    8. Press the Enter key to start exfiltration and wait for the transfer to complete.

If you wish to repeat the exfiltration for any reason you need to generate a fresh script.

Task 4 solution: View the Traffic Capture

You can stop the transfer at any time by refreshing the browser.

  • In this task, you view the traffic captured during the exfiltration. The transfer shows the DNS Queries being made as part of the exfiltration. Wait until the file transfer is complete and then stop the traffic capture.

    1. Stop the Traffic Capture. Return to the Infoblox Grid Manager tab in the browser. Click the Stop button.

    2. Select Member ibns1.techblue.net and click the Download button to download the Traffic Capture file. Close the window once the file is downloaded.

    3. Open the downloaded ibns1.techblue.net.tar.gz file.

    4. Right-click on the traffic.cap file in the extracted archive.

    5. Select Open With…

    6. Choose Wireshark. It takes a few moments for the file to open.

    7. Use a display filter to view the records for data exfiltration. Type dns.qry.name contains <Indicator domain> in the Wireshark Filter box.
      e.g.: dns.qry.name contains mysicso.net

The domain names used by DEX change frequently. You can see the domain name in the DNS responses when the script runs.
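The Wireshark filter above works once you already know the indicator domain. A defender usually has to find that domain first, and the pattern the capture shows (many queries, each carrying a long, random-looking label under one base domain, the chunks of the CSV file) is exactly what a detector keys on. The following script is an added example, not Infoblox code and not how NIOS Threat Insight is implemented; it scores constructed query-log lines per base domain by unique label count, average label length and label entropy, and flags domains that look like exfiltration channels. The log layout, the domain names, the "last two labels are the base domain" heuristic and the thresholds are all assumptions for illustration.

```python
"""Flag DNS query streams that look like data exfiltration (added example).

Toy detector over constructed query-log lines: for each base domain it counts
unique subdomain labels and computes average label length and per-label
Shannon entropy. File chunks exfiltrated over DNS show up as many long,
high-entropy labels under one domain; ordinary hostnames do not.
"""
import math
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query-log layout (not real traffic).
# example.com is normal browsing; exfil-demo.test is the constructed exfil channel.
SAMPLE_LOG = """\
10.100.0.50 query: www.example.com IN A
10.100.0.50 query: mail.example.com IN A
10.100.0.50 query: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.exfil-demo.test IN TXT
10.100.0.50 query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.exfil-demo.test IN TXT
10.100.0.50 query: 0123456789abcdef0123456789abcdef.exfil-demo.test IN TXT
10.100.0.50 query: fedcba9876543210fedcba9876543210.exfil-demo.test IN TXT
10.100.0.50 query: www.example.com IN AAAA
"""

QUERY_RE = re.compile(r"query:\s+(?P<name>\S+)\s+IN\s+(?P<type>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_name(qname: str):
    """Return (subdomain_labels, base_domain) for a query name.

    Assumption: the base domain is the last two labels. A production detector
    would use a public-suffix list so that e.g. co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def score_domains(log_text: str) -> dict:
    """Aggregate per-base-domain statistics from query-log text."""
    per_domain = defaultdict(lambda: {"queries": 0, "labels": []})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        subs, base = split_name(m.group("name"))
        per_domain[base]["queries"] += 1
        per_domain[base]["labels"].extend(subs)

    report = {}
    for base, rec in per_domain.items():
        labels = rec["labels"]
        n = len(labels) or 1  # avoid division by zero for bare domains
        report[base] = {
            "queries": rec["queries"],
            "unique_labels": len(set(labels)),
            "avg_label_len": sum(len(lab) for lab in labels) / n,
            "avg_label_entropy": sum(shannon_entropy(lab) for lab in labels) / n,
        }
    return report


def flag_suspects(report: dict, min_unique=4, min_len=20.0, min_entropy=3.0) -> list:
    """Return base domains whose label statistics exceed all thresholds.

    Thresholds are illustrative assumptions; tune them against your own
    baseline traffic before using anything like this in production.
    """
    return sorted(
        base for base, r in report.items()
        if r["unique_labels"] >= min_unique
        and r["avg_label_len"] >= min_len
        and r["avg_label_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    rep = score_domains(SAMPLE_LOG)
    for base, r in rep.items():
        print(f"{base:20} queries={r['queries']:3} unique={r['unique_labels']:3} "
              f"len={r['avg_label_len']:5.1f} entropy={r['avg_label_entropy']:4.2f}")
    print("suspect domains:", flag_suspects(rep))
```

Running the script flags only the constructed exfil-demo.test channel: its four queries carry four distinct 32-character hex labels with nearly 4 bits of entropy per character, while example.com sees two short, low-entropy hostnames. The same statistics can be computed from the traffic.cap export (Wireshark's dns.qry.name column) instead of a query log; the base domain it reports is the value to use as the indicator domain in the display filter.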

Task 5 solution: View the Transferred file

  • In this task, you confirm that the transferred and re-assembled file has the same content as the original file.

    1. Return to the browser tab for the Data Exfiltration Demo Portal. Scroll up and click the Transferred Files/Messages tab.

    2. Notice that the whole file has been received and zero chunks are lost. Click the file link.

    3. Click the downloaded file.

    4. Click OK in the Text Import window. The transferred file opens. The contents are exactly the same as the original file. Close the file.
