2544 - Inspecting data exfiltration over DNS with NIOS Threat Insight
Scenario
You are tasked with deploying Threat Insight within the organization’s security environment. Your Infoblox representative has provided short-term access to the Infoblox Data Exfiltration demo site (DEX), which has a tool you can use to check that the deployment is correctly configured and working. In this lab, you use the tool prior to configuring and enabling Threat Insight to observe data exfiltration over DNS. You may use traffic capture to observe the DNS traffic.
Course References
2033: Data Exfiltration and NIOS Threat Insight
Estimated Completion Time
30 to 40 minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox | |
Requirements
Administrative access to the Grid
Access to the Infoblox Data Exfiltration Demo site (DEX)
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Start Traffic Capture on ibns1.techblue.net
Task 2: Log in to the Infoblox Data Exfiltration Demo site
Task 3: Select a file to transfer via Data Exfiltration
Task 4: View the Traffic Capture
Task 5: View the Transferred file
Task 1: Start Traffic Capture on ibns1.techblue.net
In this task, you start Traffic Capture on the Grid member ibns1.techblue.net so that the DNS queries generated by the exfiltration are recorded.
Task 2: Log in to the Infoblox Data Exfiltration Demo site
In this task, you log into the Data Exfiltration Demo and navigate to the DNS Script Decoder tool. This is the tool you will use to perform Data Exfiltration.
Task 3: Select a file to transfer via Data Exfiltration
In this task, you transfer a file from your computer to the DEX platform and observe Data Exfiltration in process.
Task 4: View the Traffic Capture
In this task, you view the traffic captured during the exfiltration. The transfer shows the DNS Queries being made as part of the exfiltration. Wait until the file transfer is complete and then stop the traffic capture.
Task 5: View the Transferred file
In this task, you confirm that the transferred and re-assembled file has the same content as the original file.
Solutions
Task 1 solution: Start Traffic Capture on ibns1.techblue.net
In this task, you start Traffic Capture on ibns1.techblue.net.
Navigate to Grid → Grid Manager → Members.
Select Traffic Capture from the Toolbar.
Complete the Traffic Capture wizard.
Click the add (+) button and select member ibns1.techblue.net from the Member Selector pop-up window.
Click the check box next to ibns1.techblue.net.
Delete the Seconds to Run value.
Select HA for the Interface.
Leave the Transfer To value as My Computer.
Click the Start (triangle) button to run Traffic Capture.
Task 2 solution: Log in to the Infoblox Data Exfiltration demo site
In this task, you log into the Data Exfiltration (DEX) demo and navigate to the DNS Script Decoder tool. This is the tool you will use to perform Data Exfiltration.
Log in to the Infoblox Data Exfiltration Demo site using the link in the Learning Portal.
Click the Terms and Conditions tab.
Scroll down and click Accept Terms & Conditions.
Click Accept.
Select Data Exfiltration Tools from the list on the left-hand side.
Task 3 solution: Select a file to transfer via Data Exfiltration
In this task, you transfer a file from your computer to the DEX platform and observe Data Exfiltration in the process.
Use the File Manager on the Jump Desktop to view the files in the /mnt/shared/nios-imports/Data-Exfiltration folder. Double-click the Data-Exfiltration.csv file. Click OK in the Text Import window. You can see that the file is a series of names, addresses, email addresses, credit card types, numbers, and passwords. This is the file you use to demonstrate Data Exfiltration. Close the file.
Return to the browser tab for the Infoblox Data Exfiltration Tools → DNS Script Decoder.
Click Select a file.
Select the /mnt/shared/nios-imports/Data-Exfiltration folder. Choose the Data-Exfiltration.csv file to upload and click Open.
Type 10.100.0.105 in the DNS Server box. This is the IP Address of ibns1.techblue.net. This step ensures that we know exactly which Grid member to use for traffic capture. Click Generate a script.
Highlight the Unix Shell script. Copy the script and paste into a terminal window on the Jump-Desktop.
Note: You need to edit the script before using it by appending the full path of the Data-Exfiltration file. The full path should be: /mnt/shared/nios-imports/Data-Exfiltration
Press the Enter key to start the exfiltration and wait for the transfer to complete.
If you wish to repeat the exfiltration for any reason, you need to generate a fresh script.
Task 4 solution: View the Traffic Capture
In this task, you view the traffic captured during the exfiltration. The transfer shows the DNS Queries being made as part of the exfiltration. Wait until the file transfer is complete and then stop the traffic capture.
Note: You can stop the transfer at any time by refreshing the browser.
Stop the Traffic Capture. Return to the Infoblox Grid Manager tab in the browser. Click the Stop button.
Select Member ibns1.techblue.net and click the Download button to download the Traffic Capture file. Close the window once the file is downloaded.
Open the downloaded ibns1.techblue.net.tar.gz file.
Right-click on the traffic.cap file in the archive.
Select Open With…
Choose Wireshark. It takes a few moments for the file to open.
Use a display filter to view the records for data exfiltration. Type dns.qry.name contains <Indicator domain> in the Wireshark Filter box.
For example: dns.qry.name contains mysicso.net
The domain names used by DEX change frequently. You can see the domain name in the DNS responses when the script runs.
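The Wireshark filter above selects queries by indicator domain. As an added example (not part of the lab or of any Infoblox tool), the Python below applies the same selection to constructed BIND-style query-log lines and computes the per-domain features an analytics engine like Threat Insight keys on to flag chunked exfiltration: distinct labels, label length, entropy and estimated payload. The log lines, the hex chunk labels and the thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed BIND-style query-log lines, not a real capture. mysicso.net is the indicator
# domain the lab quotes for its Wireshark filter; the chunk labels are made-up hex.
SAMPLE_LOG = """\
client 10.100.0.51#53211: query: www.techblue.net IN A +
client 10.100.0.51#53212: query: 0001.4a6f686e2c536d6974682c6a6f686e2c.mysicso.net IN TXT +
client 10.100.0.51#53213: query: 0002.406578616d706c652e636f6d2c56697361.mysicso.net IN TXT +
client 10.100.0.51#53214: query: 0003.4a616e6520446f652c343220456c6d205374.mysicso.net IN TXT +
client 10.100.0.51#53215: query: 0004.2c7061737377307264313233210a4a616e.mysicso.net IN TXT +
client 10.100.0.52#40001: query: mail.techblue.net IN MX +
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

def parse_queries(log_text):
    """Return (client_ip, qname, qtype) for every query line; other lines are skipped."""
    return [m.groups() for m in map(QUERY_RE.search, log_text.splitlines()) if m]

def shannon_entropy(s):
    """Bits per character; encoded chunk labels score far above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_domain(queries, indicator_domain):
    """Suffix-anchored variant of the Wireshark filter `dns.qry.name contains <domain>`,
    reduced to the per-query features exfiltration analytics key on: how many distinct
    labels were sent, how long they are, how random they look, and how much they carry."""
    suffix = "." + indicator_domain.lower()
    prefixes = [q.lower()[:-len(suffix)] for _, q, _ in queries if q.lower().endswith(suffix)]
    n = len(prefixes)
    payload_chars = sum(len(p.replace(".", "")) for p in prefixes)
    return {
        "queries": n,
        "unique_prefixes": len(set(prefixes)),
        "avg_prefix_len": sum(map(len, prefixes)) / n if n else 0.0,
        "avg_entropy": sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / n if n else 0.0,
        "est_payload_bytes": payload_chars // 2,  # hex carries 4 bits per character
    }

def is_exfiltration_like(profile, min_queries=3, min_prefix_len=20, min_entropy=3.0):
    """Flag a domain when every query carried a distinct, long, high-entropy label."""
    return (profile["queries"] >= min_queries
            and profile["unique_prefixes"] == profile["queries"]
            and profile["avg_prefix_len"] >= min_prefix_len
            and profile["avg_entropy"] >= min_entropy)
```

Run the same profile against a benign zone such as techblue.net to see how short, low-entropy hostnames stay well under the thresholds.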
Task 5 solution: View the Transferred file
In this task, you confirm that the transferred and re-assembled file has the same content as the original file.
Return to the browser tab for the Data Exfiltration Demo Portal. Scroll up and click the Transferred Files/Messages tab.
Notice that the whole file has been received with zero chunks lost. Click the file link.
Click the downloaded file.
Click OK in the Text Import window. The transferred file opens. The contents are exactly the same as the original file. Close the file.