
2561 - Exfiltrating Data over DNS

Scenario

You are performing data exfiltration as part of a security assessment exercise. Your security team has developed an internal data exfiltration tool that includes a client and a server, utilizing the test domain dex.example.com. Please configure the DNS server to forward queries for this test domain to the authoritative server that has been configured to receive data, start the test client to exfiltrate data over DNS, and capture the entire transaction to include in your security assessment report.

Estimated Completion Time

  • 20 to 30 Minutes

Prerequisites

  • You must deploy the NIOS 9.0 lab environment.

Course References

  • 2034: Data Exfiltration and NIOS Threat Insight

  • 2213: Data Exfiltration with DNS

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

Make sure you deploy a NIOS 9.0 lab environment to proceed with this lab.

  1. Configure a DNS forward zone on the Grid for data exfiltration.

  2. Start traffic capture before data exfiltration.

  3. Perform data exfiltration in the lab environment with the provided tools.

  4. Analyze traffic capture results.


Task 1: Configure a DNS forward zone on the Grid for Data Exfiltration

Create a Forward Zone with the following settings:

  • Name: dex.example.com

  • Forward to Name Server: support-server.ad.techblue.net

  • Name Server Address: 10.100.0.20

  • Enable Option: Use Forwarders Only

  • Member: ibns2.techblue.net

Task 2: Start Traffic Capture before Data Exfiltration

  • On the Grid, start traffic capturing on the member ibns2.techblue.net.

Task 3: Perform and Verify Data Exfiltration

  • On the jump-desktop, open a new Terminal window and log in to the support-server: ssh training@10.100.0.20. Type in the command realtime-decode. Leave it running.

  • Still on the jump-desktop, open a second Terminal window and issue the following command: analytics-test 10.200.0.105. This starts the client, which begins exfiltrating data.

  • Switch to the first Terminal window that has the session to the support-server and check the output of the realtime-decode command.

Task 4: Analyze Data Capture Results

  • On the Grid, stop the traffic capture and download the captured file from ibns2.

  • Open the capture file with Wireshark and analyze the results.

You may enter this filter into Wireshark to display only DNS traffic related to the IP address 10.200.0.105 (ibns2) for the domain dex.example.com:

dns and ip.addr == 10.200.0.105 and dns.qry.name contains dex.example.com

This lab only provides instructions to exfiltrate data over DNS. If you want to see how it can be detected and stopped, use the instructions in Lab 2565.


Solutions

Task 1 Solution: Configure a DNS forward zone on the Grid for Data Exfiltration

  1. Click Data Management → DNS → Zones.

  2. Click the drop-down menu next to the Add (plus) symbol. Select Forward Zone from the drop-down menu.

  3. In Step 2 of the wizard, enter dex.example.com as the zone's name.

  4. In Step 3 of the wizard, add the name server support-server.ad.techblue.net with the IP address 10.100.0.20. Check the checkbox for Use Forwarders Only.

  5. In Step 4 of the wizard, select member ibns2.techblue.net. Click Save & Close.

  6. (Optional) You may verify that your DNS forward zone is set up correctly by querying for a random name in the dex.example.com domain and checking the response. For example, query ibns2 (10.200.0.105) for the A record of xyz.dex.example.com; a correctly configured forward zone returns a NOERROR response.

Task 2 Solution: Start Traffic Capture before Data Exfiltration

  1. To start traffic capture, navigate to Grid → Grid Manager and, from the Toolbar, click Traffic Capture.

  2. Use the Add (plus) button to add ibns2.techblue.net in the Members section. Click Start in the Capture Control to begin data capture.

Task 3 Solution: Perform and Verify Data Exfiltration

  1. (Optional) On the jump-desktop, examine the content of the sample file /mnt/shared/Dex/Short-Analytics-Test-File.csv.

  2. On the jump-desktop, open a new Terminal window and log in to the support-server: ssh training@10.100.0.20. Type in the command realtime-decode. Leave it running. The SSH password is infoblox.

  3. Still on the jump-desktop, open a second Terminal window and issue the data exfiltration command: analytics-test 10.200.0.105.
    This exfiltrates the sample CSV file by querying the DNS server 10.200.0.105 (ibns2). Observe this for a few seconds; you should see more entries being added to the screen every 2-3 seconds, indicating that data exfiltration has started.

  4. Switch to the first Terminal window that has the session to the support-server and check the output of the realtime-decode command. It is helpful to have these two Terminal windows side by side for easy comparison.

Task 4 Solution: Analyze Data Capture Results

  1. On the Grid, stop the traffic capture and download the captured file from ibns2: tick the checkbox next to ibns2.techblue.net under Members, click the Download button, and save the file.

  2. Open the capture file with Wireshark and analyze the results. Note the following IP addresses:

    1. 10.35.22.10: The DNS client, jump-desktop.

    2. 10.200.0.105: The recursive DNS server, ibns2.techblue.net.

    3. 10.100.0.20: The (malicious) authoritative DNS server for dex.example.com.

You may enter this filter into Wireshark to display only DNS traffic related to the IP address 10.200.0.105 (ibns2) for the domain dex.example.com:

dns and ip.addr == 10.200.0.105 and dns.qry.name contains dex.example.com
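The Wireshark filter given in Task 4 (and in the task list above) is the starting point of the analysis. As an added example that is not part of the lab materials or of the Infoblox tools, the Python script below applies the same filter to records in the shape of tshark field output (frame.time_epoch, ip.src, ip.dst, dns.qry.name) and computes the indicators that separate the exfiltration queries from ordinary lookups: number of distinct subdomains, label length and label entropy. The sample records and subdomain labels are constructed for illustration, not taken from the lab capture.

```python
import math
from collections import Counter

# Constructed sample shaped like `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst
# -e dns.qry.name` output from the lab capture; the subdomain labels are invented stand-ins.
SAMPLE_RECORDS = """\
1731500000.10\t10.35.22.10\t10.200.0.105\tq3k9v2.dex.example.com
1731500000.12\t10.200.0.105\t10.100.0.20\tq3k9v2.dex.example.com
1731500002.40\t10.35.22.10\t10.200.0.105\tz8m1wq7a4.dex.example.com
1731500002.41\t10.200.0.105\t10.100.0.20\tz8m1wq7a4.dex.example.com
1731500003.00\t10.35.22.10\t10.200.0.105\twww.example.com
1731500004.90\t10.35.22.10\t10.200.0.105\tp0x5n.dex.example.com
"""
RECURSIVE_SERVER = "10.200.0.105"  # ibns2.techblue.net, from Task 4
WATCH_DOMAIN = "dex.example.com"   # forward zone created in Task 1

def matches_filter(src, dst, qname, server=RECURSIVE_SERVER, domain=WATCH_DOMAIN):
    """Same test as 'dns and ip.addr == 10.200.0.105 and dns.qry.name contains dex.example.com'."""
    return server in (src, dst) and domain in qname

def parse_records(text):
    """Tab-separated lines -> (timestamp, src, dst, qname) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, qname = line.split("\t")
            rows.append((float(ts), src, dst, qname))
    return rows

def shannon_entropy(label):
    """Bits per character; encoded data chunks score higher than dictionary hostnames."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def summarize(text):
    """Apply the filter, then compute what a responder checks: distinct subdomains, label length, entropy."""
    matched = [r for r in parse_records(text) if matches_filter(r[1], r[2], r[3])]
    # Keep client->resolver queries only; the resolver's forward to 10.100.0.20 repeats each name.
    client = [r for r in matched if r[2] == RECURSIVE_SERVER]
    labels = [r[3][: -(len(WATCH_DOMAIN) + 1)] for r in client]
    count = len(labels) or 1
    return {"matched": len(matched), "client_queries": len(client),
            "unique_subdomains": len(set(labels)),
            "avg_label_len": sum(map(len, labels)) / count,
            "avg_entropy": sum(map(shannon_entropy, labels)) / count}

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

A real capture shows the same pattern at scale: every query name under dex.example.com is unique and the labels are long and high-entropy, which is what a detection rule for this traffic keys on.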

