
2565 - Intercepting Data Exfiltration over DNS with Threat Insight

Scenario

After proving that data exfiltration over DNS can be successfully performed on your existing infrastructure, your team has implemented Infoblox NIOS Threat Insight to detect and stop such attacks. Please configure NIOS to detect and block, then use the same tools from Lab 2561 to perform the same data exfiltration. Collect data to show that this attack is now stopped by the Infoblox DNS server.

Estimate Completion Time

  • 20 to 30 Minutes

Prerequisites

  • You must deploy the NIOS 9.0 lab environment.

  • (Optional) Complete Lab 2561 - Performing Data Exfiltration over DNS

Course References

  • 2034: Data Exfiltration and NIOS Threat Insight

  • 2213: Data Exfiltration with DNS

Lab Initiation

If you have just completed Lab 2561: Exfiltrating Data over DNS, you can skip the Lab Initiation section and proceed directly with the Tasks.

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those of prior labs.


Tasks

  1. Load RPZ and Threat Insight licenses on the Grid.

  2. Configure RPZ and Start the Threat Insight service.

  3. Start traffic capture and clear the DNS Cache before data exfiltration.

  4. Perform data exfiltration in the lab environment with the provided tools.

  5. Analyze traffic capture results.


Task 1: Load RPZ and Threat Insight Licenses on the Grid

  • On the jump-desktop virtual machine, open a browser to log in to the GM 10.100.0.100.

  • From the folder /mnt/shared/licenses/9.0/, load the licenses RPZ.lic and TI.lic.

Task 2: Create Mitigation RPZ and Start the Threat Insight/Threat Analytics Service

Depending on the exact version of NIOS you have, the Threat Insight service may appear to be either Threat Insight or Threat Analytics. They just appear with a different name in the user interface. They are otherwise completely identical.

  • Create a local RPZ named mitigation.rpz.

  • Add this local RPZ to the Threat Insight/Threat Analytics configuration.

  • Start the Threat Insight/Threat Analytics service on the Grid.

Task 3: Start Traffic Capture and Clear DNS Cache before Data Exfiltration

  • Flush the DNS cache on ibns2 (10.200.0.105) from the Grid Manager UI.

  • Start traffic capturing on the member ibns2.techblue.net.

Task 4: Perform and Verify Data Exfiltration

  • On the jump-desktop, open a new Terminal window and log in to the support-server: ssh training@10.100.0.20. Type in the command realtime-decode. Leave it running.

  • Still on the jump-desktop, open a second Terminal window and issue the following command: analytics-test 10.200.0.105 to start the client that exfiltrates data.

  • Switch to the first Terminal window that has the session to the support-server, check the output of the realtime-decode command.

Task 5: Analyze Data Capture Results

  • On the Grid, stop the traffic capture and download the captured file from ibns2.

  • Open the capture file with Wireshark and analyze the results.


Solutions

Task 1 Solution: Load RPZ and Threat Insight Licenses on the Grid

  1. On the jump-desktop virtual machine, open a browser to log in to the GM 10.100.0.100.

  2. Click Grid → Licenses and click the Add (plus) symbol to add a new license.

  3. Navigate to the license folder /mnt/shared/licenses/9.0/ and load the licenses RPZ.lic and TI.lic.

    a. Click Shared Drive on the left of the window to navigate to the licenses directory.

    b. After selecting the license file, scroll down to reveal the Verify License(s) button and click it to apply the license file.

Task 2 Solution: Create Mitigation RPZ and Start the Threat Analytics Service

  1. Create a local RPZ (Response Policy Zone) named mitigation.rpz.

    a. Navigate to Data Management → DNS → Response Policy Zones, click Add (plus), then click Next to create a new Local Response Policy Zone.

    b. Enter the name mitigation.rpz. Leave everything else at default values and click Next.

    c. Choose the Grid Primary name server ibns2.techblue.net. Click Save & Close.

    d. You can verify that the newly created RPZ is placed at the very top of the list, before all other policies.

  2. Configure the Threat Insight/Threat Analytics service to use this newly created RPZ.

Depending on the exact version of NIOS you have, the Threat Insight service may appear as either Threat Insight or Threat Analytics. They appear under a different name in the user interface but are otherwise completely identical.

    a. Navigate to Data Management → Threat Analytics. In the Toolbar, click Grid Threat Analytics Properties.

    b. Click Add (plus) and choose the RPZ that was created in the previous step.

    c. Click Save & Close. Restart the service when prompted.

  3. Start the Threat Insight/Threat Analytics service on the Grid.

    a. Navigate to Data Management → Threat Analytics → Members and select ibns2. In the Toolbar, click Start. You may need to wait 30 seconds before the service starts.

    b. If prompted, Restart Services again by clicking the Restart button in the notification banner at the top of the Grid Manager UI.

  4. (Optional) Check that the mitigation RPZ is empty. Navigate to Data Management → DNS → Response Policy Zones and click the entry mitigation.rpz. It should contain no entries yet.

Task 3 Solution: Start Traffic Capture and Clear DNS Cache before Data Exfiltration

  1. Flush the DNS cache on ibns2 (10.200.0.105) from the Grid Manager UI:

    • Navigate to Data Management → DNS → Members.

    • Select the member ibns2.techblue.net.

    • From the toolbar, select Clear → Clear DNS Cache.

  2. To start traffic capture, navigate to Grid → Grid Manager and, from the Toolbar, click Traffic Capture.

  3. Use the Add (plus) button to add ibns2.techblue.net in the Members section. Click Start in the Capture Control to begin data capture.

Task 4 Solution: Perform and Verify Data Exfiltration

  1. (Optional) On the jump-desktop, examine the content of the sample file /mnt/shared/Dex/Short-Analytics-Test-File.csv.

  2. On the jump-desktop, open a new Terminal window and log in to the support-server: ssh training@10.100.0.20. The SSH password is infoblox. Type in the command realtime-decode. Leave it running.

  3. Still on the jump-desktop, open a second Terminal window and issue the data exfiltration command: analytics-test 10.200.0.105. This exfiltrates the sample CSV file by querying the DNS server 10.200.0.105 (ibns2). Observe this for a few seconds; you should see new entries added to the screen every 2-3 seconds, indicating that data exfiltration has started.

  4. After a few entries, however, the communication should be detected and stopped by the Threat Insight/Threat Analytics service running on the DNS member ibns2. The “Received” message will no longer appear in the output.

  5. Switch to the first Terminal window that has the session to the support-server and check the output of the realtime-decode command. It is helpful to have these two Terminal windows side-by-side for easy comparison. You can see that only the first few lines of the file were successfully exfiltrated.

Task 5 Solution: Analyze Data Capture Results

  1. On the Grid, stop the traffic capture and download the captured file from ibns2. Tick the checkbox next to ibns2.techblue.net under Members. Click the Download button and save the file.

  2. Open the capture file with Wireshark and analyze the results. Note the following IP addresses:

    1. 10.35.22.10: The DNS client, jump-desktop.

    2. 10.200.0.105: The recursive DNS server, ibns2.techblue.net.

    3. 10.100.0.20: The (malicious) authoritative DNS server for dex.example.com.

You may enter this filter into Wireshark to display only DNS traffic for the domain dex.example.com:

dns and dns.qry.name contains dex.example.com

[Screenshot: 2565-06-02.png]

If you performed the capture at the right time, you should be able to see that the DNS exfiltration started, but a few packets later the communication is disrupted and responses become NXDOMAIN (No such name). The screenshot above highlights the first packet where the response changed from NOERROR to NXDOMAIN.

  3. (Optional) Check the mitigation RPZ content. Navigate to Data Management → DNS → Response Policy Zones and click the entry mitigation.rpz. It should now have an entry added automatically from the exfiltration attempt.
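The same NOERROR-to-NXDOMAIN transition can be located programmatically instead of by scrolling through Wireshark. The following Python script is an added example and is not part of the Infoblox lab material; it assumes the capture was exported with tshark using the field names shown in the docstring, and the sample rows (including the encoded labels) are constructed to resemble the lab capture, not taken from it.

```python
"""Find where RPZ mitigation cut off a DNS exfiltration channel in a capture.

Assumed export command (tshark field names are real; rows below are constructed):
  tshark -r capture.pcap -Y dns -T fields -e frame.number -e ip.src -e ip.dst \
         -e dns.flags.response -e dns.qry.name -e dns.flags.rcode
rcode 0 = NOERROR, rcode 3 = NXDOMAIN (the RPZ action applied by Threat Insight).
"""

# Constructed sample: two exfil exchanges answered NOERROR, one unrelated
# query, then every further dex.example.com query answered NXDOMAIN.
SAMPLE_TSHARK = """\
1\t10.35.22.10\t10.200.0.105\t0\tYWJjZDEyMzQ.dex.example.com\t
2\t10.200.0.105\t10.35.22.10\t1\tYWJjZDEyMzQ.dex.example.com\t0
3\t10.35.22.10\t10.200.0.105\t0\tZWZnaDU2Nzg.dex.example.com\t
4\t10.200.0.105\t10.35.22.10\t1\tZWZnaDU2Nzg.dex.example.com\t0
5\t10.35.22.10\t10.200.0.105\t0\twww.infoblox.com\t
6\t10.200.0.105\t10.35.22.10\t1\twww.infoblox.com\t0
7\t10.35.22.10\t10.200.0.105\t0\taWprbDkwMTI.dex.example.com\t
8\t10.200.0.105\t10.35.22.10\t1\taWprbDkwMTI.dex.example.com\t3
9\t10.35.22.10\t10.200.0.105\t0\tbW5vcDM0NTY.dex.example.com\t
10\t10.200.0.105\t10.35.22.10\t1\tbW5vcDM0NTY.dex.example.com\t3
"""


def parse_tshark(text):
    """Turn tab-separated tshark output into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        frame, src, dst, is_resp, qname, rcode = line.split("\t")
        packets.append({
            "frame": int(frame), "src": src, "dst": dst,
            "response": is_resp == "1", "qname": qname.lower(),
            "rcode": int(rcode) if rcode else None,   # queries carry no rcode
        })
    return packets


def domain_responses(packets, domain):
    """Like the Wireshark filter 'dns and dns.qry.name contains <domain>',
    restricted to responses so that every row has an rcode to inspect."""
    return [p for p in packets if p["response"] and domain in p["qname"]]


def find_mitigation_onset(packets, domain="dex.example.com"):
    """Return (responses answered NOERROR before the block, first NXDOMAIN frame).

    The second value is None when the capture never shows the block kicking in.
    """
    allowed = 0
    for p in domain_responses(packets, domain):
        if p["rcode"] == 3:      # first NXDOMAIN: the exfil channel was cut here
            return allowed, p["frame"]
        if p["rcode"] == 0:
            allowed += 1
    return allowed, None
```

The first number tells you how many chunks of the file reached the attacker-controlled zone before Threat Insight added its RPZ entry, which matches the few lines visible in the realtime-decode window.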
