PACKET HACKING VILLAGE - PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution via DNS & Text-Based Steganography

Video in TIB AV-Portal: PACKET HACKING VILLAGE - PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution via DNS & Text-Based Steganography

Formal Metadata

Title
PACKET HACKING VILLAGE - PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution via DNS & Text-Based Steganography
Alternative Title
PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
Data exfiltration through DNS typically relies on the use of DNS query fields to exfiltrate data via the attacker's DNS server. This approach has several shortcomings. The first is attribution, since attackers end up creating a trail back to their own infrastructure. The second is awareness, as DFIR analysts have made careful study of DNS fields as exfiltration vectors. The third is access, since companies are increasingly using DNS server whitelisting to prevent or alert on outgoing DNS queries to servers controlled by attackers. But what if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration? Through a combination of DNS queries and text-based steganography, we'll cover the methods used to transfer data across a network, hidden in plain sight, without direct connectivity between systems, while employing multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts. The presentation will include a demonstration of PacketWhisper, a new tool written in Python, that automates all of these steps for you. PacketWhisper will be made available on GitHub to coincide with this session (https://github.com/TryCatchHCF).
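A defender-side illustration of the detection point the abstract makes, added here and not part of the talk or the PacketWhisper project: the classic DNS-exfiltration indicator keys on long, high-entropy subdomain labels under one domain, which dictionary-encoded hostnames do not have, so the heuristics below also score each client's unique-query burst and NXDOMAIN ratio per time window. The log format, domain names, client addresses and thresholds are all constructed for this example.

```python
"""Detection heuristics for DNS-based exfiltration over sample query logs.

Added example (not code from the PacketWhisper talk or repository). It
contrasts the classic indicator (long, high-entropy labels under one
domain) with the quieter profile of dictionary-encoded hostnames, which
only stand out by volume and uniqueness. Format and thresholds assumed.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1533000000 10.0.0.5 www.example.com NOERROR
1533000001 10.0.0.5 mail.example.com NOERROR
1533000002 10.0.0.7 nb2wi3ljnzsw45dnfxfwyrlomf2gc.myevil-example.net NOERROR
1533000003 10.0.0.7 mfrggzdfmztwq2lknnwg23tpob2xe.myevil-example.net NOERROR
1533000004 10.0.0.7 onswg5dimvzc2dfn7rsxg5dbj5uxs.myevil-example.net NOERROR
1533000005 10.0.0.9 fileserver01.local NXDOMAIN
1533000006 10.0.0.9 printer-lobby.local NXDOMAIN
1533000007 10.0.0.9 hr-laptop-22.local NXDOMAIN
1533000008 10.0.0.9 backup-nas.local NXDOMAIN
1533000009 10.0.0.9 dev-box-17.local NXDOMAIN
1533000010 10.0.0.9 wifi-ap-3.local NXDOMAIN
1533000011 10.0.0.9 kiosk-frontdesk.local NXDOMAIN
1533000012 10.0.0.9 vpn-gw-2.local NXDOMAIN
1533000013 10.0.0.5 www.example.com NOERROR
"""

# Assumed thresholds; tune them against a baseline of the monitored network.
MAX_LABEL_LEN = 20          # longest benign hostname label we expect
MIN_ENTROPY = 3.5           # bits/char; base32/base64 payloads sit near 4-5
MAX_UNIQUE_PER_WINDOW = 5   # distinct qnames from one client in one window
WINDOW_SECONDS = 60
MIN_NXDOMAIN_RATIO = 0.8    # share of failed lookups in the window


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (ts, client, qname, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower().rstrip("."), rcode


def classic_indicator(qname: str) -> bool:
    """Classic check: any label that is both long and high-entropy."""
    for label in qname.split("."):
        if len(label) > MAX_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            return True
    return False


def analyze(text: str) -> dict:
    """Return {client: sorted reasons} for clients that trip any heuristic."""
    windows = defaultdict(lambda: {"qnames": set(), "total": 0, "nx": 0})
    findings = defaultdict(set)
    for ts, client, qname, rcode in parse_log(text):
        if classic_indicator(qname):
            findings[client].add("high-entropy-label")
        w = windows[(client, ts // WINDOW_SECONDS)]
        w["qnames"].add(qname)
        w["total"] += 1
        if rcode == "NXDOMAIN":
            w["nx"] += 1
    for (client, _), w in windows.items():
        # Many distinct names from one client in one window: plausible-looking
        # hostnames carry no payload-like label, so only volume gives them away.
        if len(w["qnames"]) > MAX_UNIQUE_PER_WINDOW:
            findings[client].add("unique-qname-burst")
        enough = w["total"] >= MAX_UNIQUE_PER_WINDOW
        if enough and w["nx"] / w["total"] >= MIN_NXDOMAIN_RATIO:
            findings[client].add("nxdomain-ratio")
    return {c: sorted(r) for c, r in findings.items()}


if __name__ == "__main__":
    for client, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(client, ", ".join(reasons))
```

Run against real resolver logs, the window and uniqueness thresholds need a per-network baseline; the entropy check alone would miss the second client entirely.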
so without what to do because I hear this very popular here so it is without much ado my pleasure to introduce to you try/catch HGF who's gonna give a talk on packing whisper thank you everybody for being here if you can't hear in the back because it's loud let me know I'll speak louder and we'll run forward with this welcome to Def Con welcome to one of my favorite villages we're gonna spend the next 50 minutes gonna have ten minutes for Q&A in transition covering some of my favorite absolute asbestos things I love packets I love networks I love cryptography especially text-based big and audre fee and I love Red Team stuff so what we're gonna cover here is real-world stuff I've done for a while I'm not going to talk about theory and what could be done everything we're discussing actually is a real thing I talk about what it is why it is and a little bit of background first a little bit about me hey I've got a promotion yesterday so now I'm technical director of red team ops and I can focus more on strategic stuff prior roles the most critical thing in the prior roles is I used to mop fish juice out of a cod locker at a fish and chip shop never forget where you're from and wherever you are right now wherever your kids are right now be where you're going to be
we'll talk a little bit about DNS it's not gonna be a DNS class it's more of a very high-level overview but I like everybody to be on the same sheet of music so you know what I'm where I'm coming from where you're coming from a little bit about text-based steganography then we're gonna talk about traditional text-based eggnog rafi traditional standard DNS exfiltration and then we're going to talk about some really fantastic things you can do when you marry those together and of course a
little tool called packet whisper let's
cover a scenario first anybody out there in a sock anybody out there in dfi our world at some point alarms trigger there's something on a system you dig a little deeper there's a little lateral movement now you found out sort of somebody in your network and they were gathering data onto a staging server in your network space so you start tracking them down right well good news you hit
that staging server doesn't look like anything left you checked everything the packet captures no USB was connected great let's go have a beer we'll leave the paper work to the other guys to talk to the CSO and the c-suite cuz we're done no data was lost yes
or did they merely lose the scent let's dive into a little bit about a DNS here
right DNS really simple right it turns system names into IP addresses and reverse it turns IP addresses into system names the great thing about DNS of course is it's open just about everywhere because it's hard to operate a network that's going to connect to other networks if you're not using some form of DNS in most scenarios so it's always there it's UDP so of course standard UDP joke applies you may get it you may not i PB ipv4 and ipv6 or options as well there were less you about DNS of course is not just UDP it's high latency not only you're not guaranteed to get an answer back but you're not exactly going to do a million requests in a space of a few seconds that sounds like a broken DNS server so a really simple flow right I need to get to google.com/jobs double comm so my system says hey does anybody know how I find dub dub dub Google comm and my system hasn't seen it before and it goes out to the local server DNS server and it says hey do you guys know how to get there it keeps asking and asking up the DNS servers ask each other until somebody knows what the heck this thing is or does not know either way you get an IP address back or you don't if your local
server doesn't have it your local server has a list of buddies DNS resolution servers either iterative or recursive and leave the go through a list hey t you know hey B you know hey - you know or it'll pass that trust up hey if you don't know it you can go ask other people online behalf if you've been following some of the headlines recently well if you've been following certain security topics in the larger industry recently there's been more and more concern about the fact that DNS traffic goes everywhere I'll talk about why that's gaining traction the DNS hierarchies are built on levels of trust at some point somebody has to speak up and say I am the person that knows the home address of that server absolutely it is 40 12 1 11.6 oh and you as the requesting system sits back and goes alright that sounds pretty good and then you make your request out to that IP address your system doesn't actually transfer data from a name it's using that IP address
so two types interim interim and recursive what really matters to us though is the DNS queries the labels don't allow a whole lot of data and as we'll see in existing DNS exfiltration techniques they try to shove a lot in there it's not a protocol you're ever going to use to exfiltrate gigabytes and terabytes of data unless you're really really really really patient but there's plenty of other sensitive data you can fit into a few k a few hundred k that'll work just fine and it's done all the time it's all based on fully qualified domain names so angry bobcat surprise gifts calm that is going to be a separate DNS reply than happy dot puppies dot surprise gifts calm and even though it's all surprise gifts it'll generate its own query the labels are case insensitive that matters for our purposes as well so mixed case all you want dns doesn't care dns won't notice there are a couple of
protocols that are multicast this is also going to be interesting for some of our use cases mdns multicast dns it's dns compatible it's essentially a peer-to-peer self-organizing network think of those device self discovery systems like a Bonjour you just plug in hey guys I'm here is anybody else here it goes out to the entire sub Network your slash 24 right one through 254 255 is your broadcast address so mdns multicast dns and local link and multicast name resolution on its support as well these are both multicast interesting thing on this particular set of protocols is [Applause] a request goes to everybody on a subnetwork you don't have to have fancy equipment we'll talk about promiscuous mode in a second but if you ever run Wireshark let's see if you're on Wireshark and just go ahead and monitor port 53 or just type DNS in the filter and you're sitting on a network you're at a coffee shop or wherever on most networks you're going to see a lot of various types of DNS requests coming from other systems that have nothing to do with you and they aren't asking you specifically they're asking everybody hey does anybody know what this thing is that's why DNS cache poisoning is a thing you want to get into of course that flow that says I totally speak for surprise gifts com that's the speed run
on DNS text-based steganography this stuff I've been fascinated with since I
was a little kid it was super fun and it still is there are a lot of different categories the taxonomy of steganography is much larger than is typically covered in any particular article or journal or blog these days when we talk about steganography we're talking about hiding data in images that's cool it's fun it's not bad it's kind of limiting though that's like wow I want to send a bunch of messages all right I'm gonna exfil this entire hundred gigabytes worth of data I got off of that giant cloud let's embed it all in images it's clunky it's kind of terrible honestly for most use case purposes if you're going to see image based steganography in the wild and you deify our sock folks know this better than I do it's usually going to be along the lines of some sort of tradecraft a little bit of information headline last week there was a engineer who was arrested it appears he was using image based steganography to read trade secrets of his aeronautics employer to bring them to another country so image-based steganography does get used absolutely but it's sort of that fringe case it it's not how the the typical bad guys are moving data around another problem with image based steganography is it's a well known vector Google for it anytime you google for steganography you're gonna find something about image based steganography back up to all of these options here you'll have to specifically put in text based steganography to bring up most of these topics text based in that vast world some really approachable examples if you haven't heard of it or used it before that the classic one is prisoners or soldiers deployed they're trying to communicate with their friends and family the first letter of every sentence just pull it off and you'll have the message I'm trying to send you or the seventh letter of every other word it's just really it's a cipher on top of the actual text code words for communication are technically text-based Eggert steganography you're hiding 
meaning you're hiding data so somebody you know the standard code phrases right I found the bagels to be delicious this morning well the agreement was that means get the hell out of town this whole operation just collapsed technically counts as text-based iconography some of them are amusing ones fonts spacing and themes now that we're in the era over the last twenty or thirty years of changing the appearance of text so you can actually use the number of spaces between words as is ink as an encoding scheme I don't think about binary it's just zero and one all right what if it's one space or two spaces some fonts you can't tell the difference you could transmit war and peace purely as ASCII text and have one or two spaces representing the ones or zeroes of the entire set of data you're trying to exfiltrate that's pretty cool too I think our particular friend however transforming data into text I really like this because it lets
you hide the data truly in plain sight and it gives you a whole lot of flexibility you tailor the ciphers to either look like nothing unusual or exactly what somebody is expecting to be okay so you've seen some there was a anytime you feel like a privilege escalation attack right and the classic example is somebody takes a photo of their air blind boarding pass and just puts pilot on top and then you walk in you say look it says I'm a pilot and this is big sharpie and it's hilariously bad you do the same thing when we're encoding data into text strings we're going to make it exactly what they want to see is fantastic for bypassing data whitelisting controls so if you have that sensitive network and you have a locked down Enclave and it's totally okay because the only thing that's ever going to leave outbound from this network we've got everything locked down only IP addresses nothing will ever go wrong transform your data into a list of IP addresses and ship it out odds are they're just like anybody here who does application development or has worked a knapsack knows that when you look at most filters and fields you're lucky if they're doing a stripping clip approach and the IP address is going to be limited to only numbers and four dots in the right sequence there's going to be a way to bypass that and you can use the ciphers as a form of social engineering against the analysts who are going to review it to cloaca flat cloaca 5x filtration toolset i present it's a couple years ago there's an old technique of mine and it was time to share and it turns any file type into a list of strings very simple to do that was my entire goal our kids are able to use it and it can be quite amusing so you can turn an entire zip file into a list of pokemons or a list of popular websites or a list of dessert ingredients and then when you've transferred that wherever it needed to go ud cloaca fie it and you have the original file back anybody who ever looked at anything along the 
way they saw exactly what you wanted to see so
you have a spreadsheet here's a cloaca
five workflow yeah this is just a speedrun check out the github repository it's free you just select local file file you select from any number of the ciphers in the middle there sorry it's tiny text you decide if you want to add noise in the front so in this particular shot we have turned a zip file bounty zip into a list of lat/long coordinates of pokemon and looks absolutely nothing like the zip file it originally was that's perfect
some of the ciphers you want to turn on into a bunch of emoji turn onto a bunch of emoji you want to turn it into password hashes turn it into password hashes it's why would you want to do that I got good stories so there it is
the slides everything is going to be posted next week so don't worry about having to take too many notes you can just pull it down probably at the end of next week this is already out there I'm just saying a slide deck will be out there cloaca files been out there for a few years all right we're getting closer to the good stuff traditional DNS exfiltration
if you've been doing any again shock work response work dfi are if you've been building controls to defend your systems DNS tunneling and exfiltration are probably not strangers to you frankly if you've ever tried to bypass the in-flight Wi-Fi DNS tunneling has probably been your friend because again DNS is open everywhere right yes including airplanes before you get past that lock screen that let that lock landing page that forced portal where they make you pay for your in-flight Wi-Fi some of the airline's have locked it down but for a very long time all the DNS requests were just going through and there were tools that would let you tunnel HTTP HTTPS or the DNS Rockstar power to the people DNS based data exfiltration that's been more of a adversarial operation I don't want to go all spooky apt oh it's all apts but whatever the attacker group is whoever it is there are plenty of tools out there go check github Google forum that will help you do dns based data exfiltration there is some say to heaven on the next one yeah problems coming up we'll get to
some problems typically how it works is the attacker has to own the server that is the name server the DNS name server for that domain so typically I can't do DNS based data exfiltration to dub dub dub google.com I don't own it but I own Joe's super-secret awesome bagel shop comm and Wham all the DNS requests that look up my domain are going to go to my designated name server because part of my web server presence in the world is designating who my authority authoritative nameserver is that's a pretty high bar for a lot of it we'll get to that why in just a moment
so here is typical DNS data based exfiltration sorry dns-based exfiltration you've got some data you want to get out the door bad admin bad Bob way to go Alice good password she probably has a password manager you simply encode or encrypt that data you're trying to get out and then you make the payload a subdomain - subdomain my evil server com I have told the world that the name server for my evil server com is a certain spot box over there and my designated box is going to get all of these sub domain DNS requests which have the encrypted encoded payload right there as the sub domain now we're still limited to about 255 ish bytes per DNS request so that's still one DNS request for every 250 plus bytes it's a niche scenario but it's a very real-world scenario this is happening a lot again
here we go the query the fully qualified domain name which is a sub domain and the domain goes to evil name server it goes ahead and strips off the sub domain and then it decrypts it and voila there's the exfiltrated data win for the bad guys here are some problems with
Those are red flags. If you've got a good SIEM system, you and your SOC analysts are going to be triggering on this type of activity all the time, because the attacker has to control the infrastructure. A lot of organizations, we'll get to that in just a moment. One of the first things a good response team is going to look at, as they're doing a formal analysis of what's been happening: let me look at the traffic that came off of that server, anything that looks like a weird subdomain name. And then there's attribution. So I've got to control the server, right? Oh, well, who are the bad guys? I know, let's find out who owns the server. When you have a lot of available data, attribution is actually fairly straightforward. It's not easy, but when you have enough available data, attribution is pretty solid. You have the visibility on when that domain was registered, who, how would interact with the DNS server, the name server, where any other requests coming into that name server. It requires you have access to a lot of infrastructure. Of course, who has access to all the infrastructure? Basically everybody that's not us: that is, a government, or a large giant company that handles network infrastructure, and the parties that are entrusted with processing that data. So again, it's out there; that trail of breadcrumbs leads back. There's only so much you can do with the "hey, I'm not in your political boundaries, you'll never get me". At some point you don't want people to know it was you, even if they can't touch you legally. Resiliency: take that server down. Oh, that one's a problem. I worked really hard to get into that organization; now I have no way of getting the data out. It's gonna look bad on my report. SOC blacklisting: an active attack, a detected attack, is going to cut me off short. Also, more and more organizations are implementing DNS whitelisting: you can't connect to a DNS server that they don't specifically say is OK. And odds are, if you're working on the blue team side, you're already doing that, or you have a roadmap to do that. If you're on the blue team side and you're not doing that, oh, for the love of God, look into DNS whitelisting. The stuff it's gonna break will annoy your employees, but it won't interrupt their workflow, if that makes sense. Now for the good stuff. We got through all the background, thanks folks. Combining DNS queries and text-based steganography.
So what have we got here? Oh, sorry. DNS queries look up system names, right? Cloakify turns any list of data, any file, into a list of strings we want. So if we decide to use Cloakify to transform our data into a list of common system names, and then generate DNS queries using that list, we're getting closer. We can transfer data to any system that's able to see the DNS broadcast messages, mDNS, LLMNR, or to any system or appliance that handles DNS query traffic along the DNS path, whether it's iterative or recursive. DNS queries go all over the world, especially when you start looking at the cloud. We can do this transfer without using any DNS query fields that usually make an analyst go "this is bad". We don't need an attacker-controlled DNS server anymore either, which is a really huge plus if you're trying to get the data out. So the sending and receiving systems never connect to each other directly. A great use case might be your favorite coffee shop: you know your victim, where you staged the data, likes to show up before their work shift. You show up and wait for them to show up, and then you've had a trigger or something; as soon as they connect, start exfiltrating that data out, because the coffee shop configured their network so you can see all the traffic, or it's a broadcast protocol, and you just pull it all out. There is no evidence any data was ever transmitted to you. If you've got a perimeter router that you've compromised, you're seeing all the network traffic through, right? You're the DMZ. Or it's using a third-party server; now we're looking at third-party attacks. If I can get into your network service provider, your ISP, I can see all that data going back and forth. We've got some caveats coming up; we'll deal with them. And if the resolving DNS server or involved network appliance is external to the organization, yes, we'll see how to build the query so that data will get out of the organization's network. I want to reiterate something here: any infrastructure outside of your organization that can see the requests. One more time: BGP hijacks have gotten sophisticated. It's no longer a nation-state trying to siphon all your stuff; the criminal groups in the last several months, within the year, have been using BGP hijacks to say "send all of the data through this path where I have controls". The problem with that, especially these new attacks, is they've started to poison the broader DNS cache. So you can do a BGP hijack of Google DNS, 8.8.8.8, we all know it and love it, right? That happened a couple of weeks ago: 8.8.8.8 had a BGP hijack attack associated with it. Didn't last very long; didn't have to. The attackers are using DNS cache poisoning and the time-to-live values, and the forged responses are going to persist in all of those downstream servers now, and your attackers have persistent, relatively persistent, access to all of your DNS queries now. So it's not just "can I get the data out in five minutes"; you may have hours, you may have days, and the only thing that's going to be in the logs are DNS queries to google.com, to strange domains. We'll see some use cases as we walk through.
Which brings us back to PacketWhisper. All right, so it's sending data everywhere; it broadcasts to the broadcast address through protocols on the local network. Why isn't this thing called PacketShout? It didn't sound real good, and also I'm not really good at marketing. But also, go to a vendor party, I'm sure you've been to a few already, and whisper to a friend, just talk to a friend: nobody can hear you over all the noise. You were totally screened out; all you were doing was talking to somebody. Doesn't ring any bells, doesn't bring any alarms. PacketWhisper is a nice little tool that does all these steps for you. I'm sure it qualifies as fun, and there are a lot of things you can do with it; try it out, maybe you like it. But if all you want to do is exfiltrate data via DNS like this, PacketWhisper wraps up all these pieces for you, and then you just give it a payload name. It encodes the payload you create, you choose the cipher (we'll get into the modes), it creates the DNS queries. You do the packet capture, however you do your packet capture: maybe you've got tcpdump, maybe you've got tshark, maybe you just own that network appliance that is going to be your point of capture. Once you've got that capture, that pcap, just send the pcap, load it up into PacketWhisper, and it'll do all the stuff: it'll extract it from the pcap, it'll decloakify it for you, and you'll have the file that you exfiltrated from the target organization. So our transmitter plugin: cloakify the payload into a list of DNS query targets. We create a single DNS request for each item on the cloaked list. Do not exfiltrate gigabytes of data. I mean, you can, you know, be the one that did it, but it will take a very, very long time; it takes minutes to get a few K out, depending on how you're doing this. In certain cases, it's now time to transmit, to send it out, to make the DNS requests: it'll create a knock sequence. Standard crypto, standard stealthy "hey, here's a couple of things I'm going to do". Sometimes it supports scanning, if you're a bad guy, a specific series of ports; sometimes, in this case, it's going to be a list of distinct queries. Why do I need that? Because everybody else is doing DNS queries on that same path, and when you're doing network address translation, all I can see is it's coming from the same base address of an organization; that IP address got sanitized. So in those cases, if the DNS query is not unique, you need that knock sequence, and it says "hey, now we need to look for this". There's a better way, though, if it turns out you're going to be going outside of an organization and all the stuff is sanitized; we'll see some unique requests going forward. Again, generate that DNS request, and we have to pause between each DNS request. If you do 10,000 DNS requests all in a row, it's kind of multi-threaded, and it's gonna show up all over the place and we're totally out of luck, so that's definitely an issue; we'll talk more about that. The packet capture: again, whatever your favorite packet capture tool is, all we're looking for is a pcap. We just need a standard pcap with the DNS queries, and then the tool will take care of the rest for you. The extractor/decoder takes a pcap and just pulls out the DNS queries, and if a knock sequence was used it's looking for the knock sequence (it's part of the workflow, we'll see it), and pulls out those queries from the pcap once it's made that association, and decloakifies the extracted payload.
Doing your time check: we're doing good, 20 minutes. Transmitting options. This is where you're actually going to be using this in the real world; again, this is not theory. Common system names make great ciphers, but they also have some limitations. If your DNS requests are for www.google, if they're for YouTube, if they're for GitHub, if it's for common systems, well, you're gonna defeat data blacklisting much of the time. Do a test run just to double-check, but the important thing is you're not going to be generating any data that raises alarms, either in the alerts or when an analyst goes ahead and takes a look at it. This is really only a good use if you're connected on the same subnetwork; this method really means the transmitter's IP address is available so that you can deconflict. If you send common system names out over a NAT'd perimeter, it's going to blend with everybody else's common names; you have no way to differentiate which is which. So back to that knock sequence: when I see a knock sequence in the packet traffic, it goes "oh, 10.1.10.72, this gave me the knock sequence, give me all DNS requests from 10.7.1.2.1.1.2, whatever I just said", and it'll go ahead and strip that out for you. Now, that's going to be a problem if that address had other people and other systems also generating similar traffic, right? So I find this method works particularly well if it is a device that doesn't typically reach out to the Internet. That could raise a little bit of concern, but it won't be generating all this traffic; it's a device that's normally just connecting to internal infrastructure, and it should never be going to facebook.com. All right, that's one, and it just looks like this. Going on to GitHub, I provide some ciphers, free to use, they're operational, but go to GitHub and build your own. The underlying Cloakify tool makes it really easy to create your own software ciphers; I'd want to create it if it wasn't easy to use and tailor and modify for your operational needs. And there you have it, a list; this is exactly what your traffic ends up looking like. Second transmitting
option: distinct, repeating fully qualified domain names. That is a mouthful; a lot of you are probably already like "yeah, I get it". Fully qualified domain names: when you're going to be moving that data where those IP addresses cannot be determined, the only way you're going to be able to figure out that it's your exfiltrated data is to give it a unique tag, however you choose to do that. The best route is through subdomains, unique subdomains, and we can repeat them because they're unique; nobody else is going to be generating traffic looking for that domain. Remember a key thing about PacketWhisper and this whole methodology: the DNS queries don't have to succeed. Failure is irrelevant; we just need the request to go out. That is our route of exfiltration. And so if you are a Buckaroo Banzai fan and you wanted to use the Red Lectroids cipher: the Red Lectroid cipher that comes with the tool is all of the Johns in Buckaroo Banzai. Aliens invaded the planet about 80 years ago, 60 years ago, and they all picked the same name, John, because they didn't understand human culture, and they all work at Yoyodyne Propulsion Systems. So if you do DNS queries using the Red Lectroid cipher, this will get outside of your organization, because at some point it's going to try to resolve it; unless it's seriously locked down, in most cases that's going to get out, because those subdomains do not exist. However, DNS caching will ruin that every time. Once I've asked for johnwhorfin.yoyodyne.com, wherever that DNS response is cached, I'm stuck. If my collection point is above that DNS cache, I'm never going to see further requests. How do we bypass that? What if I can't get my collection point... if we cannot set up our collection point downstream from the DNS caching point, we've got a problem. The solution is to make sure we add random noise into each subdomain name so that it will never cache; we're never going to repeat the same request. That's a problem, because the way that Cloakify encodes the data, it's a repeating series of base64-encoded data, so we need 66-67 repeating values in order to transmit the cloak, or we're never going to be able to decloak it. So we can use a common list of root strings and we can add a bunch of noise to it, to sort of make it look like blendy weird traffic, and then start making those DNS requests. First thing that may pop into your mind: well, that sounds kind of stupid, because we're back to the traditional DNS exfiltration model where somebody says "look, I encrypted a bunch of crap and I'm making the DNS request", and we're right back to every single SOC and SIEM infrastructure alerting all over the place and tracking it down. So we carefully select the domains that we're going to query when we're doing randomized noise. I love CloudFront for this, because all of your content domain servers, distributed network content servers, there's an acronym, I'm tired, sorry, they're all full of junk in the front, and they all go to CloudFront, or they all go to any of the other CDN servers out there, right? So what we do is, let's hijack, hmm, let's not use the word hijack, we're not attacking CloudFront: we go ahead and generate some randomness, but we use those 66-67 minimum strings that will let us encode our base64 payload. And if you look at what we do at the bottom, the yellow piece is the root of our cipher string. I'm sorry if that's low and you're sitting down and you can't see it, but the first six or so characters of all that weird-looking stuff are the actual cipher, then there's about seven or eight random characters of crud that matches the format of CloudFront requests, cloudfront.net. Remember, we don't need it to successfully resolve; we need it to go out as a DNS request chain. So now we've got some options, because it will never repeat. That's up to the code to be random, and there's plenty of entropy in here; because we're counting on it never to repeat, we're never worried about DNS caching. All right, there are some issues here. There are any number of ciphers for PacketWhisper you can use; you may not want to create your own. What if I just want to use it out of GitHub, TryCatchHCF, out of the box? What if somebody else is doing exfiltration too? I am NOT your problem at that point; the tool is not your problem. If you have that many people in your DNS chain that are running around going yoda-like, just shut it down and go home, meet me on the beach, we'll have drinks. Well, you know, we all got stories to share, each and every one of us; call me, DM me, they're open. So yeah, tailoring your cipher, of course, making it your own list of whatever words you deem appropriate. Maybe it's, all you know, the fourth thing I love that is not part of this talk is tacos. What if I decide that I'm going to use that cloudfront.net random methodology, except I'm going to go to robertos.com (sorry Roberto's, I love your tacos)? Nobody else is probably using that cipher. The problem is, the moment you tailor it, well, now it's the taco guy, and that's a little hard to hide out in the open. If you're using the same ciphers everybody else is, oh, it's mystery hacker group everywhere. So again, check the GitHub repository for Cloakify; it'll show you all of the options on how to make your own unique ciphers. It's really straightforward, and if it's not, then blame me and contact me and I will make it better. Receiving: capture that data any way you
want. Wireshark, tshark, tcpdump, capture tools on network appliances. If you're a network engineer out there, you know you've got better stuff out there than Wireshark. Capture utilities on wall displays and kiosks: they are 100% a thing. I have done this before: this happy little wall kiosk lets you do packet captures. I don't know why; I've never known who has ever needed to debug a wall kiosk to see all the traffic on the network, and yet here we are. This is why we can't have nice things. So there we go, however you're going to go ahead and pull the data. Don't worry about only filtering on the query names; PacketWhisper is going to take care of all that for you, minimum hassle. But if you need to minimize your capture bandwidth because of your point of collection, you were the threat team that did that BGP attack on 8.8.8.8, yeah, maybe only capture port 53 so that you're not capturing terabytes of data to sift through. I have not tested this on terabytes of data, so I guess if you're a nation-state you can do your own research too, and build your own code, and then submit a pull request, because it's about supporting the community. I have names in mind; I'm not gonna talk. You must be positioned to capture that packet traffic; that's the only, only requirement, people. So, nameservers... no, wait, we talked about multiple points already; I won't drill into that repeatedly. Be creative. I like network taps in my operations: wherever I can get into a network appliance somewhere and just click in a network tap. That implies some sort of physical access, but again, if you're a bad guy, and you know bad guys are relative, if you're a bad guy and they have hijacked DNS and now all that's going through their stuff anyway, they were able to do that without touching a thing. Oh, on the same Wi-Fi network, a capturing device in promiscuous mode, that's pretty awesome. If that's not going to work because of whatever scenario reason, then go ahead and use one of the modes; it does multicast. Wi-Fi networks: not all of them will let you see even other DNS requests. I've noticed in the last couple years in my operations that more and more Wi-Fi networks are using client isolation, so I can't see network shares, I can't see DNS requests, I can't see anything. It's really ruining a lot of fun, and that's a good thing. Making sure you're collecting on the right network path: standard wisdom applies, it's not a problem until it is, and then it's a real problem, because you went through all that trouble to get it right and now you can't get it out. Well, if you're a defender you're like "whew, barely missed that bullet". But between multi-homed systems and everything else, if you're going to be setting up a collection point, do a quick test, and you know it'll be an indicator, but what the heck, YOLO, and just Google for something, search for something weird or something common with a weird domain; a test CloudFront domain would be perfect, and see if you can detect it, and then you're okay. So I used dig and trace, if you're Linux types, UNIX types, or the Windows equivalent, to see where those paths are going. Extracting: again,
it does all the magic for you: read through the pcap, the knock sequence we talked about, and then it'll decloakify it for you. The only issues I have had, other than having to wait and be patient, is that occasionally a DNS query just goes off into the winds; I never see it. If it is operationally critical and you can't try again to exfiltrate, well, usually you're only missing one or two characters out of that base64 payload. It's a Python challenge: just brute force it and go have lunch. Just randomly add in A through F, 0 through 9, and try to decode it, and walk it down, and have a script respond to detect a change in size; walk away and you'll solve it. I've only had to do that once, specifically. All right, we talked about selecting query points, avoiding duplication; again, it's the same on a query path for all systems. It is slow. That is, of course, VPN connections, all right? Makes sense, right? If your system is using a VPN connection, everything is encrypted all the way out through that VPN server's exit point; you won't see anything along the way, and I keep forgetting that sometimes, and it's really annoying. Frequency analysis: not as huge of an issue if you slow down what you're doing.
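A defender-side reconstruction of the two pieces described above, the noisy-suffix CloudFront-style cipher and the extract-and-decloak step, written as an added example rather than PacketWhisper's or Cloakify's own code. It assumes the (source, query name) pairs have already been pulled out of the pcap (for example with `tshark -r capture.pcap -T fields -e ip.src -e dns.qry.name`), uses a hypothetical 65-root cipher built inline, and runs over constructed sample queries; the detection rule is that a client which looks up many never-repeating CloudFront hosts that all share a handful of fixed 6-character roots is worth a closer look.

```python
import base64
import string
from collections import defaultdict

# Hypothetical cipher: one fixed 6-character root per base64 symbol (64 symbols
# plus '=' padding, the 65 "repeating values" the talk refers to). The real tool
# ships its own lists; these roots are constructed for this example only.
B64_SYMBOLS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="
CIPHER_ROOTS = {f"d{i:05x}": sym for i, sym in enumerate(B64_SYMBOLS)}
ROOT_LEN = 6                 # the "first six or so characters" carry the cipher
NOISE_RANGE = (6, 9)         # "about seven or eight random characters of crud"
PARENT = "cloudfront.net"    # the CDN domain the queries are shaped to blend into


def classify_query(qname):
    """Return the cipher root if qname fits the root+noise pattern, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 3 or ".".join(labels[1:]) != PARENT:
        return None
    root, noise = labels[0][:ROOT_LEN], labels[0][ROOT_LEN:]
    if root in CIPHER_ROOTS and NOISE_RANGE[0] <= len(noise) <= NOISE_RANGE[1]:
        return root
    return None


def flag_sources(queries, min_hits=4):
    """Group matching queries by source; flag a source that issued at least
    min_hits matching names with no repeats (the random suffix defeats caching,
    but no real client looks up that many never-repeating CloudFront hosts).
    Returns {src: [roots in capture order]}."""
    per_src = defaultdict(list)
    for src, qname in queries:
        root = classify_query(qname)
        if root is not None:
            per_src[src].append((qname, root))
    flagged = {}
    for src, hits in per_src.items():
        names = [q for q, _ in hits]
        if len(hits) >= min_hits and len(set(names)) == len(names):
            flagged[src] = [r for _, r in hits]
    return flagged


def decloak(roots):
    """Map roots back to base64 symbols (capture order) and decode the payload."""
    return base64.b64decode("".join(CIPHER_ROOTS[r] for r in roots))


def recover_payloads(queries):
    """Full extractor: flag sources, then decode each flagged stream."""
    return {src: decloak(roots) for src, roots in flag_sources(queries).items()}


# Constructed sample: 10.1.10.72 transmits the payload b"ok" (base64 "b2s=");
# the other lookups are ordinary traffic, including a genuine-looking CDN host
# whose first label does not start with a cipher root.
SAMPLE_QUERIES = [
    ("10.1.10.72", "d0001bk7x2q9m.cloudfront.net"),
    ("10.1.10.40", "www.google.com"),
    ("10.1.10.72", "d00036p3zt8vn.cloudfront.net"),
    ("10.1.10.40", "d3gs5jyyksv7i.cloudfront.net"),
    ("10.1.10.72", "d0002cwq4hr6y.cloudfront.net"),
    ("10.1.10.72", "d00040j2m9ka5.cloudfront.net"),
]

if __name__ == "__main__":
    for src, payload in recover_payloads(SAMPLE_QUERIES).items():
        print(src, payload)   # prints: 10.1.10.72 b'ok'
```

The same per-source "never repeats, few roots" rule works as a SIEM query over resolver logs, independent of which cipher list was used, since only the decode step needs the roots.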
We already talked about most of the countermeasures up front, but just remember: canary data and honey data, really, really, really, really good. Data is gonna get out; if you have a way of your data trying to call home or call somewhere, so you know data got out, that's a good thing to know. You can worry about how it got out, but if you don't detect it having left the barn, you're not even going to have a chance. Good SOC analysts, absolutely. DNS query whitelisting: use it, reduce my attack space. And then awareness, which is why we're here. Now I've got a couple minutes: PacketWhisper demonstration. [Applause]
So this is not my production box, and this morning when I went to fire it up and checked everything, Wireshark is not working, connection failed, my shell commands were not able to find directory structures; this machine is borked. I have backups of the slides, so the tool is going live next week. It's been a long week and I got a lot going on; when I get home it is gonna go into the repository. But yes, near four hours ago... I apologize, I've been presenting a long time, and that has never happened to my system, ever. And I want to be clear, I can make sure to connect to NSA secure Wi-Fi at the hotel last night and I should have been totally safe, but no, my machine is screwed. However, because I've never had to use backup slides before, I'm happy I had backup slides that I can use. Now, it's menu-driven: broadcast a file, extract a file from a pcap, take a look at the ciphers. When you go to broadcast a file, it asks you what file do you want to load up, it will ask you which cipher do you want to use, and then it'll ask you to confirm; send, out it goes. When you've got that pcap, load it up in "extract file from pcap"; it just asks for a file name, BAM, does the magic we talked about, and if all goes well you've got that file sitting right there. I try to make the flow as realistic and repeatable as possible. Under the hood, you run packetWhisper.py, straight Python, cross-platform, yay. Sorry, 2.7; I'm gonna work on 3.x soon. Right now it's 2.7 because those are my operational needs and I'm being selfish. PacketWhisper broadcast and PacketWhisper capture are doing some of the under-the-hood magic; you can use those manually if you wanted to. I'll have a full tutorial when I get it up on GitHub; I like tutorials, I like self-explaining stuff. And there's a clone of Cloakify and Decloakify. That's it; there's no other crazy magic. Here's a workflow of it actually working, and I use the two tools by hand. The upper right, that upper corner, is transmitting; Wireshark is capturing the queries as they're being made; the bottom corner is loading the pcap and decoding it. In this case it is an MD5 hash to validate that the payloads, the .xls file, were the same through and through. Resources: again, you'll be able to pull those off when it goes up on GitHub next week. That is PacketWhisper, exfiltration toolset. I apologize for the computer hating my life, but check it out. Thanks for hanging in there; I know it's been a long stretch. [Applause]