DNSExfiltrator – Data Exfiltration over DNS

DNSExfiltrator is a tool that can be used by RedTeam to transfer (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.

DNSExfiltrator – Data exfiltration over DNS request covert channel

DNS service is available on most corporate network and it can be found not properly configured or restricted on the network side. you can use this tool to test your egress control and see if an attacker may use DNS to exfiltrate sensitive information.

By default, This tool uses the system’s defined DNS server, but you can also set a specific one to use (useful for debugging purposes or for running the server side locally for instance).

Alternatively, using the h parameter, to perform DoH (DNS over HTTP) using the Google or CloudFlare DoH servers.

By default, the data to be exfiltrated is base64URL encoded in order to fit into DNS requests. However some DNS resolvers might break this encoding (fair enough since FQDN are not supposed to case sensitve anyway) by messing up with the sensitivity of the case (upper or lower case) which is obviously important for the encoding/decoding process. To circumvent this problem you can use the -b32 flag in order to force Base32 encoding of the data, which comes with a little size overhead. If you’re using CloudFlare DoH, base32 encoding is automatically applied.

This tool supports basic RC4 encryption of the exfiltrated data, using the provided password to encrypt/decrypt the data.

DNSExfiltrator also provides some optional features to avoid detection:

  • requests throttling in order to stay more stealthy when exfiltrating data
  • reduction of the DNS request size (by default it will try to use as much bytes left available in each DNS request for efficiency)
  • reduction of the DNS label size (by default it will try to use the longest supported label size of 63 chars)

You can read more and download this tool over here: https://github.com/Arno0x/