Project: Exfil Techniques using Proxy Library

Hey there,

So I've been working on a project idea I had after I was analyzing a bunch of malware samples a couple weeks ago. It kind of started when I was figuring out more in detail how DNS Exfil works, and how most of those samples actually required a reverse (PTR) entry pointing back to their own resolver or DNS service.

I've been thinking about this a lot and wondered what's necessary to use DNS Exfil but without needing a PTR entry, and with the idea of using DNS as a tunnel network protocol that can "stream" data or other network protocols while simultaneously being able to bypass firewall restrictions this way.

DNS as a protocol itself is very harsh when it comes to packet size; everything beyond 1232 bytes gets cut off by most network routes (even here in Germany), so I had to implement something like the Partial Content network flow in HTTP (with content ranges, range requests and everything).

At some point I want this to be something like a GUI similar to how Hamachi worked back then, but with the idea to be an Instant Messenger-like UI for adding/removing friends ("peers") into groups ("networks").

Would love to talk about network and protocol internals if anyone is interested in things like this.

I had to try out a bunch of record types until I found the ones necessary to bypass my CGNAT firewalls. Usually when there was a deep packet inspecting firewall in between, you just had to set the first question to an A record type and it would just go through with the rest attached to the packet... which was kinda funny to see :D

Currently I have only implemented HTTP and DNS as network protocol abstractions, meaning every Tunnel and Proxy both understand DNS and HTTP (meaning also that DNS over HTTP/S works, HTTP/S over DNS works, etc.).

The next thing I want to try out is implementing ICMP Knocking techniques, which will be a challenge (due to it being portless, so everything has to be part of the payloads). And I want to try out whether or not SSH over DNS is also possible :D

It's implemented in pure Go, for your EDR evasion convenience :)

GitHub Repo: https://github.com/tholian-network/warps

submitted by /u/cookiengineer

from hacking: security in practice https://ift.tt/RvYLgKj
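The stacked-question trick and the 1232-byte ceiling the post describes, seen from the resolver or monitoring side, as an added example that is not part of the warps project or the original post: a minimal Go checker that parses the header and question section of a raw DNS message and flags queries a benign stub resolver would never send. The sample message, the constant name and the function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Practical UDP payload ceiling the post cites; larger messages tend to be dropped en route.
const maxUDPPayload = 1232
// skipName returns the offset just past an uncompressed wire-format name; anything else is malformed.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) && msg[off] != 0 {
		off += 1 + int(msg[off]) // length-prefixed label
	}
	if off >= len(msg) {
		return 0, errors.New("truncated name")
	}
	return off + 1, nil // skip the zero terminator
}
// Inspect parses header and question section: question count, first qtype (1 = A) and size check.
func Inspect(msg []byte) (questions int, firstType uint16, overLimit bool, err error) {
	if len(msg) < 12 {
		return 0, 0, false, errors.New("short header")
	}
	questions = int(binary.BigEndian.Uint16(msg[4:6])) // QDCOUNT
	overLimit = len(msg) > maxUDPPayload
	for i, off := 0, 12; i < questions; i++ {
		end, e := skipName(msg, off)
		if e != nil || end+4 > len(msg) { // need QTYPE and QCLASS after the name
			return 0, 0, false, errors.New("truncated question")
		}
		if i == 0 {
			firstType = binary.BigEndian.Uint16(msg[end:])
		}
		off = end + 4
	}
	return questions, firstType, overLimit, nil
}
// Suspicious encodes the post's observation: a real lookup carries exactly one question, so an
// A-type first question with more stacked behind it, an over-limit or a malformed message is flagged.
func Suspicious(msg []byte) bool {
	q, t, over, err := Inspect(msg)
	return err != nil || (q > 1 && t == 1) || over
}

// Constructed sample: QDCOUNT=2, first question a.test/A, second x.test/TXT stacked behind it.
var sampleQuery = []byte("\x12\x34\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00" +
	"\x01a\x04test\x00\x00\x01\x00\x01" + "\x01x\x04test\x00\x00\x10\x00\x01")

func main() { fmt.Println("suspicious:", Suspicious(sampleQuery)) }
```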
