browsertunnel: Surreptitiously exfiltrate data from the browser over DNS
Browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser’s debugging tools, is not blocked by a page’s Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios.
The project comes in two parts:
- A server, written in golang, functions as an authoritative DNS server which collects and decodes messages sent by browsertunnel.
html/folder, encodes and sends messages from the client-side.
How it works
Browsertunnel can send arbitrary strings over DNS by encoding the string in a subdomain, which is forwarded to the browsertunnel server when the browser attempts to recursively resolve the domain.
Longer messages that cannot fit in one domain (253 bytes) are automatically split into multiple queries, which are reassembled and decoded by the server.
Setup and usage
First, set up DNS records to delegate a subdomain to your server. For example, if your server’s IP is
192.0.2.123 and you want to tunnel through the subdomain t1.example.com, then your DNS configuration will look like this:
On your server, install browsertunnel using go get. Alternatively, compile browsertunnel on your own machine, and copy the binary to your server.
go get github.com/veggiedefender/browsertunnel
Next, run browsertunnel, specifying the subdomain you want to tunnel through.
For full usage, run browsertunnel -help:
For more detailed descriptions and rationale for these parameters, you may also consult the godoc.
For real-world applications of this project, you may want to fork and tweak the code as you see fit. Some inspiration:
- Write messages to a database instead of printing them to stdout
- Transpile or rewrite the client code to work with older browsers
- Make the ID portion of the domain larger or smaller, depending on the amount of traffic you get, and ID collisions you expect
- Authenticate and encrypt messages for secrecy and tamper-resistance (remember that DNS is a plaintext protocol)
Copyright (c) 2020 Jesse Li