SharpDNSExfil
SharpDNSExfil is an exfiltration tool written in C#. The main objective is to exfiltrate any “on disk” files without having to worry about restricted outbound connections.
Prerequisite
- The remote machine should be able to resolve DNS
Why did I do this?
I got blind RCE during my engagement, and it turns out the remote machine has firewall protection which doesn’t allow outbound connections and gave me a hard time getting a reverse connection. The good thing is, the DNS server can resolve public domains and is able to reach me through DNS. The thing is, I still couldn’t get a reverse shell; I could read some small outputs, but no bueno. So I had an idea to automate the process through just DNS and recurse all the steps, and it’s finally working!
CAVEAT: The whole process has just been tested through a custom public DNS server but hasn’t been fully tested in a real corporate environment. So use it at your own risk!
OPSEC Consideration
All SharpDNSExfil steps and processes are executed in memory without touching the disk, to avoid leaving rubbish during an engagement. With the --verbose option, SharpDNSExfil reports each step or process that it performs in the background. Each byte sent is XOR-encoded, and the key is further encrypted with asymmetric encryption so that it never appears in plain text in network traffic. Be extra careful, always take notes, and clean up on the client’s property.
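On the monitoring side, traffic of this kind still passes through the resolver as DNS queries, so resolver logs are where it shows up. The following is an added example, not part of SharpDNSExfil: it flags clients that send many unique, long, high-entropy subdomains under one parent zone. The "client qname" log format, the zone names, and the thresholds are constructed assumptions, and it assumes the data travels in query-name labels, which this page does not specify.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_zone(qname, depth=2):
    """Naive split into (parent zone, subdomain labels); no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), labels[:-depth]

def find_exfil_candidates(log_lines, min_unique=4, min_len=24, min_entropy=3.0):
    """Return (client, zone) pairs with many unique encoded-looking subdomains."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        zone, sub = split_zone(qname)
        payload = "".join(sub)
        # Encoded data yields long labels with near-uniform character use.
        if len(payload) >= min_len and entropy(payload) >= min_entropy:
            seen[(client, zone)].add(payload)
    return sorted(k for k, v in seen.items() if len(v) >= min_unique)

# Constructed sample resolver log: "<client-ip> <query-name>"
SAMPLE_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    # One long CDN-style name on its own stays below min_unique.
    "10.0.0.5 d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6.cdn.example.net",
    "10.0.0.9 3fa91c0e7b52d8644d6e0a1f8c39b725.collector.example",
    "10.0.0.9 b07d4e19a35c2f8668f2c53a91e4d70b.collector.example",
    "10.0.0.9 e5c8137a0f9d26b44b62d9f0a7318c5e.collector.example",
    "10.0.0.9 9a4f60d2c7e1b358853b1e7c2d06f4a9.collector.example",
    "10.0.0.9 9a4f60d2c7e1b358853b1e7c2d06f4a9.collector.example",  # retry
]

if __name__ == "__main__":
    for client, zone in find_exfil_candidates(SAMPLE_LOG):
        print(f"possible DNS exfiltration: {client} -> {zone}")
```

XOR encoding does not lower the entropy of the labels, so this heuristic is unaffected by it; tune the thresholds against a baseline of your own resolver traffic.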