The Hacker Mindset: DNS as a Full C&C Channel (and crazy ideas)

This is a pretty good example of “the hacker mindset” at work…

DNS is normally a very boring protocol. It’s not meant to let two particular computers communicate: it acts as a distributed directory, letting one computer query the world and find out that “” should be translated to “”.

One clever (white-hat) attacker figured out a way to use this seemingly innocuous service to let a hacked computer communicate with the hacker, even when all communication’s been seemingly blocked. Generally, though the “meaty” services like web browsing might be heavily filtered and scrutinized, DNS is often ignored. This presents an opportunity.

If the hacker owns the domain name, the hacker can decide that a particular computer is the authoritative nameserver for the “” subdomain. Any requests from anywhere on the internet for, e.g., “” will get directed to the computer the hacker has designated as the nameserver.

That nameserver can in turn reply to those requests with whatever it likes, up to 255 bytes in a so-called “TXT record.”

Therefore, the hacked computer only needs to pretend it wants to visit “,” and the Internet will cheerily forward the notice on to the hacker’s computer, which now replies, “glad to hear it, here’s what to do…” (except in machine code)

It’s even possible for the hacker’s computer to transmit a file this way, but with a limit of 255 bytes per packet it takes quite a while and creates rather a lot of extraneous traffic.
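That extra traffic is what a defender can look for. The following Python is an added example, not code from the original post: it groups a DNS query log by client and zone and flags pairs with many unique, long, high-entropy query names. The log records, the thresholds, and the "last two labels" zone split are all assumptions made for illustration.

```python
import hashlib, math
from collections import Counter, defaultdict

MIN_UNIQUE, MIN_MEAN_LEN, MIN_ENTROPY = 30, 25, 3.5  # assumed thresholds, tune per network
TXT_MAX = 255  # per-reply payload ceiling used in the text above

def sample_log():
    """Constructed (client, qtype, qname) records; every name is a placeholder."""
    log = [("10.0.0.5", "A", "www.intranet.example"),
           ("10.0.0.5", "A", "mail.intranet.example"),
           ("10.0.0.5", "TXT", "_dmarc.intranet.example")]
    # Benign but chatty: many unique, short, low-entropy names.
    log += [("10.0.0.7", "A", f"img{i}.cdn.example") for i in range(35)]
    # Tunnel-like: many unique, long, random-looking names, all TXT.
    log += [("10.0.0.9", "TXT",
             hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.zone.example")
            for i in range(40)]
    return log

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    # Assumption: the delegated zone is the last two labels (no public suffix list).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnels(log):
    groups = defaultdict(lambda: {"subs": set(), "txt": 0})
    for client, qtype, qname in log:
        sub, parent = split_name(qname)
        g = groups[(client, parent)]
        g["subs"].add(sub)
        g["txt"] += qtype == "TXT"
    alerts = []
    for (client, parent), g in sorted(groups.items()):
        subs = sorted(g["subs"])
        mean_len = sum(map(len, subs)) / len(subs)
        ent = entropy("".join(subs))
        if len(subs) >= MIN_UNIQUE and mean_len >= MIN_MEAN_LEN and ent >= MIN_ENTROPY:
            alerts.append({"client": client, "zone": parent, "unique_names": len(subs),
                           "mean_len": round(mean_len, 1), "entropy": round(ent, 2),
                           "max_txt_bytes": g["txt"] * TXT_MAX})
    return alerts

if __name__ == "__main__":
    for alert in find_tunnels(sample_log()):
        print(alert)
```

The chatty but benign client (35 unique short names) is not flagged because its names fail the length and entropy checks; `max_txt_bytes` is an upper bound on what the TXT replies could have carried at 255 bytes each.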

Speaking of crazy exfiltration methods, there’s this guy sitting in a Moscow airport… here are my ideas on what he could do. Feel free to add your own.

* Build a biological 3D printer in Ecuador/Iceland and exfiltrate via DNS.

* Get safe passage to St. Petersburg, fly in Moxie Marlinspike, charter a yacht, and get it declared a temporary part of the Ecuadorean/Venezuelan/Icelandic navy. Disadvantages: arrests have been made in international waters before and upheld by courts, so the foreign naval status would be the only defense.

* Jet charter from Sheremetyevo, loaded with enough journalists to discourage mid-air attack, and either paid for by random Icelandic hosting firm or by selling seats to the world media. Disadvantages: having to give interviews for 12 hours straight would be taxing even for a professional celebrity, much less someone who can count on their every word being probed for avenues of attack.

* Very large suitcase, the heated and pressurized cargo area of a modern jet, and complicity from the Sheremetyevo baggage handlers. Disadvantage: fails the Kerckhoffs test, so might as well —

* Reunite with and take the risk of a forced landing and a willingness to invade Russian territory. (Aeroflot jets are Russian territory under Russian law, and with the current war of words one might guess they would be defended as such!) Disadvantages: requires a flight over Colombia, and (possibly also an advantage) virtually guarantees infinite news media attention en route.

* Find Ford Prefect and borrow an Electronic Thumb, or otherwise figure out how to hitch a ride on a UFO.

“Many networks are like sieves. A reverse TCP payload or an HTTP/S connection is all it takes to get out. Once in a while, you have to whip out the kung-fu to escape a network. For these situations, DNS is a tempting option. If a system can resolve a hostname, then that host can communicate with you.

Unfortunately for penetration testers, our options to exfiltrate data and control a payload with DNS are… limited. Well, until today. Cobalt Strike users now have the ability to control Beacon, entirely over DNS.[…]

As tempting as DNS is, it’s not without its drawbacks. Communication over DNS is slower than other options. It’s also difficult to graft a communication protocol on top of DNS in a non-obvious way. Seemingly small data transfers require many DNS requests to complete. In short–if someone looks closely enough, they’ll see you. I’ve always wanted the ability to control a system with DNS, but only when I need it. If another protocol makes sense, I’d prefer to use that instead.”
