Monthly Archives: January 2015

Bash data exfiltration through DNS (using bash builtin functions)

After gaining ‘blind’ command execution access to a compromised Linux host, data exfiltration can be difficult when the system ibinbash2s protected by a firewall. Sometimes these firewalls prevent the compromised host to establish connections to the internet. In these cases, data exfiltration through the DNS-protocol can be useful. In a lot of cases DNS-queries are not blocked by a firewall.  I’ve had a real life situation like this, which i will describe later on.

There are several oneliners on the internet available to exfiltrate command output through DNS. However, i noticed that these are using Linux applications (xxd, od, hexdump, etc), which are not always present on a minimalistic target system. I decided to create a oneliner, which is only using Bash builtin functionalities. The oneliner can be used whenever command execution is possible and Bash is installed on the compromised system.

Continue reading