DETECTING DNS TUNNELLING WITH WIRESHARK

Alparslan Akyıldız academy
3 min read · Apr 3, 2019


Today we will discuss detecting a DNS tunnel on the network. An analyst has many ways of inspecting network traffic. First of all, an analyst may not be able to collect full pcap traffic at all times, but central sensors collect the logs and send them to central log servers. In other words, the analyst can mirror the traffic and send it to OSSEC for analysis with Suricata or Bro. In this post I use Wireshark to analyse a DNS tunnel. Before we start, I present my Udemy trainings; if you want, you can benefit from them to learn this in more depth;

First I want to give some basic information about DNS tunnels;

According to the cyber kill chain, in the "actions on objectives" step of an attack, attackers exfiltrate data in various ways, such as a DNS tunnel, SSL tunnel, ICMP tunnel or SSH tunnel. In the DNS tunnel method the attacker sets up a server that receives DNS queries and responds to them, and places a malicious program on the client that sends continuous DNS queries to the malicious server. Iodine or dnscat can be used to generate a DNS tunnel. OK, let's clarify this issue;

In this picture the attacker creates a DNS tunnel to bypass the firewall and perimeter security measures. First he uploads the iodine client to the victim and sets up the iodine server on Kali. The iodine server waits for DNS queries in order to establish the tunnel, and the iodine client continuously sends DNS requests with different subdomains, because the DNS caching mechanism would otherwise cache the responses sent by Kali. So the client program creates random, long subdomain strings so that the answers are not served from the DNS cache, which makes data exfiltration inside the DNS tunnel possible.

Below, I created a tunnel with dnscat2 and saved the capture to analyse it in Wireshark. To filter dnscat traffic we could use the filter dns contains dnscat2, but an attacker can easily change this domain, so it is not a real solution. Instead I wrote a filter like this;

dns.qry.name.len > 15 and !mdns

15 is not a fixed value; I simply filtered for subdomain queries whose length is greater than 15.

If you look at the traffic you can see the long subdomain strings arriving continuously. The client generates different subdomains to keep the connection to the C2 alive. So if you see this pattern on your network, start with traffic analysis as part of your incident response.
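As an added example (not part of the original post), the same rule expressed as detection logic in Python over a constructed list of query names. It goes slightly beyond the Wireshark filter: it measures only the subdomain part rather than the whole name, adds Shannon entropy as a second signal for random-looking labels, and approximates !mdns by skipping .local names (an assumption, since Wireshark excludes the mDNS protocol rather than the suffix).

```python
import math
from collections import Counter

# Constructed sample of DNS query names (not real captured traffic):
# ordinary lookups mixed with the kind of long random labels a tunnel
# client emits so that every query defeats the resolver cache.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "_services._dns-sd._udp.local",   # mDNS-style name, skipped like '!mdns'
    "7a2c8f19e0b3d4c5a6f7e8d9c0b1a2f3.tunnel.example",
    "b91d0e3f4a5c6d7e8f9a0b1c2d3e4f5a.tunnel.example",
    "x4k2m9q1w8e7r6t5y3u2i1o0p9.c2.example",
]

THRESHOLD = 15  # same length threshold as the Wireshark filter on the page


def subdomain_part(qname: str) -> str:
    """Strip the registered domain (assumed to be the last two labels)."""
    labels = qname.strip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def shannon_entropy(s: str) -> float:
    """Bits per character; random tunnel payload scores high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious(qname: str, threshold: int = THRESHOLD) -> bool:
    """Mirror 'dns.qry.name.len > 15 and !mdns', judged on the subdomain only."""
    if qname.endswith(".local"):  # assumption: treat .local names as mDNS
        return False
    return len(subdomain_part(qname)) > threshold


def flag_queries(qnames, threshold: int = THRESHOLD):
    """Return (qname, subdomain length, entropy) for each query that trips the rule."""
    hits = []
    for q in qnames:
        if is_suspicious(q, threshold):
            sub = subdomain_part(q)
            hits.append((q, len(sub), round(shannon_entropy(sub), 2)))
    return hits


if __name__ == "__main__":
    for name, length, entropy in flag_queries(SAMPLE_QUERIES):
        print(f"{name}: subdomain length {length}, entropy {entropy}")
```

A real deployment would run this over resolver logs or a Zeek dns.log rather than a literal list, and would tune the threshold to the baseline of the network.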
