Hello, welcome to the Wednesday, July 27th, 2016 edition of the Santernet Storm Center's

Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Usually when I'm teaching our intrusion detection in-depth class, SEC 503, I demonstrate some data exfiltration via DNS. Now, typically, in order to then retrieve

additional commands, I'm using text records. That's what most people do in a case like this.

But of course, the problem with text records is that they're not all that usual and are a bit more noisy than it could be.

Well, last time in a demo of the script I sort of got the idea that I could also do that via quad A records instead of text records.

Quad A records return IPV6 addresses.

Of course, there I have 16 bytes of hexadecimal data that can then easily be converted back into a shelf script on the receiving end.

So today I wrote up a little diary around this with scripts that allow you to upload a script into a

DNS server as quad A records and then to retrieve it from the compromised host again

using shell tools like dig in all and then convert the hexadecimal output into the shell command,

that in turn, exfeltrates Zeta back to the DNS server via standard A queries.

Pretty neat script, so if you need it for a pen test or so,

let me know how it works for you.

From a defensive point of view, of course,

just like any covert channel, you do

want to look at anomalies like why is a certain server looking up so many DNS records that

should raise an alert. And Microsoft announced that it will unify its different mobile

authenticator offerings.

Right now Microsoft has two different authenticators, one for your Microsoft account when you

log in on a website.

...