• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2018
  • September
  • 11
  • PacketWhisper Exfiltration Toolset

PacketWhisper Exfiltration Toolset

September 11, 2018July 27, 2019 Comments Off on PacketWhisper Exfiltration Toolset
cloakify toolset packetwhisperer

PacketWhisper – Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains

Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.


Traditional DNS exfiltration relies on one of the following: DNS tunneling; Hiding data in DNS query fields; or Encoded / encrypted payloads that are broken up and used as subdomains in the DNS query. All of these methods require that the attacker control a domain and/or an associated DNS Name Server to receive the data, which leads to attribution. Those approaches are also vulnerable to DNS Name Server blacklisting (common) and whitelisting (increasingly common). Another problem is that DFIR analysts are familiar with these methods, and SIEM systems will often detect and alert on seeing them.

PacketWhisper overcomes these limitations.

What if data could be transferred using the target’s own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or to a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?

 

How It Works

To make it all happen, PacketWhisper combines DNS queries with text-based steganography. Leveraging the Cloakify Toolset, it transforms the payload into a list of FQDN strings. PacketWhisper then uses the list of FQDNs to create sequential DNS queries, transferring the payload across (or within) network boundaries, with the data hidden in plain sight, and without the two systems ever directly connecting to a each other or to a common endpoint. The ciphers used by PacketWhisper provide multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts.

To receive the data, you capture the network traffic containing the DNS queries, using whatever method is most convenient for you. (See “Capturing The PCAP File” below for examples of capture points.) You then load the captured PCAP file into PacketWhisper (running on whatever system is convenient), which extracts the payload from the file and Decloakifies it into its original form.

DNS is an attractive protocol to use because, even though it’s a relatively slow means of transferring data, DNS is almost always allowed across network boundaries, even on the most sensitive networks.

Important note: We’re using DNS queries to transfer the data, not successful DNS lookups. PacketWhisper never needs to successfully resolve any of its DNS queries. In fact PacketWhisper doesn’t even look at the DNS responses. This expands our use cases, and underscores the fact that we never need to control a domain we’re querying for, never need to control a DNS Name Server handling DNS requests.

 

Limitations / Use Notes

Be sure your PCAP file is actually PCAP format. If you used tcpdump or WinDump to capture the file you’ll be fine. Wireshark however offers a wide variety of “Save As…” options for saving Wireshark traffic, only one of which is actually tcpdump/PCAP friendly. I’m working on better error reporting to help catch mistakes early.

Not a secure encryption scheme. PacketWhisper is not a secure encryption scheme. It’s vulnerable to frequency analysis attacks. Use the ‘Unique Random Subdomain FQDNs’ category of ciphers to add entropy and help degrade frequency analysis attacks. If payload secrecy is required, be sure to encrypt the payload before using PacketWhisper to process it.

Not a high-bandwidth transfer method. PacketWhisper relies on DNS queries, which are UDP-based, meaning order of delivery (or even successful delivery) of the request is not guaranteed. PacketWhisper by default adds a small (1/2-second) delay between each DNS query. You can safely transfer payloads at a rate of about 7.2K per hour (120 bytes per minute). That’s based on the size of the original payload, not the Cloakified output file. You can opt for no delay between between queries, which dramatically speeds up the transfer but at the risk of increased network noise and corrupted payload.

And let’s face it, if you have non-DNS modes of data transfer available, you can just use the main Cloakify Toolset project to hide the file in plain sight (maybe turn the payload into a list of PokemonGo monsters w/ LatLon coordinates) and use all that high bandwidth available via FTP/HTTP/etc. DNS is extremely useful when other protocols are blocked, but always be aware of your options.

DNS is DNS. Different OS’s have different DNS caching policies, etc. Networks may be down, isolated, etc. PacketWhisper includes a quick manual check to see if it can resolve common FQDNs, but DNS is often a messy business. Remember the old IT troubleshooting mantra: “It’s always DNS.”

 

Requires

  1. Python 2.7.x (3.6.x port is underway)
  2. For decoding payloads: tcpdump (included on Linux & MacOS) or WinDump (Windows)

 

PacketWhisper Exfiltration Toolset presentation

PacketWhisper Exfiltration Toolset Download

Post navigation

Web Traffic Generator – A quick and dirty HTTP/S “organic” traffic generator.
Amass – Subdomain Enumeration Tool

Related Articles

DefaScan: Defacement Scan and Alert

DefaScan: Defacement Scan and Alert

- Hack Tools
February 2, 2023
curio: finds risks and vulnerabilities in your code

curio: finds risks and vulnerabilities in your code

- Hack Tools
February 1, 2023
Monomorph - MD5-Monomorphic Shellcode Packer - All Payloads Have The Same MD5 Hash

Monomorph – MD5-Monomorphic Shellcode Packer – All Payloads Have The Same MD5 Hash

- Hack Tools
February 1, 2023
hacker gadgets
hacker phone covers

Recent Posts

DefaScan: Defacement Scan and Alert

DefaScan: Defacement Scan and Alert

February 2, 2023
curio: finds risks and vulnerabilities in your code

curio: finds risks and vulnerabilities in your code

February 1, 2023
Monomorph - MD5-Monomorphic Shellcode Packer - All Payloads Have The Same MD5 Hash

Monomorph – MD5-Monomorphic Shellcode Packer – All Payloads Have The Same MD5 Hash

February 1, 2023
A Guide to Crypto Self-Custody

A Guide to Crypto Self-Custody

February 1, 2023
CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library

CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library

February 1, 2023
wa-tunnel: TCP Tunneling through Whatsapp

wa-tunnel: TCP Tunneling through Whatsapp

February 1, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW