PSUDP

PSUDP demonstrates passive, network-wide covert communication and covert file exfiltration. While several high-bandwidth DNS tunnel implementations are freely available, they all use similar strategies: storage channels are created in DNS requests by encoding data in subdomain labels, while responses take many forms, such as TXT, NULL, and CNAME resource records, to complete the bi-directional link. However, these tunnels may be detected by examining subdomain labels and irregular resource records in responses. Additionally, these tunnels only provide communication through the active generation of traffic.

This is a proof-of-concept tool that shows how DNS traffic may be manipulated to create high-bandwidth storage channels by creating slack space in legitimate DNS packets at the UDP layer. This slack space does not affect DNS resolvers/servers and is not examined by IDS/DPI tools. The presentation shows how it is also possible to create this slack space in the middle of the DNS packet instead of simply appending it to the end of the packet.
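The detection side of the technique described above, as an added example that is not part of the PSUDP source: a parser that compares the IP total length against the UDP length field and returns any trailing bytes the UDP header does not cover (the appended-slack case). The IPv4/UDP frame builder, the DNS query name and the hidden payload are all constructed here for offline testing; checksums are left at zero.

```python
import struct
from typing import Optional, Tuple

def dns_query(name: str) -> bytes:
    """Constructed minimal DNS A query (12-byte header + QNAME + QTYPE/QCLASS)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_ipv4_udp(payload: bytes, udp_len_override: Optional[int] = None) -> bytes:
    """Constructed IPv4+UDP frame to port 53. udp_len_override lets a test
    declare a UDP length shorter than the bytes IP actually carries, which is
    how trailing slack space appears on the wire. Checksums are zeroed."""
    udp_len = 8 + len(payload) if udp_len_override is None else udp_len_override
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0)
    ip_total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53]))  # constructed addrs
    return ip + udp + payload

def udp_slack(frame: bytes) -> Tuple[int, bytes]:
    """Return (slack length, slack bytes) for an IPv4/UDP frame.

    The UDP length field should equal the whole IP payload (UDP header plus
    data). Any bytes IP delivers beyond that length are never seen by the DNS
    parser in a resolver, and a DPI engine that trusts the UDP length skips
    them too, so a non-zero result on port-53 traffic is worth alerting on."""
    ihl = (frame[0] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17:
        raise ValueError("not a UDP datagram")
    ip_payload = frame[ihl:ip_total]
    udp_len = struct.unpack("!H", ip_payload[4:6])[0]
    if udp_len < 8 or udp_len > len(ip_payload):
        raise ValueError("malformed UDP length field")
    slack = ip_payload[udp_len:]
    return len(slack), slack

if __name__ == "__main__":
    q = dns_query("example.com")
    print(udp_slack(build_ipv4_udp(q)))                       # (0, b'')
    covert = build_ipv4_udp(q + b"hidden", udp_len_override=8 + len(q))
    print(udp_slack(covert))                                  # (6, b'hidden')
```

Running the check over a pcap of resolver traffic and alerting on any non-zero slack on UDP/53 covers the appended variant; the mid-packet variant the presentation describes needs the DNS message itself walked and compared against the declared lengths.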

The Black Hat presentation, paper, and source code are below!

Attachments:
- psudp_born_slides_bh_2010.pdf (1.13 MB)
- psudp_born_paper_bh_2010.pdf (278.02 KB)
- psudp.tar (100 KB)