Escaping from isolated networks using Broadcast DNS (opens in new tab)

(medium.com)

38 pointsjviide2y ago2 comments

2 comments

I'm not familiar with broadcast DNS. Does this purely result in an exfiltration capability or is there the possibility of a return channel as well?

oherrala2y ago

Greetings from SensorFu and thanks for a good question! Sending DNS query via broadcast is a hack to escape from isolated environments and it takes advantage of operating system IP-stack's shortcomings. Since this is probably not conforming to any specifications anything could happen.

I'd say return channel might work and it depends on the device used to exfiltrate out. In case of proper DNS server like Active Directory mentioned in the article it's likely that it could work. But we have not yet done testing.

We have also seen devices that are not DNS servers and still just forward broadcast packets from one network interface to another. In such case the return channel might not be possible.

1 more reply

j / k navigate · click thread line to collapse

2 comments

phyzome2y ago

I'm not familiar with broadcast DNS. Does this purely result in an exfiltration capability or is there the possibility of a return channel as well?

oherrala2y ago

We have also seen devices that are not DNS servers and still just forward broadcast packets from one network interface to another. In such case the return channel might not be possible.

1 more reply

j / k navigate · click thread line to collapse