Hello, Didier Stevens here with the sixth video on my DNS resolver tool, where we look at the exfiltration command. So let's take the man page. Okay, here you have the exfiltration command. The type is exfiltration, it takes a label like all the other commands, and an optional answer. Like here in the example, you can see that a possible answer is to return an internet A address, 127.0.0.1, so localhost. So let's run this. So type is exfiltration and the label, let's say dataleak, and I'm not going to provide an answer. So if I do DNS queries to a dataleak label, then I will get "no domain". Okay. So this is running.

Now let's look at how we need to format our queries to exfiltrate data. And that is also explained in the man page. Okay, here you have this. So here you see dataleak.example.com. And this is hexadecimal data that you will need to send to send data to the DNS server, so it can keep this and write it to disk. So it is formatted as follows. So you have hexadecimal digits here, separated by dots. So these are different labels, and they are also all big-endian. So the first one here is two bytes, and this is the file number. So in this example here, we are working with file number zero. And here you have, again in hexadecimal, four bytes: the size of the file we are going to exfiltrate. And then here we will write data. So first of all, we tell the position where we are going to write, so here position zero, and then the number of bytes we are going to write here, four hexadecimal bytes. And so you repeat this command several times to exfiltrate data. I do this with the VBA code that I have in an Excel spreadsheet, but here I'm going to show you how to do this manually, and then you can develop your own script in any language that you want. And once you have written all the data, then you close the file, and at that moment my DNS resolver will write the file to disk.
You close the file just by giving the file number, and then a file size of zero, and then dataleak as the label, and this will close the file. So let's try this out. So we have no folder here, sorry, no file here. So DNS lookup of type A. And so we are going to number this file zero, and let's say 16 bytes. So like in the example, 00000010, so that's 16 bytes. And at position zero, I will write 10 bytes. First I will write 10 bytes, so that's 0A. And I will write the digits from zero to nine. So in hexadecimal, that is 30, that is the zero, 31, that's a one, and so on like this. And then the label dataleak. And then anything we want. And since I'm showing this locally, I'm directing this to my localhost, this query, like this. This was received. We get a non-existing domain because I did not provide an answer. And if we do a dir here, you see that a file was already created. We can do a type. Let me... And here you can already see the data that I sent. Now you can see that the file is already 16 bytes long, although here we can only see 10 bytes.

Now I'm going to write the remaining six bytes, and this will be the letters A through F. So I'm going to write six bytes. I'm sorry, that doesn't change, that's the size of the file. I'm now going to write at position A, so position 10, and I'm going to write six bytes. And I will write the letters A through F, capital, so 41, 42, 43, 44, 45, 46, like this. And then let me close the file, because I've exfiltrated everything that I wanted. Length zero, let's close the file, and here dataleak. And I direct this locally. File is closed. And now if I do a type of dataleak, here we have the data that we uploaded in two parts. Now with my spreadsheet I have uploaded files of a couple of megabytes, zip containers. This works, but of course it took quite some time, 10 to 20 minutes I think it took, but it worked. And also you have to watch out here.
When you use this as a proof of concept, for example, there is no input validation or security at all here. If someone knows about the label that you use in the format and sends you a record with FFFFFFFF here, then it instructs the server to create a file on disk of more than four billion bytes. So this will cause a denial of service on your server. So be careful with this if you are doing this, to see that you don't leak yourself the information of what you're doing, or that someone is monitoring DNS and seeing what you do and inferring what you are doing and then messing with your DNS server.
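The label format walked through above, written up as a small receiver-side parser so the layout and the missing size check are concrete. This is an added example and not code from the video or from the dns-resolver tool; it assumes the layout the video describes (file number, file size, position, byte count, hex data, then the label, all hexadecimal and big-endian, with a close message of file number plus a zero size), assumes the label is `dataleak`, does not enforce fixed field widths since the video leaves the width of the position and count fields implicit, and adds a hypothetical `DEFAULT_MAX_SIZE` cap as the input validation the speaker says his proof of concept lacks. Query names in `replay_video_session` are constructed from the two writes and the close performed in the video.

```python
"""Reassemble and sanity-check files sent with the label format the video describes."""
import re
from dataclasses import dataclass

HEX_LABEL = re.compile(r"^[0-9a-f]+$")   # labels are lowercased before matching

# Hypothetical cap: a 4-byte size field can request a 0xFFFFFFFF-byte file,
# so a receiver must bound what it is willing to allocate (the video's tool does not).
DEFAULT_MAX_SIZE = 1024 * 1024


@dataclass
class ExfilFile:
    size: int
    data: bytearray
    closed: bool = False


class Reassembler:
    """Consumes query names one at a time and reassembles files in memory."""

    def __init__(self, label="dataleak", max_size=DEFAULT_MAX_SIZE):
        self.label = label.lower()
        self.max_size = max_size
        self.files = {}      # file number -> ExfilFile
        self.rejected = []   # (qname, reason) for queries that failed validation

    def handle_query(self, qname):
        """Return 'ignored', 'write', 'close' or 'rejected' for one query name."""
        labels = qname.rstrip(".").lower().split(".")
        if self.label not in labels:
            return "ignored"                      # ordinary DNS traffic
        fields = labels[: labels.index(self.label)]   # everything left of the label
        try:
            return self._process(fields)
        except ValueError as exc:
            self.rejected.append((qname, str(exc)))
            return "rejected"

    def _process(self, fields):
        if not fields or not all(HEX_LABEL.match(f) for f in fields):
            raise ValueError("non-hexadecimal field before the label")
        if len(fields) == 2:                      # <file number>.<size> : close
            return self._close(int(fields[0], 16), int(fields[1], 16))
        if len(fields) == 5:                      # number.size.position.count.data : write
            return self._write(*fields)
        raise ValueError("unexpected number of fields: %d" % len(fields))

    def _write(self, f_num, f_size, f_pos, f_count, f_data):
        number, size = int(f_num, 16), int(f_size, 16)
        position, count = int(f_pos, 16), int(f_count, 16)
        if size == 0 or size > self.max_size:     # the check the video's tool lacks
            raise ValueError("file size %d outside 1..%d" % (size, self.max_size))
        payload = bytes.fromhex(f_data)           # ValueError on odd-length hex
        if len(payload) != count:
            raise ValueError("declared %d bytes, got %d" % (count, len(payload)))
        if position + count > size:
            raise ValueError("write past declared end of file")
        f = self.files.get(number)
        if f is None:                             # first write creates the file, as in the video
            f = self.files[number] = ExfilFile(size, bytearray(size))
        elif f.closed or f.size != size:
            raise ValueError("file %d closed or size changed" % number)
        f.data[position:position + count] = payload
        return "write"

    def _close(self, number, size):
        if size != 0:
            raise ValueError("close must carry a zero size")
        f = self.files.get(number)
        if f is None:
            raise ValueError("close for unknown file %d" % number)
        f.closed = True                           # a real receiver would write to disk here
        return "close"

    def contents(self, number):
        """Bytes of a closed file, or None if it is unknown or still open."""
        f = self.files.get(number)
        return bytes(f.data) if f is not None and f.closed else None


def replay_video_session():
    """The two writes and the close from the video, as constructed query names."""
    r = Reassembler()
    queries = [
        "0000.00000010.00000000.0A.30313233343536373839.dataleak.example.com",
        "0000.00000010.0000000A.06.414243444546.dataleak.example.com",
        "0000.00000000.dataleak.example.com",
    ]
    statuses = [r.handle_query(q) for q in queries]
    return statuses, r.contents(0)


if __name__ == "__main__":
    print(replay_video_session())
```

Feeding the same three query names through `handle_query` yields the 16-byte file `0123456789ABCDEF` that the video shows with `type`, while a write whose size field is `FFFFFFFF` is rejected and logged in `rejected` instead of allocating four gigabytes; the same `rejected` list is also a convenient hook for alerting on anyone else probing the label.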