Skip to content

Latest commit

 

History

History
249 lines (218 loc) · 38.9 KB

README.md

File metadata and controls

249 lines (218 loc) · 38.9 KB

DNS Tunneling Dataset

License MIT GitHub release (latest by date) ICCWS Paper

Table of Contents

Introduction

This repository documents a DNS tunneling scenario written in DACA configuration language and the generated datasets it creates. Samples can be used for detection tuning or for educational purposes.

This dataset was created as part of Master thesis work at TalTech.

To reproduce the generated datasets, follow these instructions:

# 1. Install Vagrant and VirtualBox

# 2. Install Vagrant modules
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-scp

# 3A Start and stop the VMs of a single dataset, data collection will follow automatically.
cd directory/with/Vagrantfile
vagrant up
vagrant halt

# 3B Alternatively generate and run and recreate all datasets in the scenario.
pip3 install pipenv
git clone git@github.com:Korving-F/DACA.git
cd DACA
pipenv install

python3 daca.py run -d data/ --path /path/to/scenario_file.yaml

MITRE ATT&CK

Scenario

Used DNS Tunneling software: IODINE / DNS2TCP / DNSCAT

Used DNS Servers: BIND 9 / CoreDNS / Dnsmasq / PowerDNS

Consume Datasets

Collected data within this repository comes in a variety of formats:

  • .log - Flatfiles containing query logs as produced by the DNS Server.
  • .json - Same flatfiles but then relayed by Filebeat. This allows for post-hoc ingestion into an elasticsearch cluster.
  • .cast - asciinema recordings of attacker's perspective. Replay by issuing: asciinema play *.cast.
  • .pcap - Standard packet capture looking at traffic on port 53.

Architecture

Fig 1: DNS Tunnel high-level overview. Encoded/encrypted DNS queries establish a communications channel.



Fig 2: Overview on how the DNS Tunnels are simulated and allow for C2 / data transfers.



Fig 3: Runthrough of the VM Creation, Provisioning, Data Generation and Acquisition process using IaC / DevOps tooling.


Datasets

File transfer over DNS Tunnel

IODINE

DNS SERVER AUTOMATION LEVEL DNS RECORD TYPE ENCODING PASSPHRASE LINK DATA LINK
BIND9 Fully Automated CNAME BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated CNAME RAW 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated CNAME BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated CNAME BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated MX BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated MX BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated MX RAW 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated MX BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated NULL BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated NULL BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated NULL BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated NULL RAW 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated PRIVATE RAW 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated PRIVATE BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated PRIVATE BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated PRIVATE BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated SRV BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated SRV RAW 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated SRV BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated SRV BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT BASE32 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT BASE64 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT BASE128 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated CNAME RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated CNAME BASE64 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated CNAME BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated CNAME BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated MX BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated MX BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated MX RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated MX BASE64 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated NULL BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated NULL BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated NULL BASE64 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated NULL RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated PRIVATE RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated PRIVATE BASE64 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated PRIVATE BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated PRIVATE BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated SRV RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated SRV BASE64 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated SRV BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated SRV BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT RAW 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT BASE32 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT BASE128 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated CNAME RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated CNAME BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated CNAME BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated CNAME BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated MX BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated MX RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated MX BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated MX BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated NULL RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated NULL BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated NULL BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated NULL BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated PRIVATE BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated PRIVATE BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated PRIVATE RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated PRIVATE BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated SRV BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated SRV BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated SRV BASE64 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated SRV RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT BASE32 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT BASE128 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT RAW 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated CNAME RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated CNAME BASE32 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated CNAME BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated CNAME BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated MX BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated MX BASE32 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated MX BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated MX RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated NULL RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated NULL BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated NULL BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated NULL BASE32 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated PRIVATE BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated PRIVATE RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated PRIVATE BASE32 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated PRIVATE BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated SRV BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated SRV RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated SRV BASE32 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated SRV BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT BASE64 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT BASE128 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT RAW 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT BASE32 0xDEADBEEF Scenario files Data files

DNS2TCP

DNS SERVER AUTOMATION LEVEL DNS RECORD TYPE COMPRESSION PASSPHRASE LINK DATA LINK
BIND9 Fully Automated KEY YES 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated KEY NO 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT YES 0xDEADBEEF Scenario files Data files
BIND9 Fully Automated TXT NO 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated KEY YES 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated KEY NO 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT YES 0xDEADBEEF Scenario files Data files
COREDNS Fully Automated TXT NO 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated KEY YES 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated KEY NO 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT NO 0xDEADBEEF Scenario files Data files
DNSMASQ Fully Automated TXT YES 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated KEY NO 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated KEY YES 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT NO 0xDEADBEEF Scenario files Data files
POWERDNS Fully Automated TXT YES 0xDEADBEEF Scenario files Data files

DNSCAT

DNS SERVER AUTOMATION LEVEL DNS RECORD TYPE LINK DATA LINK
BIND9 Partly Manual TXT,CNAME,MX Scenario files Data files
COREDNS Partly Manual TXT,CNAME,MX Scenario files Data files
DNSMASQ Partly Manual TXT,CNAME,MX Scenario files Data files
POWERDNS Partly Manual TXT,CNAME,MX Scenario files Data files

C2 over DNS Tunnel

DNS2TCP

DNS SERVER AUTOMATION LEVEL DNS RECORD TYPE COMPRESSION PASSPHRASE LINK DATA LINK
BIND9 Partly Manual KEY NO 0xDEADBEEF Scenario files Data files
BIND9 Partly Manual KEY YES 0xDEADBEEF Scenario files Data files
BIND9 Partly Manual TXT YES 0xDEADBEEF Scenario files Data files
BIND9 Partly Manual TXT NO 0xDEADBEEF Scenario files Data files
COREDNS Partly Manual KEY YES 0xDEADBEEF Scenario files Data files
COREDNS Partly Manual KEY NO 0xDEADBEEF Scenario files Data files
COREDNS Partly Manual TXT YES 0xDEADBEEF Scenario files Data files
COREDNS Partly Manual TXT NO 0xDEADBEEF Scenario files Data files
DNSMASQ Partly Manual KEY NO 0xDEADBEEF Scenario files Data files
DNSMASQ Partly Manual KEY YES 0xDEADBEEF Scenario files Data files
DNSMASQ Partly Manual TXT NO 0xDEADBEEF Scenario files Data files
DNSMASQ Partly Manual TXT YES 0xDEADBEEF Scenario files Data files
POWERDNS Partly Manual KEY YES 0xDEADBEEF Scenario files Data files
POWERDNS Partly Manual KEY NO 0xDEADBEEF Scenario files Data files
POWERDNS Partly Manual TXT NO 0xDEADBEEF Scenario files Data files
POWERDNS Partly Manual TXT YES 0xDEADBEEF Scenario files Data files

DNSCAT

DNS SERVER AUTOMATION LEVEL DNS RECORD TYPE LINK DATA LINK
BIND9 Partly Manual TXT,CNAME,MX Scenario files Data files
COREDNS Partly Manual TXT,CNAME,MX Scenario files Data files
DNSMASQ Partly Manual TXT,CNAME,MX Scenario files Data files
POWERDNS Partly Manual TXT,CNAME,MX Scenario files Data files

License

DACA is licensed under the MIT license.
Copyright © 2022, Frank Korving