
Korving-F/doh-tunnel-dataset


DoH Tunneling Dataset

License MIT GitHub release (latest by date) ICCWS Paper

Introduction

This repository documents a DNS-tunneling-over-DoH scenario, written in the DACA configuration language, together with the datasets generated from it. The samples can be used for detection tuning or for educational purposes.

This dataset was created as part of Master's thesis work at TalTech.

To reproduce the generated datasets, follow these instructions:

```bash
# 1. Install Vagrant and VirtualBox

# 2. Install the Vagrant plugins the scenario relies on
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-scp

# 3A. Start and stop the VMs of a single dataset; data collection follows automatically.
cd directory/with/Vagrantfile
vagrant up
vagrant halt

# 3B. Alternatively, generate, run and recreate all datasets of the scenario with DACA.
pip3 install pipenv
git clone git@github.com:Korving-F/DACA.git
cd DACA
pipenv install

python3 daca.py run -d data/ --path /path/to/scenario_file.yaml
```

MITRE ATT&CK

Scenario

Used DNS Tunneling software: IODINE / DNS2TCP / DNSTT

Used DoH Server/Client: DNS-over-HTTPS with NGINX as a TLS termination proxy.

Consume Datasets

The data collected in this repository comes in several formats:

  • .log - Flat files with the query logs produced by the DoH server and the web server (NGINX).
  • .json - The same log lines as shipped by Filebeat, ready for post-hoc ingestion into an Elasticsearch cluster.
  • .cast - asciinema recordings of the attacker's perspective. Replay with: asciinema play *.cast
  • .pcap - Standard packet captures of the traffic on:
    • UDP 53 - plain DNS from the DoH proxy to the tunnel server
    • TCP 443 - DoH (HTTPS) from the client to the NGINX TLS termination proxy
    • TCP 8053 - plain HTTP between NGINX and the DoH server, after TLS termination
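The query logs and captures above are what a detection engineer would tune against. As an added example (not code from this repository or from DACA), the script below computes the per-query and per-zone features that iodine- and dns2tcp-style tunnels tend to expose: long labels, high-entropy subdomains, uncommon carrier record types and many distinct names under one delegated zone. The sample records are constructed for illustration and do not reproduce the DoH server's log format; the thresholds, the two-label zone split and the `UNCOMMON_QTYPES` set are assumptions to be tuned against the dataset.

```python
"""Heuristic triage of DNS query names for tunnelling artefacts (added example)."""
import math
from collections import defaultdict

# Record types that ordinary client lookups rarely issue. iodine and dns2tcp use
# several of them as a downstream carrier (see the dataset tables). TXT is common
# enough in real traffic that you may drop it after tuning. Assumed set.
UNCOMMON_QTYPES = {"NULL", "PRIVATE", "KEY", "SRV", "TXT"}

MAX_LABEL_LEN = 30         # a single label may be up to 63 octets (RFC 1035); assumed threshold
MIN_ENTROPY = 3.5          # bits per character of the subdomain part; assumed threshold
MIN_DIGIT_RATIO = 0.2      # assumed threshold
MIN_FLAGS = 2              # flags needed before a query is reported
MIN_UNIQUE_SUBDOMAINS = 4  # toy value for the sample below; a real tunnel produces thousands

# Constructed sample records: (query name, record type). Not lines from the dataset.
SAMPLE_QUERIES = [
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
    ("cdn.example.com", "A"),
    # Tunnel-like names: one long label drawn from the base32 alphabet per query,
    # all under a single delegated zone, carried on varying record types.
    ("abcdefghijklmnopqrstuvwxyz234567.t.example.org", "NULL"),
    ("234567abcdefghijklmnopqrstuvwxyz.t.example.org", "TXT"),
    ("pqrstuvwxyz234567abcdefghijklmno.t.example.org", "CNAME"),
    ("ghijklmnopqrstuvwxyz234567abcdef.t.example.org", "MX"),
]


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, zone), taking the last two labels as the zone.

    Assumption: the tunnel is delegated at a second-level domain. Use a
    public-suffix list in production.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(qname, qtype):
    """Per-query features computed on the subdomain part only."""
    sub, zone = split_name(qname)
    flat = sub.replace(".", "")
    digits = sum(ch.isdigit() for ch in flat)
    return {
        "zone": zone,
        "max_label": max((len(lbl) for lbl in sub.split(".")), default=0),
        "entropy": shannon_entropy(flat),
        "digit_ratio": digits / len(flat) if flat else 0.0,
        "uncommon_qtype": qtype.upper() in UNCOMMON_QTYPES,
    }


def flags_for(feat):
    """Names of the thresholds a feature dict exceeds, in a fixed order."""
    flags = []
    if feat["max_label"] > MAX_LABEL_LEN:
        flags.append("long_label")
    if feat["entropy"] >= MIN_ENTROPY:
        flags.append("high_entropy")
    if feat["digit_ratio"] >= MIN_DIGIT_RATIO:
        flags.append("many_digits")
    if feat["uncommon_qtype"]:
        flags.append("uncommon_qtype")
    return flags


def suspicious_queries(queries):
    """Sorted query names that raise at least MIN_FLAGS flags."""
    hits = set()
    for qname, qtype in queries:
        if len(flags_for(query_features(qname, qtype))) >= MIN_FLAGS:
            hits.add(qname)
    return sorted(hits)


def flagged_zones(queries):
    """Sorted zones with at least MIN_UNIQUE_SUBDOMAINS distinct names seen."""
    seen = defaultdict(set)
    for qname, _ in queries:
        seen[split_name(qname)[1]].add(qname.lower())
    return sorted(z for z, names in seen.items() if len(names) >= MIN_UNIQUE_SUBDOMAINS)


if __name__ == "__main__":
    for qname, qtype in SAMPLE_QUERIES:
        print(f"{qname:50} {qtype:6} {flags_for(query_features(qname, qtype))}")
    print("suspicious:", suspicious_queries(SAMPLE_QUERIES))
    print("zones:", flagged_zones(SAMPLE_QUERIES))
```

Run it against names pulled from the `.log` or `.json` files and compare the flag distribution between the iodine variants (RAW vs BASE32/BASE64/BASE128 encodings change the entropy and digit ratio) and the benign background traffic before settling on thresholds. The per-zone count is the more robust of the two signals: a single encoded query can look like a CDN hostname, but thousands of distinct names under one zone in a few minutes rarely do.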

Two additional directories can be found:

  • suricata - Contains the Suricata logs produced from the pcap files.
    See also suricata-logging.bash and suricata.yaml.
  • ja3 - JA3 fingerprints exported with a Wireshark JA3 plugin.
    See also the following commands and/or the two ja3 scripts placed in the root of this repository:

```bash
# handshake type 1 = ClientHello (JA3), type 2 = ServerHello (JA3S)
tshark -r filename.pcap -Y tls.handshake.type==1 -T fields -e ja3.hash
tshark -r filename.pcap -Y tls.handshake.type==2 -T fields -e ja3s.hash
```
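The `ja3.hash` values those commands export are MD5 digests of a fixed serialisation of the ClientHello. The script below, an added example that is not code from this repository, the Wireshark plugin or dnstt, parses a TLS handshake record and produces that string and hash: the decimal client version, cipher suites, extension types, supported groups and EC point formats, each list joined by `-`, the five fields joined by `,`, with GREASE values removed so that a client randomising them keeps a stable fingerprint. The ClientHello it fingerprints is constructed inside the file (the SNI `doh.example.org`, the cipher list and the GREASE placement are illustrative), not taken from the dataset's captures.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Wrap a minimal, constructed ClientHello in a TLS handshake record."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake


def parse_client_hello(record):
    """Extract the JA3 input fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 0
    version = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + 32                                   # skip client random
    off += 1 + p[off]                               # skip session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", p[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                               # skip compression methods
    extensions, curves, formats = [], [], []
    if off < len(p):
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off < end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            data = p[off + 4:off + 4 + elen]
            off += 4 + elen
            extensions.append(etype)
            if etype == 0x000a:                     # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif etype == 0x000b:                   # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}


def ja3_string(fields):
    """JA3 serialisation: version,ciphers,extensions,curves,formats (GREASE removed)."""
    def keep(vals):
        return [v for v in vals if v not in GREASE]
    return ",".join([
        str(fields["version"]),
        "-".join(map(str, keep(fields["ciphers"]))),
        "-".join(map(str, keep(fields["extensions"]))),
        "-".join(map(str, keep(fields["curves"]))),
        "-".join(map(str, fields["formats"])),
    ])


def ja3_from_record(record):
    """Return (ja3 string, ja3 hash) for a ClientHello record."""
    s = ja3_string(parse_client_hello(record))
    return s, hashlib.md5(s.encode()).hexdigest()


def sample_client_hello():
    """A constructed Chrome-style ClientHello with GREASE in three places."""
    sni = b"doh.example.org"                                   # illustrative name
    server_name = struct.pack("!H", len(sni) + 3) + b"\x00" + struct.pack("!H", len(sni)) + sni
    groups = [0x4a4a, 0x001d, 0x0017]                          # GREASE, x25519, secp256r1
    supported_groups = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    return build_client_hello(
        0x0303,                                                # legacy_version as TLS 1.3 clients send it
        [0x2a2a, 0x1301, 0x1302, 0xc02b],                      # GREASE, AES128-GCM, AES256-GCM, ECDHE-ECDSA-AES128-GCM
        [(0x3a3a, b""), (0x0000, server_name), (0x000a, supported_groups),
         (0x000b, b"\x01\x00"), (0x0010, b"\x00\x03\x02h2"), (0xdada, b"\x00")],
    )


if __name__ == "__main__":
    s, h = ja3_from_record(sample_client_hello())
    print(s)   # 771,4865-4866-49195,0-10-11-16,29-23,0
    print(h)
```

JA3S is the same idea applied to the ServerHello (version, the single chosen cipher, extension types), which is why the second `tshark` line filters on handshake type 2. Keep in mind when using the DNSTT datasets that the TLS FINGERPRINT column names browser-style client profiles, so the client-side JA3 of those runs is meant to look like a browser; pair it with the JA3S value, the plaintext HTTP on TCP 8053 and the DoH server's query log rather than matching on JA3 alone.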

Architecture

Fig 1: DNS Tunnel over DoH high-level overview. Encoded/encrypted DNS queries establish a communications channel over HTTPS.



Fig 2: Overview on how the DNS Tunnels over DoH are simulated and allow for C2 / data transfers.



Fig 3: Runthrough of the VM Creation, Provisioning, Data Generation and Acquisition process using IaC / DevOps tooling.


Datasets

File transfer over DoH Tunnel

IODINE

| DoH server | Automation level | DNS record type | Encoding | Passphrase | Scenario link | Data link |
|---|---|---|---|---|---|---|
| DNS-over-HTTPS | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |

DNS2TCP

| DoH server | Automation level | DNS record type | Compression | Passphrase | Scenario link | Data link |
|---|---|---|---|---|---|---|
| DNS-over-HTTPS | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |

DNSTT

| DoH server | Automation level | TLS fingerprint | Scenario link | Data link |
|---|---|---|---|---|
| DNS-over-HTTPS | Fully Automated | Chrome | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Chrome_58 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Chrome_62 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Chrome_70 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Chrome_72 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Chrome_83 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Firefox | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Firefox_55 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Firefox_56 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Firefox_63 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | Firefox_65 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | iOS | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | iOS_11_1 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | iOS_12_1 | Scenario files | Data files |
| DNS-over-HTTPS | Fully Automated | none | Scenario files | Data files |

C2 over DoH Tunnel

DNS2TCP

| DoH server | Automation level | DNS record type | Compression | Passphrase | Scenario link | Data link |
|---|---|---|---|---|---|---|
| DNS-over-HTTPS | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |

DNSTT

| DoH server | Automation level | TLS fingerprint | Scenario link | Data link |
|---|---|---|---|---|
| DNS-over-HTTPS | Partly Manual | Chrome | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Chrome_58 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Chrome_62 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Chrome_70 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Chrome_72 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Chrome_83 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Firefox | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Firefox_55 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Firefox_56 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Firefox_63 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | Firefox_65 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | iOS | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | iOS_11_1 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | iOS_12_1 | Scenario files | Data files |
| DNS-over-HTTPS | Partly Manual | none | Scenario files | Data files |

License

DACA is licensed under the MIT license. Copyright © 2022, Frank Korving