This repository documents a DNS-tunneling-over-DoH scenario written in the DACA configuration language, together with the datasets generated from it. The samples can be used for detection tuning or for educational purposes.
This dataset was created as part of a Master's thesis at TalTech.
To reproduce the generated datasets, follow these instructions:

```bash
# 1. Install Vagrant and VirtualBox
# 2. Install the Vagrant plugins
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-scp

# 3A. Start and stop the VMs of a single dataset; data collection follows automatically.
cd directory/with/Vagrantfile
vagrant up
vagrant halt

# 3B. Alternatively, generate, run and recreate all datasets of the scenario with DACA itself.
pip3 install pipenv
git clone git@github.com:Korving-F/DACA.git
cd DACA
pipenv install
python3 daca.py run -d data/ --path /path/to/scenario_file.yaml
```
Mapped MITRE ATT&CK techniques:

- C2 Application Layer Protocol: DNS - T1071.004
- C2 Protocol Tunneling - T1572
- Exfiltration Over Alternative Protocol - T1048
DNS tunneling software used: iodine, dns2tcp and dnstt.
DoH server/client used: DNS-over-HTTPS, with NGINX in front of it as a TLS-terminating reverse proxy.
The collected data in this repository comes in a variety of formats:

- .log - Flat files containing the query logs as produced by the DoH server and the web server.
- .json - The same log files as relayed by Filebeat, which allows post-hoc ingestion into an Elasticsearch cluster.
- .cast - asciinema recordings of the attacker's perspective. Replay with `asciinema play *.cast`.
- .pcap - Standard packet capture covering traffic on the following ports:
  - UDP 53 - DNS traffic from the DoH proxy to the tunnel server
  - TCP 443 - DoH HTTPS traffic from the client to the NGINX front end
  - TCP 8053 - plaintext HTTP from NGINX to the DoH server after TLS termination
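The query logs and pcaps are intended for detection tuning. The following Python script is an added example, not code from the DACA project: it decodes the RFC 8484 `dns=` parameter of DoH GET requests back into a DNS question and aggregates, per zone, the query-name length, subdomain entropy, unique-name ratio and record-type mix, the signals that separate iodine/dns2tcp/dnstt traffic from ordinary lookups. The nginx-style log lines, the `/dns-query?dns=` request form, the `tunnel.test` zone and the thresholds are assumptions constructed for the example; the repository's actual log layout is not described on this page, so the request regex must be adapted to it.

```python
"""Heuristic triage of DoH web-server log lines for DNS-tunnel-like queries.

Added example; not part of the DACA repository or its scenario files. It assumes
the web-server log records RFC 8484 GET requests of the form
/dns-query?dns=<base64url DNS message>. SAMPLE_LOG is constructed here and is
not taken from the dataset.
"""
import base64
import math
import re
import struct
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

QTYPE_NAMES = {1: "A", 5: "CNAME", 10: "NULL", 15: "MX", 16: "TXT",
               25: "KEY", 28: "AAAA", 33: "SRV"}
# Record types an ordinary client rarely asks for but tunnels rely on for bulky answers.
TUNNEL_QTYPES = {"NULL", "TXT", "MX", "SRV", "CNAME", "KEY"}
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/\d\.\d"')


def build_dns_query(qname: str, qtype: int, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)            # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_log_line(qname: str, qtype: int, client: str = "10.0.0.5") -> str:
    """Constructed nginx-style access-log line carrying a DoH GET request."""
    dns = base64.urlsafe_b64encode(build_dns_query(qname, qtype)).rstrip(b"=").decode()
    return f'{client} - - [01/Jan/2022:12:00:00 +0000] "GET /dns-query?dns={dns} HTTP/1.1" 200 128'


def parse_doh_log_line(line: str):
    """Return (qname, qtype_name) for a DoH GET log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group(1)).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))           # restore padding
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:             # need QDCOUNT >= 1
        return None
    pos, labels = 12, []
    while pos < len(msg) and msg[pos]:                                    # walk labels to the root
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 3 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), QTYPE_NAMES.get(qtype, f"TYPE{qtype}")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def query_features(qname: str, qtype_name: str) -> dict:
    labels = qname.split(".")
    return {"zone": ".".join(labels[-2:]),          # crude registrable-domain approximation
            "qname_len": len(qname),
            "sub_entropy": shannon_entropy("".join(labels[:-2])),
            "tunnel_qtype": qtype_name in TUNNEL_QTYPES}


def triage(lines, min_queries: int = 3) -> dict:
    """Aggregate queries per zone and flag zones whose query mix looks like a tunnel."""
    zones = defaultdict(lambda: {"n": 0, "names": set(), "tunnel": 0, "ent": 0.0, "len": 0})
    for line in lines:
        parsed = parse_doh_log_line(line)
        if parsed is None:
            continue
        f = query_features(*parsed)
        z = zones[f["zone"]]
        z["n"] += 1
        z["names"].add(parsed[0])
        z["tunnel"] += f["tunnel_qtype"]
        z["ent"] += f["sub_entropy"]
        z["len"] += f["qname_len"]
    report = {}
    for zone, z in zones.items():
        unique_ratio, avg_len = len(z["names"]) / z["n"], z["len"] / z["n"]
        avg_ent, tunnel_ratio = z["ent"] / z["n"], z["tunnel"] / z["n"]
        # Tunnel shape: nearly every name is new, names are long or high-entropy,
        # and most queries use a record type tunnels favour. Thresholds are assumed.
        suspicious = (z["n"] >= min_queries and unique_ratio > 0.9
                      and (avg_len > 60 or avg_ent > 3.5) and tunnel_ratio > 0.5)
        report[zone] = {"queries": z["n"], "unique_ratio": round(unique_ratio, 2),
                        "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                        "tunnel_qtype_ratio": round(tunnel_ratio, 2), "suspicious": suspicious}
    return report


# Constructed sample: ordinary lookups plus iodine-style NULL queries whose labels carry payload.
SAMPLE_LOG = [doh_log_line("www.example.com", 1), doh_log_line("mail.example.com", 1),
              doh_log_line("www.example.com", 28), doh_log_line("example.com", 15)] + [
    doh_log_line(f"{chunk}.t.tunnel.test", 10) for chunk in (
        "paaa4zlhnf2dkbwwgeac6oxmuqbqaa3qgmqtkyj4.oz4wg5leba3w4zlz",
        "pabb2x7ljkj3dhq4c2jv2ulk3p4i3vlhj6tyjma3.oibwktfaxfdhmd2b",
        "pacch6ctfk2x2tlyl3jwm3tbfy5pprhqf5mjynpm.pt3oydq4j3yzcwfq",
        "padd77m5xvkv2sivtqtfezk6t3lhqsgqf5q3llj3.rnlkmtybcq2zuc7y",
        "paee2fcv4zsvy7jd6rgmzvwnqtcolns5rh6oitbc.rdhzykh2orsdhxa5")]

if __name__ == "__main__":
    for zone, stats in triage(SAMPLE_LOG).items():
        print(zone, stats)
```

Run it over real lines by replacing `SAMPLE_LOG` with the contents of the web-server log; POST-based DoH requests carry the message in the body rather than the URL and need the server-side query log instead.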
Two additional directories can be found:

- suricata - Contains Suricata logs produced from the pcap. See also `suricata-logging.bash` and `suricata.yaml`.
- ja3 - Exported JA3 signatures using a Wireshark JA3 plugin. See also the following commands and/or the two `ja3` scripts placed in the root of this repository:

```bash
tshark -r filename.pcap -Y tls.handshake.type==1 -T fields -e ja3.hash    # ClientHello -> JA3
tshark -r filename.pcap -Y tls.handshake.type==2 -T fields -e ja3s.hash   # ServerHello -> JA3S
```

The `ja3.hash` and `ja3s.hash` fields are provided by the JA3 Lua plugin; recent Wireshark releases also expose the same hashes natively as `tls.handshake.ja3` and `tls.handshake.ja3s`.
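A JA3 hash is the MD5 of the ClientHello fields (TLS version, cipher suites, extension types, supported groups, EC point formats) in the order the client sent them, with GREASE values removed. The Python script below is an added example, not part of this repository or of the JA3 plugin: it builds a ClientHello with GREASE entries in every list, derives the JA3 string and hash, and shows that merely reordering extensions changes the fingerprint, which is the kind of difference the mimicked-browser datasets in the TLS FINGERPRINT tables exhibit. The host name, cipher choices and fixed random bytes in the sample are constructed for illustration; on the pcaps the input would be the first record the client sends on each TCP 443 flow.

```python
"""Compute JA3 fingerprints from raw TLS ClientHello records.

Added example; not part of the DACA repository or of the JA3 Wireshark plugin.
The ClientHello bytes are constructed by build_client_hello() so the parser
can run offline.
"""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name               # name_type host_name
    return ext(0x0000, struct.pack("!H", len(entry)) + entry)


def groups_ext(groups) -> bytes:
    lst = b"".join(struct.pack("!H", g) for g in groups)
    return ext(0x000A, struct.pack("!H", len(lst)) + lst)


def point_formats_ext(formats) -> bytes:
    return ext(0x000B, bytes([len(formats)]) + bytes(formats))


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Wrap a ClientHello (fixed random, empty session id) in a TLS record."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                                 # one compression method: null
    blob = b"".join(extensions)
    hello += struct.pack("!H", len(blob)) + blob
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_hash(ja3_string: str) -> str:
    return hashlib.md5(ja3_string.encode()).hexdigest()


def ja3_from_record(data: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                                              # record + handshake headers
    version = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    pos += 32                                                            # random
    pos += 1 + data[pos]                                                 # session id
    n = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in struct.unpack(f"!{n // 2}H", data[pos:pos + n]) if not is_grease(c)]
    pos += n
    pos += 1 + data[pos]                                                 # compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(data):                                             # extensions are optional
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            t, l = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
            body = data[pos:pos + l]; pos += l
            if is_grease(t):
                continue
            ext_types.append(t)
            if t == 0x000A:                                              # supported_groups
                gl = struct.unpack("!H", body[:2])[0]
                groups = [g for g in struct.unpack(f"!{gl // 2}H", body[2:2 + gl]) if not is_grease(g)]
            elif t == 0x000B:                                            # ec_point_formats
                formats = list(body[1:1 + body[0]])
    fields = [str(version)] + ["-".join(map(str, x)) for x in (ciphers, ext_types, groups, formats)]
    ja3 = ",".join(fields)
    return ja3, ja3_hash(ja3)


# Constructed ClientHello with GREASE in the cipher list, the extension list and the groups.
SAMPLE_HELLO = build_client_hello(
    0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B],
    [sni_ext("doh.example.test"), ext(0x1A1A, b""),
     groups_ext([0x2A2A, 0x001D, 0x0017]), point_formats_ext([0]),
     ext(0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804)),                # signature_algorithms
     ext(0x002B, b"\x02\x03\x04")])                                      # supported_versions
# Same ciphers and extensions, different extension order: the JA3 hash changes.
REORDERED_HELLO = build_client_hello(
    0x0303, [0x1301, 0x1302, 0xC02B],
    [groups_ext([0x001D, 0x0017]), point_formats_ext([0]), sni_ext("doh.example.test"),
     ext(0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804)), ext(0x002B, b"\x02\x03\x04")])

if __name__ == "__main__":
    print(ja3_from_record(SAMPLE_HELLO))
    print(ja3_from_record(REORDERED_HELLO))
```

Because extension order is part of the string, a client that only copies a browser's cipher list without its extension order will still stand out in the exported `ja3` directory; compare the hashes against the `none` dataset to see how far the default TLS stack is from the mimicked profiles.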
Fig 1: DNS Tunnel over DoH high-level overview. Encoded/encrypted DNS queries establish a communications channel over HTTPS.
Fig 2: Overview on how the DNS Tunnels over DoH are simulated and allow for C2 / data transfers.
Fig 3: Runthrough of the VM Creation, Provisioning, Data Generation and Acquisition process using IaC / DevOps tooling.
Iodine datasets (fully automated). The DNS record type and the data encoding are the iodine tunnel parameters that vary between runs:

DOH SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | ENCODING | PASSPHRASE | LINK | DATA LINK |
---|---|---|---|---|---|---|
DNS-over-HTTPS | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |
dns2tcp datasets (fully automated). dns2tcp tunnels over KEY or TXT records, with or without compression:

DOH SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | COMPRESSION | PASSPHRASE | LINK | DATA LINK |
---|---|---|---|---|---|---|
DNS-over-HTTPS | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
dnstt datasets (fully automated). The TLS fingerprint column is the browser ClientHello profile the dnstt client mimics; `none` means it uses its default TLS stack without mimicking a browser:

DOH SERVER | AUTOMATION LEVEL | TLS FINGERPRINT | LINK | DATA LINK |
---|---|---|---|---|
DNS-over-HTTPS | Fully Automated | Chrome | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Chrome_58 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Chrome_62 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Chrome_70 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Chrome_72 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Chrome_83 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Firefox | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Firefox_55 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Firefox_56 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Firefox_63 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | Firefox_65 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | iOS | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | iOS_11_1 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | iOS_12_1 | Scenario files | Data files |
DNS-over-HTTPS | Fully Automated | none | Scenario files | Data files |
dns2tcp datasets (partly manual):

DOH SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | COMPRESSION | PASSPHRASE | LINK | DATA LINK |
---|---|---|---|---|---|---|
DNS-over-HTTPS | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
dnstt datasets (partly manual):

DOH SERVER | AUTOMATION LEVEL | TLS FINGERPRINT | LINK | DATA LINK |
---|---|---|---|---|
DNS-over-HTTPS | Partly Manual | Chrome | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Chrome_58 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Chrome_62 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Chrome_70 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Chrome_72 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Chrome_83 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Firefox | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Firefox_55 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Firefox_56 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Firefox_63 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | Firefox_65 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | iOS | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | iOS_11_1 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | iOS_12_1 | Scenario files | Data files |
DNS-over-HTTPS | Partly Manual | none | Scenario files | Data files |
DACA is licensed under the MIT license. Copyright © 2022, Frank Korving