Techniques for Bypassing Air-Gapped Networks

Published 08 Dec 2022
Last Modified 12 Feb 2025

Introduction

‘Air-gapped’ networks are often considered the gold standard for isolating sensitive systems from external threats. However, these networks are not as invulnerable as many assume. Attackers have developed sophisticated techniques to bypass air gaps, leveraging weaknesses in DNS communication, external media, and even electromagnetic emissions.

This blog is based on findings from the Pentera Labs Research on bypassing air-gapped networks via DNS. We will explore:

  • The DNS threat landscape and its role in bypassing air-gapped networks.
  • How attackers use DNS as a covert communication channel.
  • Advanced techniques like Domain Generation Algorithms (DGA) for stealthy command and control (C2).
  • Practical steps organizations can take to mitigate these risks.

The DNS Threat Landscape

DNS attacks are on the rise, with 88% of organizations reporting DNS-related threats in 2022 (IDC Global DNS Threat Report). Among these, DNS Tunneling has emerged as a major risk, enabling attackers to establish covert communication channels within otherwise isolated environments. In 2022 alone, DNS tunneling accounted for 28% of all DNS attacks, a 16% year-over-year increase.

DNS is particularly attractive to attackers due to its fundamental role in resolving domain names across both internet-connected and air-gapped environments.

Organizations that rely on DNS within their internal networks may unknowingly provide an entry point for sophisticated adversaries.

Furthermore, organizations implementing External Attack Surface Management can gain critical insights into exploitable weaknesses, ensuring that misconfigurations and overlooked entry points, such as DNS vulnerabilities, are proactively identified and mitigated.

How DNS-Based Attacks Work

Attackers exploit DNS in air-gapped networks by sending and receiving information through manipulated DNS queries.

Below are two common architectures of how DNS is connected to air-gapped networks:

Figure 1 – ‘Air-gapped’ network DNS service connected directly to the main DNS service

Figure 2 – ‘Air-gapped’ network DNS service connected to an air-gapped DNS

In the second architecture, many organizations mistakenly believe that routing queries through an internal DNS server prevents a potential breach. They remain exposed, however, because the internal DNS server can still forward queries to a public DNS server.

Here’s how:

  1. Exfiltrating Data: Attackers encode stolen data into DNS request queries and extract responses via external DNS resolvers.
  2. Command Injection: Malicious actors can send encoded commands via DNS queries that are then executed on an air-gapped machine.
  3. C2 Communication: Using DNS as a control mechanism, attackers maintain persistence within air-gapped environments.

DNS is a protocol for retrieving the records associated with a name. There are many record types, but two are of particular interest here:

  • TXT – The text record of a given name; it can hold any text the DNS administrator writes.
  • NS – The Name Server record of a given name; it returns the name servers that are authoritative for that name.

For example, we can see the AWS Name Servers hold the ‘pentera.io’ name.

It is also important to remember that, while the DNS protocol can run over TCP, it is mostly carried over UDP. Each transport has its use, but UDP has no built-in error-detection mechanism, which will play a role later in this article.

  • An attacker sends a DNS query formatted as whoami.pentera.io, where whoami is the encoded command.

[Diagram: air-gapped network – main DNS server – public DNS]

  • The compromised system receives the query, executes the command and returns the results via DNS responses. To receive the DNS requests for any subrecord under `*.pentera.io`, the attacker must own the pentera.io root record and create a Name Server record that points to a defined server.
  • This process effectively bypasses the air gap.

[Screenshot: the NS lookup showing the AWS Name Servers holding the ‘pentera.io’ name]

There are many other examples of how DNS has been abused as a C2 channel.

Challenges for Attackers in DNS-Based Attacks

Despite its potential, communicating over DNS presents challenges:

  • UDP Limitations: DNS traffic is mostly carried over UDP, which lacks a built-in error-detection mechanism.
  • Character Restrictions: DNS only allows a specific character set, preventing direct transmission of raw data.
  • Length Constraints: DNS queries and responses have strict size limits, requiring attackers to fragment data.

Attackers circumvent these challenges using:

  • Base64 encoding to ensure data is properly formatted.
  • Data slicing to split payloads into multiple DNS requests.
  • Error detection mechanisms to ensure reliable data transmission.

[Figure: Allowed Characters in DNS Queries]

Challenges Attackers Face When Communicating Over DNS

When communicating over DNS, attackers need to take a few things into account:

DNS is mostly carried over UDP, which lacks a built-in error-detection mechanism

  • There is no built-in error detection (as there is in TCP, for comparison).
  • There is no control over the flow or sequence of data transmission.

Compatibility with the DNS protocol

  • DNS restricts the characters it accepts, so not all characters can be sent.
  • Characters that cannot be sent are the so-called ‘bad characters’.
  • There is a limit on how many characters can be sent in one query.

How Attackers Can Overcome These Challenges

Below are methods that can be used to overcome the challenges outlined in the previous section when communicating over DNS:

How an Attacker Could Overcome UDP Challenges:

  • Error detection: Compress the payload before sending and decompress it immediately after receiving. The same can be done with another encoding (e.g., base64). If decompression fails, we know an error has occurred.
  • No control over the flow:
    • Notify the server of buffered packets while sending.
    • Define the expected last packet to establish order.
    • A packet is not sent until we know the previous one arrived successfully.

How an Attacker Could Overcome DNS Protocol Challenges:

  • Avoiding bad characters – Apply base64 to the data right before sending.
  • Avoiding length limits – Slice the data into pieces and send them one by one.

[Figure: How an attacker could communicate over DNS to an air-gapped network]

Example of an Attacker Communicating Over DNS to an Air-Gapped Network

  1. Send the required data (the output of ipconfig).
  2. Avoid syntax errors by compressing, obfuscating, or encrypting the message.
  3. Avoid length limitations by slicing the message.
  4. Include the required information (e.g., a purpose symbol) in each packet so the server knows its purpose:
     • b_ – Should be buffered.
     • f_ – Finished sending.
     • h_ – Heartbeat.
  5. Send the DNS request.

Advanced DNS-Based C2: Domain Generation Algorithms (DGA)

To evade detection, attackers employ Domain Generation Algorithms (DGA), which dynamically generate domain names based on predefined patterns. This technique allows attackers to:

  • Rotate C2 domains frequently, reducing the likelihood of blocking.
  • Bypass static DNS filtering by using date-based or randomized domain names.
  • Maintain resilient communication channels within air-gapped environments.

Example of a Simple DGA Script:

    from datetime import date

    # Build two candidate domains from today's date
    today = date.today()
    domain1 = today.strftime("%d%m%Y") + "pentera.io"
    domain2 = today.strftime("%dpentera%m%Y") + "pentera.io"

    print(domain1, domain2)

This script generates predictable yet ever-changing domain names, making it difficult for defenders to blacklist attacker-controlled domains.

To evade detection, an attacker may generate domain names based on variables both sides know. While the executable is not necessarily difficult to write, an attacker or group would need the infrastructure to keep buying root records, as we will see in the example below.

In the example below we use a date, December 29, 2021.

Attackers may configure their malware to generate a domain based on the date: on 29/12/2021 it would communicate with “29122021pentera.io”, with “29pentera122021.io” or with “2912pentera2021.io”.

Below is a simple code example of how to generate domain names based on the date:

    from datetime import date

    # Three date-based patterns, each followed by the fixed root domain
    today = date.today()
    domain1 = today.strftime("%d%m%Y") + "pentera.io"
    domain2 = today.strftime("%dpentera%m%Y") + "pentera.io"
    domain3 = today.strftime("%d%mpentera%Y") + "pentera.io"

    print(domain1, domain2, domain3)

The result (for 29 December 2021) is:

  • 29122021pentera.io
  • 29pentera122021pentera.io
  • 2912pentera2021pentera.io

Because attackers can constantly send new requests over DNS using a new, known root domain, DGA over DNS is challenging to detect and prevent for organizations relying on static methods or even basic anomaly detection.
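The flip side of a predictable DGA is that, once the algorithm is known, defenders can enumerate its output ahead of time and feed it to a resolver blocklist or sinkhole. The script below is an added example for this article, not Pentera's code: it re-implements the three date patterns shown above (each followed by "pentera.io"), pre-computes them for a window of dates, and matches observed query names against that set. The `SAMPLE_QUERIES` names and the helper names (`dga_domains`, `precompute_blocklist`, `match_queries`) are constructed for the example.

```python
"""Pre-computing date-based DGA domains so they can be blocked or sinkholed.

Added example for this article, not Pentera's code. It re-implements the three
date patterns the article shows (each followed by "pentera.io"), enumerates
them for a window of dates, and matches observed query names against that set.
The query names in SAMPLE_QUERIES are constructed for the example.
"""
from datetime import date, timedelta

SEED = "pentera"         # the fixed token the article's DGA mixes into the date
SUFFIX = "pentera.io"    # the root domain appended to every generated name
PATTERNS = ("%d%m%Y", "%d" + SEED + "%m%Y", "%d%m" + SEED + "%Y")


def dga_domains(day):
    """Every domain the article's DGA produces for one calendar day."""
    return [day.strftime(p) + SUFFIX for p in PATTERNS]


def precompute_blocklist(start, days):
    """Domains for `days` consecutive dates starting at `start`.

    A defender who knows the algorithm can generate these before the
    attacker's malware ever asks for them.
    """
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset)))
    return names


def registrable(qname):
    """Registrable domain, approximated here as the last two labels."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def match_queries(qnames, blocklist):
    """Observed names whose registrable domain is a pre-computed DGA domain."""
    return [q.rstrip(".").lower() for q in qnames if registrable(q) in blocklist]


# Constructed sample: two names under generated domains and two benign ones.
SAMPLE_QUERIES = [
    "chunk01.29122021pentera.io.",
    "hb.2912pentera2021pentera.io",
    "www.pentera.io",
    "updates.vendor.example",
]

if __name__ == "__main__":
    # 28, 29 and 30 December 2021: three days of candidate domains
    blocklist = precompute_blocklist(date(2021, 12, 28), 3)
    for hit in match_queries(SAMPLE_QUERIES, blocklist):
        print("DGA domain observed:", hit)
```

The comparison is done on the registrable domain rather than the full query name, because the tunnelling traffic described earlier puts its payload in subdomain labels under the generated root. A real deployment would replace the two-label approximation with a public-suffix lookup.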

Mitigating DNS-Based Attacks in Air-Gapped Networks

To secure air-gapped networks against DNS abuse, organizations should implement the following strategies:

  • Dedicated Air-Gapped DNS Servers: Ensure internal DNS servers are completely isolated from external resolvers.
  • DNS filtering: Use a secure DNS service with advanced DNS anomaly analysis, such as detecting:
    1. Unusually long DNS requests
    2. The number of DNS requests per minute, hour, and day
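The two anomaly signals listed above, together with the traits the earlier sections attribute to tunnelling traffic (base64-like labels, sliced payloads, the b_/f_/h_ purpose prefixes), are enough to build a first-pass triage of resolver logs. The script below is an added example for this article, not Pentera's code: it scores each client's queries for long labels, high-entropy labels, the described purpose prefixes, per-minute volume and the number of distinct subdomains per apex. The log format (`<ISO timestamp> <client-ip> <qname> <qtype>`), the sample lines and every threshold are assumptions made for the example.

```python
"""Heuristic triage of DNS query logs for tunnelling-style traffic.

Added example for this article, not Pentera's code. The log format and all
thresholds are assumptions; calibrate them against your own resolver baseline.
Expected line format (constructed): "<ISO timestamp> <client-ip> <qname> <qtype>".
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

MAX_LABEL_LEN = 40            # hostnames typed by humans are rarely this long
MIN_LABEL_ENTROPY = 3.5       # bits per character; encoded chunks sit well above this
MIN_LEN_FOR_ENTROPY = 16      # short labels give unreliable entropy estimates
MAX_QUERIES_PER_MINUTE = 30   # per client and apex domain
MAX_UNIQUE_SUBDOMAINS = 20    # per client and apex domain
PURPOSE_PREFIXES = ("b_", "f_", "h_")   # framing described in the article


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def apex(qname):
    """Registrable domain, approximated as the last two labels (e.g. pentera.io)."""
    return ".".join(qname.lower().split(".")[-2:])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    # keep the label case: base64-style payloads are case-sensitive
    return datetime.fromisoformat(ts), client, qname.rstrip("."), qtype


def label_findings(qname):
    """Per-query findings based only on the leftmost label."""
    first = qname.split(".")[0]
    findings = []
    if len(first) > MAX_LABEL_LEN:
        findings.append(f"long-label:{len(first)}")
    if len(first) >= MIN_LEN_FOR_ENTROPY:
        ent = shannon_entropy(first)
        if ent > MIN_LABEL_ENTROPY:
            findings.append(f"high-entropy:{ent:.2f}")
    for prefix in PURPOSE_PREFIXES:
        if first.startswith(prefix):
            findings.append(f"purpose-prefix:{prefix}")
    return findings


def analyse(lines):
    """Return per-query findings, per-minute volume outliers and subdomain fan-out."""
    per_query = []
    per_minute = Counter()
    subdomains = defaultdict(set)
    for line in lines:
        ts, client, qname, _qtype = parse_line(line)
        key = (client, apex(qname))
        per_minute[(key, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        subdomains[key].add(qname)
        findings = label_findings(qname)
        if findings:
            per_query.append((client, qname, findings))
    volume = [(client, dom, minute, n)
              for ((client, dom), minute), n in per_minute.items()
              if n > MAX_QUERIES_PER_MINUTE]
    fanout = [(client, dom, len(names))
              for (client, dom), names in subdomains.items()
              if len(names) > MAX_UNIQUE_SUBDOMAINS]
    return {"queries": per_query, "volume": volume, "fanout": fanout}


def constructed_log():
    """Constructed sample: one ordinary client and one client sending 40 sliced chunks."""
    lines = ["2025-02-12T10:00:01 10.0.5.24 www.pentera.io A",
             "2025-02-12T10:00:05 10.0.5.24 mail.pentera.io MX"]
    chunk = "qwertyuiopasdfghjklzxcvbnm1234567890QAZWSXEDCR"   # 46 distinct characters
    for i in range(40):
        prefix = "f_" if i == 39 else "b_"   # last slice carries the "finished" marker
        lines.append(f"2025-02-12T10:00:{i:02d} 10.0.5.23 {prefix}{i:02d}{chunk}.pentera.io A")
    return lines


if __name__ == "__main__":
    for kind, items in analyse(constructed_log()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The per-query checks catch a single oversized or high-entropy label; the volume and fan-out counters catch the sliced, many-request pattern even when individual labels are kept short. Run against the constructed log, the ordinary client produces no findings while the second client trips all five checks.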

Conclusion: No Air Gap is Perfectly Secure

Air-gapped networks are not impervious to attacks. As demonstrated, DNS vulnerabilities provide a covert channel for data exfiltration, C2 communication, and network penetration. To strengthen defenses, organizations must remain vigilant by implementing robust DNS security measures, continuously validating their setup, and leveraging advanced monitoring techniques.

For a deeper dive into securing air-gapped networks and DNS attack prevention, check out the full Pentera Labs Research on bypassing air-gapped networks via DNS or contact our research team at Pentera.
