Name: Anonymous 2018-04-15 19:44
TL;DR: data breach via DNS
Can you do something like this:
Export a database to a .mdf file, then convert it to base64, maybe encrypt and hash or something too.
Then the file is basically a text string. A really, really, long text string. But still text. Or it can be broken up into multiple parts. The details aren't really important, it's just hypothetical. And subdomains (and thus domain name lookups) are text.
For the sake of simplicity, let's say the entire string of the hashed base64-encoded file is this:
aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff
Then you could do DNS lookups, like so:
aaaaaaaaaa.example.com
bbbbbbbbbb.example.com
cccccccccc.example.com
dddddddddd.example.com
eeeeeeeeee.example.com
ffffffffff.example.com
And then the DNS server receiving the lookup requests would know the entire file is aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff if it adds the subdomain portions together.
Thoughts?
This is something that could be useful for a penetration test or security audit. Exfiltrate a portion of a database as a proof of their insecurity. But it would only be okay to do so if you have explicit permission to do so (as part of a written legal agreement for a pen test).
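The post only describes the sending side. As an added example that is not part of the thread, the following Python script shows what the same traffic looks like to whoever reviews resolver logs, and how a defender would spot it: a single client querying many unique, long, never-repeated labels under one parent domain. The log lines, client addresses and thresholds are constructed for the demonstration; the `example.com` labels are the ones from the post, and a second constructed client uses base64-looking labels so the entropy column is also exercised.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client_ip> <queried_name>".
# 10.0.0.5 issues the six chunk lookups from the post; 10.0.0.9 is a constructed
# client sending base64-looking chunks; 10.0.0.7 is ordinary, repeated traffic.
SAMPLE_LOG = """\
2018-04-15T19:44:01 10.0.0.5 www.example.org
2018-04-15T19:44:02 10.0.0.5 aaaaaaaaaa.example.com
2018-04-15T19:44:02 10.0.0.5 bbbbbbbbbb.example.com
2018-04-15T19:44:03 10.0.0.5 cccccccccc.example.com
2018-04-15T19:44:03 10.0.0.5 dddddddddd.example.com
2018-04-15T19:44:04 10.0.0.5 eeeeeeeeee.example.com
2018-04-15T19:44:04 10.0.0.5 ffffffffff.example.com
2018-04-15T19:44:05 10.0.0.7 mail.example.org
2018-04-15T19:44:06 10.0.0.7 www.example.org
2018-04-15T19:44:06 10.0.0.7 www.example.org
2018-04-15T19:44:07 10.0.0.9 q3rx9lz0kv2mn8tp.example.net
2018-04-15T19:44:07 10.0.0.9 a7bc4de1fg5hi6jk.example.net
2018-04-15T19:44:08 10.0.0.9 w0ys2uv3xz4qr5tn.example.net
2018-04-15T19:44:08 10.0.0.9 m1np6oq7rs8tu9vw.example.net
2018-04-15T19:44:09 10.0.0.9 b2cd3ef4gh5ij6kl.example.net
"""


def parse_log(text):
    """Return (timestamp, client, name) tuples; names are lower-cased, trailing dot dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        records.append((ts, client, name.rstrip(".").lower()))
    return records


def split_name(name, suffix_labels=2):
    """Split 'chunk.sub.example.com' into ('chunk.sub', 'example.com').

    Assumption: the registrable domain is the last two labels. A real deployment
    would use the public suffix list instead of a fixed count.
    """
    labels = name.split(".")
    if len(labels) <= suffix_labels:
        return "", name
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def shannon_entropy(s):
    """Bits per character. Hostnames like 'www' score low; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(records, min_unique=5, min_label_len=8, max_repeat_ratio=1.5):
    """Flag (client, parent domain) pairs whose query pattern looks like chunked data.

    Signals used: many distinct subdomains, long labels, and almost no repeats
    (cached, legitimate names get asked for again; one-shot chunks do not).
    Entropy is reported, not thresholded, because the post's chunks are low-entropy
    and would otherwise be missed.
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "bytes": 0, "entropy": 0.0})
    for _, client, name in records:
        sub, parent = split_name(name)
        s = stats[(client, parent)]
        s["queries"] += 1
        if sub and sub not in s["subs"]:
            s["subs"].add(sub)
            s["bytes"] += len(sub)
            s["entropy"] += shannon_entropy(sub)

    alerts = []
    for (client, parent), s in sorted(stats.items()):
        n = len(s["subs"])
        if n == 0:
            continue
        repeat_ratio = s["queries"] / n
        avg_len = s["bytes"] / n
        if n >= min_unique and avg_len >= min_label_len and repeat_ratio <= max_repeat_ratio:
            alerts.append({
                "client": client,
                "parent": parent,
                "unique_labels": n,
                "label_bytes": s["bytes"],       # upper bound on data carried out
                "avg_label_len": avg_len,
                "avg_entropy": s["entropy"] / n,
                "repeat_ratio": repeat_ratio,
            })
    return alerts


if __name__ == "__main__":
    for a in score_clients(parse_log(SAMPLE_LOG)):
        print(f"{a['client']} -> {a['parent']}: {a['unique_labels']} unique labels, "
              f"{a['label_bytes']} bytes, entropy {a['avg_entropy']:.2f}, "
              f"repeat ratio {a['repeat_ratio']:.2f}")
```

The useful part of the output is `label_bytes`: summed over a window it tells a responder roughly how much data a host could have pushed out through the resolver, which is the question that matters once such a pattern is confirmed. Logging at the resolver rather than relying on the authoritative side is the point, since the authoritative server for the parent domain belongs to the receiving party.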