What is it?

Out-Of-Band (OOB) technique provides an attacker with an alternative way to confirm and exploit a vulnerability which is otherwise “blind”. In a blind vulnerability, as an attacker you do not get the output of the vulnerability in the direct response to the vulnerable request. The OOB techniques often require a vulnerable entity to generate an outbound TCP/UDP/ICMP request and that will then allow an attacker to exfiltrate data. The success of an OOB attack is based on the egress firewall rules i.e. which outbound request is permitted from the vulnerable system and the perimeter firewall.

Limitations of using DNS for data exfiltration

• A domain name can have maximum of 127 subdomains.

• Each subdomains can have maximum of 63 character length.

• Maximum length of full domain name is 253 characters.

• Due to DNS records caching add unique value to URL for each request.

• DNS being plaintext channel any data extracted over DNS will be in clear text format and will be available to intermediary nodes and DNS Server caches. Hence, it is recommended not to exfiltrate sensitive data over DNS.

References

Out of Band exploitation cheat sheet (Includes the below): https://www.notsosecure.com/oob-exploitation-cheatsheet/

• DNS

• ICMP

• HTTP

• SMB

• XXE

• SQL Injection