Databouncing

A little thread on the concern set of data-bouncing, The most important component here is that the exfil is second order, also known as indirect, this means you can’t control it within your network, while many refer to it as a DNS exfil, that’s only the second leg, 1/*

@mthcht2 @yeahbutnahbut 🫡🫡

@yeahbutnahbut @databouncing totally valid, will add them 😃

LOLEXFIL Living off the land Data Exfiltration method lolexfil.github.io

Some good insight from @DidierStevens youtu.be/eh3BD7v8cZQ?si… could be useful to make life harder where it fails (as a benifit) in databouncing

Approved 🫡

Hmmm Databouncing + Fastflux, hmmmm

@elonmusk Too huh ? 😂

If you want to databounce via email gist.github.com/yosignals/dce9… This is crude but functional It will use the hostname space as you’d expect, 500 recipients per send

@SwiftOnSecurity Ubi looks great but, looks locked in, synology has a good balance of flexibility and integration (just doesnt have that slick ubi UX)

What are you using for home NAS/SAN these days? Whats your setup?

we feel that the only reason Databouncing hasn’t gotten the attention it deserves is because the PoCs have mostly been fun demonstrations of its capability - if you could share for reach 🙌❤️ 4/4

I’d be happy putting a reward out for whoever authors something stable first, you’d get support from myself @DeathsPirate and @N1ckDunn where we have time 3/4

A little bit of positive downtime, and we’re back at it We’re looking for some assistance in building databouncing integration into C2 frameworks (Sliver, Tuoni, Merlin, others ?) 1/4

checkcybersecurity.service.ncsc.gov.uk/ip-check/form great for businesses, and databouncing aficionados ?

While databouncing is pretty unstoppable in most cases it’s always nice if you’re gifted even more: PAN-234015 The X-Forwarded-For (XFF) value is not displayed in traffic logs.

@DeathsPirate @PamKeithFL Narrowcasting is the term, and it’s made things very ugly 🫠

@PamKeithFL Target the demographic you need with a quick form to gather their interest and give them something back in return (free coffee or something) for their time. Then you have a list of contacts for direct comms.

One of the BIG data problems we have in campaigning is that while we have a list of registered voters, we DO NOT have a list of eligible not registered Americans. That means that we can’t target people for calls or texts or whatever to encourage them to register. If we fixed

@HackingDave Oh my

I've been working on a secret project over the past few months. Not going to say anything more about it other than dropping this screenshot. #TrustedSec

I'll be speaking at Defcon Gloucester this evening on all things @databouncing. Hopefully see some of you later!

Seeing lots of databouncing candidates on Chinese infrastructure 🥸

Ayo #bugbounty hunters, you want to squeeze some money out of those lame host header poisonings ? Check out CWE-441 - then check out #databouncing - all you have to do is argue with triage until you are a millionaire 😁🫡

@teamcymru_S2 do you fancy a run at countermeasures ?

without actually putting any data on any services of those domains, this is industrialized exfiltration and no one seems to have an answer.

There are some very real implications to this technique and the reason we put time and money into building databouncing.io was to force the conversation not being had. - we'll start chipping away visually demonstrating how to move files via trusted domains...

@Microsoft asked us to refer to @Akamai when we demo'd Databouncing through their domains, Akamai's guy said essentially 'that's how the internet works', what's interesting is that when we spoke to NSA it was suggested that @Cloudflare had a response