From charlesreid1

Imagine the power of Netcat, but with everything tunneled through DNS packets. Imagine the power!!!

Dnscat2 does precisely that: http://www.doctorchaos.com/dnscat2-dns-reverse-tunneling-thru-secure-networks/

More detailed info: https://zeltser.com/c2-dns-tunneling/

Code on Github: https://github.com/iagox86/dnscat2

The dnscat2 server runs on a C2 host and waits for a client. The dnscat2 client runs on the target machine and connects to the C2 server over DNS queries to establish a session. Once a session is established, a reverse connection is created from the C2 server, which enables an attacker to run arbitrary commands on the remote client's machine.
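The traffic pattern this produces, many long, mostly unique, high-entropy subdomains under a single registered domain, often carried in TXT, CNAME or MX queries, is what a defender looks for. The following is an added example, not code from the dnscat2 project or from the original page: a small Python scorer that aggregates per-domain indicators from DNS query logs. The log format ("timestamp client qname qtype"), the domain c2-placeholder.test, every log line and the thresholds are constructed for illustration.

```python
"""Heuristic scoring of DNS query logs for DNS-tunnelling behaviour.

Added example, not part of dnscat2 or the original article. The log format
is a hypothetical "timestamp client qname qtype" text format; adapt
parse_line() to the syntax your resolver actually emits.
"""
import math
from collections import defaultdict

# Constructed sample lines: benign lookups plus a burst of long, hex-like
# subdomains queried with TXT/CNAME/MX types against one registered domain.
# "c2-placeholder.test" is a placeholder name, not a real indicator.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com A
2024-01-01T10:00:01 10.0.0.5 mail.example.com MX
2024-01-01T10:00:02 10.0.0.7 www.example.com A
2024-01-01T10:00:03 10.0.0.7 api.example.com AAAA
2024-01-01T10:00:04 10.0.0.9 0123456789abcdef.fedcba9876543210.c2-placeholder.test TXT
2024-01-01T10:00:05 10.0.0.9 00112233445566778899aabbccddeeff.ffeeddccbbaa99887766554433221100.c2-placeholder.test CNAME
2024-01-01T10:00:06 10.0.0.9 abcdef0123456789.9876543210fedcba.c2-placeholder.test MX
2024-01-01T10:00:07 10.0.0.5 truncated-entry
"""

# Query types that can carry more payload than a plain A answer; unusual
# when they dominate a domain's traffic.
PAYLOAD_QTYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain) using a naive last-two-labels
    rule. A production version should use the public suffix list so that
    names such as host.example.co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse 'timestamp client qname qtype'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3].upper()}


def domain_stats(log_text):
    """Aggregate per-registered-domain indicators from raw log text."""
    agg = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                               "len_sum": 0, "entropy_sum": 0.0, "payload_qtypes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        sub, dom = split_name(rec["qname"])
        d = agg[dom]
        d["queries"] += 1
        d["subdomains"].add(sub)
        d["clients"].add(rec["client"])
        d["len_sum"] += len(sub)
        d["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        d["payload_qtypes"] += 1 if rec["qtype"] in PAYLOAD_QTYPES else 0
    result = {}
    for dom, d in agg.items():
        q = d["queries"]
        result[dom] = {
            "queries": q,
            "clients": len(d["clients"]),
            "unique_ratio": len(d["subdomains"]) / q,
            "avg_sub_len": d["len_sum"] / q,
            "avg_entropy": d["entropy_sum"] / q,
            "payload_ratio": d["payload_qtypes"] / q,
        }
    return result


def indicators(stats):
    """Names of the heuristics a domain trips. Thresholds are illustrative
    starting points; tune them against your own baseline traffic."""
    hits = []
    if stats["avg_sub_len"] >= 20:
        hits.append("long-subdomains")
    if stats["avg_entropy"] >= 3.0:
        hits.append("high-entropy-labels")
    if stats["unique_ratio"] >= 0.8 and stats["queries"] >= 3:
        hits.append("mostly-unique-subdomains")
    if stats["payload_ratio"] >= 0.5:
        hits.append("payload-carrying-qtypes")
    return hits


def flagged_domains(log_text, min_hits=3):
    """Registered domains that trip at least min_hits indicators."""
    return {dom: indicators(s) for dom, s in domain_stats(log_text).items()
            if len(indicators(s)) >= min_hits}


if __name__ == "__main__":
    for dom, hits in flagged_domains(SAMPLE_LOG).items():
        print(f"{dom}: {', '.join(hits)}")
```

Requiring several indicators together keeps single oddities (one long CDN hostname, one legitimate TXT lookup) from paging anyone; in practice the aggregation window and thresholds should be set from a baseline of the organisation's own resolver logs, and the naive registered-domain split should be replaced with a public suffix list lookup.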

The C2 server needs a registered domain, and the host running the dnscat2 server must be the authoritative DNS server for that domain. To make your server authoritative, tell the domain registrar which nameservers are authoritative for the domain; this option is usually found under Domain Management/Domain Settings. Edit the DNS zone file and add several records:

  • Add two A records, ns1 and ns2, that point to the C2 server
  • Add two NS records with hosts ns1 and ns2 pointing to ns1.domain.com and ns2.domain.com

Next, make sure the domain is set up to use your own custom nameservers: add ns1.domain.com and ns2.domain.com as the domain's nameservers. Allow some time for the settings to take effect.

Now when you run dnscat2 on either machine, you'll specify domain.com as the domain.

Flags