DNS TUNNELING WITH DNSCAT2
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDye5P9D7iJLen3yF7xeeLEQNHEvxfHsv02ZC0g8nTdgn8cZaiVRSVcXcuNaof9_EB1E02DVXYSX_1bz8a8z0cl4nSgh-P9NPbmwgH7dMedYgvlmQs11GxeeGIboOMOOgmePbK9StUqwD7/s1600/screenshot.26.jpg)
1 - INTRODUCTION
- dnscat2 creates an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiePxKPH4uvX2sgOv48CAWdBKDh08coIkMuvkOXdknEgX88GMR8zIgMh7D7CUHxlChVv_qfJy-yhnnMQUEO4P5Zeanj-AuWOFFSb15ZmuOin4ddt7GZaLDUx6UAs2MW5e3J95MjVGix6BE6/s1600/screenshot.25.jpg)
- dnscat2 can be used as a communication channel between a target host and the C&C server, because even the most restricted environments usually allow DNS traffic so that internal and external domain names can be resolved.
- Commands and data are embedded inside DNS queries and responses, so detection is difficult: arbitrary commands hide within what looks like legitimate traffic.
- dnscat2 comes in two parts: a server and a client.
1.1 - dnscat2 server
- The server is designed to be run on an authoritative DNS server. It's written in Ruby, and depends on several different gems.
- It can tunnel any data, with no protocol attached, which means it can upload and download files, run a shell, etc. It can also potentially tunnel TCP, but that is only going to be added in the context of a pen-testing tool (that is, tunneling TCP into a network), not as a general-purpose tunneling tool.
- It's also encrypted by default.
1.2 - dnscat2 client
- The client is designed to be run on a compromised machine. It's written in C and has the minimum possible dependencies.
- The client needs to be executed on the target in order for the server to receive a connection. Traffic is transmitted in encrypted form, and authentication via pre-shared secrets is also supported.
- When running the client, a domain name is typically specified. All requests are sent to the local DNS server, which forwards them to the authoritative DNS server for that domain.
- If there is no authoritative DNS server, it is possible to use direct connections on UDP/53. They'll be faster, and still look like DNS traffic to the casual viewer, but they are much more obvious in a packet log (all domains are prefixed with "dnscat.", unless you modify the source). This mode will frequently be blocked by firewalls.
- To sum it up, some advantages of dnscat2:
- Support of multiple sessions
- Traffic encryption
- Protection from MitM attacks with a pre-shared secret key
- Run PowerShell scripts directly from memory
- Stealthy
2 - SETTING UP DNSCAT2
2.1 - dnscat2 server
- To download the server (for Kali):
https://github.com/iagox86/dnscat2
- Cloning and installing the dnscat2 server to Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga0yt6KZn534zU_oc4lhPKKZiumCBOsgZOqzNnKeyGkDyW-XsB90EeBqVblILJ1A8LlbGp_JdGKvvhA8LJfhjZ07-kJxoBtdwpLhUAJ10Z35k-UMNJCLnwr2Mwg_Qmwy23FfN_X99pen9B/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-mZWCHlZF66PH4MyFYsUBWZ8zsBge8kXaPgwEkbWhDiYAXZcfa3u1zitn848wskHhEf6fwcaL__zWHROOlVrLXysroSWfwWAhEa29yPQXre0BQx_979CVhmi3eGAG0ldxT7WdP-5IK3Be/s1600/screenshot.6.jpg)
- Once running, the server waits until a session is requested by the remote client:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiT1ddHM4IxSZPiCXzQv5s8DE_NIpNF4d0pDZ5SfTgY6yebtLuNMAPHcuSRwwHFzemPecVwawYuAzGD29RT5IQ_ZyTdBWJ5KYvS1TV08qgXSdG6j7w9G4HuISumrewSQnOLjfhSoq8nE2l/s1600/screenshot.7.jpg)
2.2 - dnscat2 client
- To download the client (for Windows):
https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-win32.zip
- Once the dnscat2 client has been downloaded to Windows, there is an executable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7xgBAD0X1zhhSBNUXBssqAhJ-4mWDOUlc2VnWT80Hxu6PDgBQleCa-ZRcYvG615-yXGQH_UyfqDxHUDf3Ho5pcH6kwvYgRUdYg7CmJXxnrSGAIKbbaxoyPOuHBfr6m2D-wtNMnj8pOrWe/s1600/screenshot.27.jpg)
3 - ESTABLISHING THE DNSCAT2 SESSION
- The session is initiated by the client, which calls the server in this way:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYZcrscX1o9-mwpv5l8kl-nQuna6Ia4FU7vHCxyf3e-U61xo9lMmKGT_pOsf9a8g65dsjtDmZXyvOjaqgEHnDQBPr-t-s4nJYb4DluP-KFbW9NCYGwebflTV_OfxtPHRc5ieZ9jrX3lcmQ/s1600/screenshot.10.jpg)
- The server acknowledges the session; it is very important to notice that the same string is shared between the two parties, client and server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjds4zSajxcLleYlCsPm7ruUx2Bq_9lUoeqLLguBN26UwmobzBol_XSZA1XIgSbra_f1UAENX36DLZ5jjuj15aq78iW3_WGEuxe_C3sVOEII7h0xVkhx6X2m2tFAcGgzy-SbjAnUYkCbE0N/s1600/screenshot.11.jpg)
- Connecting to session (window) 1, we get a command session prompt, command (NYC) 1>, indicating that the session has been successfully established:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0p_n3WHvTzbNrZQOxHcSJhQx6sv5RcBMEAqYWq6XgoU_hEZ8bvT2zjbc_k4AJKzCEtgToY2WxJenVxQv5ycLockLGJED_SyUpulNt8AyFXeXb-0CAj4LtFRKthe4plOaJ0dt840tbwMSs/s1600/screenshot.12.jpg)
- Available options:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibSEi_ojON1-iy-_3QVqFE_etW8weifbZm5WZjkruhR94LMv_qbSBdQQcFdCzg9l-FAmIAkYWUizlGiOp8hQ7wDZ_WxogFIua4-xAAa-BkmtBhPne7yqz1Qt1f_bVFziMXPL1eFE5_YLBy/s1600/screenshot.13.jpg)
4 - REMOTE COMMAND EXECUTION
- One example of how to execute commands remotely from Kali on Windows is launching the Calculator with the command exec calc.exe:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2dqHZDfZ7TlxtZE5yRF_5PxmxBl6bcBAuJchMbgj5BfYHPLzBf9bCz3QyN0JARked2nXdrhMwwz8JN3tdAv4pQUIlFXe_jrG7i0TMLh4En1VKRY4uMwUXBDagu8lnErLCzYjaMQ_cDj6o/s1600/screenshot.14.jpg)
- The remote execution is successful, as can be checked on the Windows side:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG9or1bMkMiE7b8kkqVZ5aixX7RJl5XJmrJQX2t1A05fej0jIGaCghAL3bdfty8lJJXZM-TV5E3PRW_EPH1LcBoDv4F5YOhS3p-UGep1fpgDInhFw1LO_ECLYDew29oZnelzIYmzR3Jhu_/s1600/screenshot.15.jpg)
5 - REMOTE SHELL
- The most powerful option is to spawn a remote shell by calling the command shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2T3jbf1rC_a8kRJPJa1jMwi50gdVNWZh8TBJ2MMaaYihYh-vy9oeCLctl7XW161CXu-rkJ4F096MIMx4VXOCRr5yKYgSehyh9SSSsTiXML4Nd6MXkSw33iVibHu7KUM0DPyveK5yOeXGd/s1600/screenshot.17.jpg)
- On the Windows side, the cmd.exe program is loaded:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGZwpPxRKIn3JJX3F8I5K5Vg9V0Nc0masogoCptNFOB0NvsQZn81_BNjWqhQetumtksNwWHd8S4z2zzNHsmvJaBUkoFVu1iTVU3Bs69KVFm_wXVR3lS9Tdg5mHmxzWwMD4l5WUjBRfa5fv/s1600/screenshot.16.jpg)
- Switching to the newly created session (window) 3, we have a remote shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwDDKbQVpUTRZ-GVuJ_nHvfNCBjba02vaI10fHr7kx9viBHsf_7rNIQt3GQQbVHHRYairwkfatSHA8xCkE78v0YKclhSG7N_WOV5bAxEfsT53AU8f4ukU9N8FAczOBet6vABi-cI8GGppn/s1600/screenshot.18.jpg)
- Running ipconfig and whoami from Kali to check that we are connected to the correct Windows machine (NYC):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ptf6gmk3Miw8ILzusgPzBYOuZJgvuGKs92kMJQaxoZM8IY2R10ic5ba2YvMY67A4uNd520O2WlkcahJMxloUXlWrPPzxEwVsNomuScjEfRESoDRse30dbDEhwjCo9NPs9TkqUGSXkT1u/s1600/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeIQmpcepFjZC67mr0H7KoI73VdhYmD0qMQ92nKkRyKuV-kJ8vpudpPrL8TmoUk0qwdp6dk9nAppJ5dnsjvtZsIKDfO4R4v1DsgXlcbTonlret71IS2So57eXRdMLnRvf0Sl2nDudaaW5O/s1600/screenshot.23.jpg)
6 - CAPTURING ENCRYPTED TRAFFIC
- Both tcpdump and Wireshark capture the traffic between the two parties, but the traffic is encrypted and not readable in plain text:
- Tcpdump:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsx8IHslO-y0jVCJOcgsNWFtVIvgFipCs4qouyizqIeZCqC7sTdoGvEoipHhuU9_MkmSh7UwCIVyCFrFsEA6Q2uhynqM9NwSv-mhxWjHqcGCVyNDYOX8tBT0eZ0kgdhCYc9pG9OvONNPiG/s1600/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8llKcvr4iELNraeXw7kTJOmsopGryUp3IkEcM2Xs-n3AZ4KyLzHdrlKMOUhAk9rnKv2IJMU9V70EfCxePPwehqkTokK0pQJHZAVMv-KFnRak9dG_fcf2yWF9frRV6IpReEKXM3-ipy9rp/s1600/screenshot.19.jpg)
- Wireshark with Follow UDP Stream:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd2lHFjqSxlk_8QyFEm1tqdH_x-MrGVk9DwsRHy_MGY25630liZfTHeUfiKzyJThAt_UtGs0MnSCRNJ0wryaWM_uHA2DmLmBIAFmB9FuMLBZkd4KtdzFqoh22s9JiECCHUSm3sHHJM_qnR/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4DR_LumZZUS5CjhYaqYLRpPWCoM6a69wCOsyWy3HfnXHhF9gtVNvFuKw3d8JOXPFOFezUE6rM7yuLF6YVZI3WNMVRkjgHk2lzST-GlsWLpd5u-czMaa33uNJBpkWMNFsUkJnLlNsGNvUu/s1600/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNsZpr59eCmoRipnJq__OPuOCBTktDtwo35l4n5YD7ZHZK2c-JhCVKuUVmfRb_qUBu9wa2I2POSw9Ro6_88jJMWebR0XjXiK_uoWQUVkBS_5Wx780vzRm0oWjb1p97C7dI48SduIu2nUqv/s1600/screenshot.21.jpg)
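Because the payload is encrypted, a defender cannot read the commands, but the metadata the text mentions (the "dnscat." prefix of direct mode, data-carrying record types, and the long random-looking subdomain labels) is still visible in resolver logs. As an added defender-side example, not code from the original post or from the dnscat2 project, the following Python scores query log lines on those signals; the log format, domains, thresholds and hex labels are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one "client qtype qname" per line.  The long
# hex labels only imitate the shape of dnscat2 traffic; the values are made up.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 TXT 9f3a1c2e7b44d0a6e81f5c3b2a9d7e60.c2.example.net
10.0.0.7 CNAME 4e7d2b9a0c13f86e5ab7d92c1e0f3a48.c2.example.net
10.0.0.7 TXT dnscat.0a3f9e2c7b1d5e8a4c6f2b9d1e3a7c05
10.0.0.5 A cdn.example.com
"""

DATA_QTYPES = {"TXT", "CNAME", "MX"}  # record types dnscat2 uses to carry data
MAX_LABEL_LEN = 30                    # assumed tuning value for a "long" label
MIN_ENTROPY = 3.5                     # bits/char; hex-like payload labels score ~3.9

def shannon_entropy(s):
    """Bits of entropy per character; random-looking payload labels score high."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def query_indicators(qtype, qname):
    """List the tunneling indicators one query shows (empty for a normal lookup)."""
    labels = qname.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    if labels[0] == "dnscat":
        reasons.append("dnscat. prefix (direct UDP/53 mode)")
    if qtype.upper() in DATA_QTYPES:
        reasons.append("data-carrying record type " + qtype.upper())
    if len(longest) > MAX_LABEL_LEN:
        reasons.append("long label (%d chars)" % len(longest))
    if shannon_entropy(longest) >= MIN_ENTROPY:
        reasons.append("high-entropy label")
    return reasons

def suspicious_clients(log_text, min_indicators=2):
    """Map each client to how many of its queries show >= min_indicators signals."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qtype, qname = parts
        if len(query_indicators(qtype, qname)) >= min_indicators:
            hits[client] += 1
    return dict(hits)
```

Restricting outbound UDP/53 to the organisation's own resolvers stops the direct mode; the relayed mode still passes through the internal resolver, where these query patterns can be logged and scored.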