DNS Tunneling Using dnscat2
The tool dnscat2 works over the DNS protocol. It can be used to create an encrypted tunnel for exfiltrating data in a stealthy manner, since DNS traffic is rarely blocked at the perimeter. The tool is composed of two parts: the server and the client. The data is carried inside DNS TXT records.
Server installation
The server is installed on the attacker host. The tool is written in Ruby, so Ruby and the gem package manager must be installed first.
We can start the DNS server on our attacker host with the following command:
As can be seen below, the dnscat2 server returned a secret key. This key is used to establish the encrypted connection with the client.
Above, the --no-cache option is required because the PowerShell module client that we will use does not support the caching option.
Client installation
The client is configured on the compromised host. It exfiltrates data over DNS by sending queries that end up at our external authoritative DNS server. There are two options for the client: the client shipped with the dnscat2 project, or a PowerShell module client (see Resources). We chose the second option, so we uploaded the script to the target Windows system and imported the module in PowerShell.
Then, for the client to connect back to our external DNS server, we executed the following command:
Establishing a session
The value of the -PreSharedSecret flag corresponds to the secret returned by the DNS server. We requested that a CMD shell session be started by using the -Exec cmd flag.
Below, we can see that an interactive session was started. Data transmission is somewhat slow because everything travels over the DNS protocol.
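From the defender's side, a tunnel like the one above leaves a recognisable footprint in resolver logs: bursts of TXT queries to a single domain whose subdomain labels are long and high-entropy because they carry encoded data. The following is an added example, not part of the original writeup and not dnscat2 code, that scores constructed resolver log lines for that pattern; the log format, the domain names and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the original writeup); assumed format: <timestamp> <client_ip> <qtype> <qname>
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:03Z 10.0.0.5 TXT _dmarc.example.com
2024-05-01T09:00:04Z 10.0.0.7 TXT 4a1b9c0d7e2f3a5b6c8d.9e0f1a2b3c4d5e6f7a8b.tunnel.invalid
2024-05-01T09:00:05Z 10.0.0.7 TXT 0c3d5e7f9a1b3c5d7e9f.1a3b5c7d9e1f3a5b7c9d.tunnel.invalid
2024-05-01T09:00:06Z 10.0.0.7 TXT c8d0e2f4a6b8c0d2e4f6.a8b0c2d4e6f8a0b2c4d6.tunnel.invalid
2024-05-01T09:00:08Z 10.0.0.5 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data approaches 4.0, ordinary hostnames stay well below 3.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def domain_features(log_text: str) -> dict:
    """Per registered domain (approximated as the last two labels): query count, TXT count, and mean payload length/entropy."""
    feats = defaultdict(lambda: {"queries": 0, "txt": 0, "payload_len": 0.0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, _client, qtype, qname = parts
        name = qname.rstrip(".").lower()
        dom = ".".join(name.split(".")[-2:])
        payload = name[: -len(dom)].rstrip(".").replace(".", "")  # labels left of the domain carry the data
        f = feats[dom]
        f["queries"] += 1
        f["txt"] += 1 if qtype.upper() == "TXT" else 0
        f["payload_len"] += len(payload)
        f["entropy"] += shannon_entropy(payload)
    for f in feats.values():  # turn the sums into per-query averages
        f["payload_len"] /= f["queries"]
        f["entropy"] /= f["queries"]
    return feats

def flag_tunnels(log_text, min_queries=3, min_len=30, min_entropy=3.0, min_txt_ratio=0.5):
    """Domains matching a TXT-tunnel pattern; thresholds are assumptions, tune them against your own baseline traffic."""
    flagged = []
    for dom, f in domain_features(log_text).items():
        if (f["queries"] >= min_queries and f["payload_len"] >= min_len
                and f["entropy"] >= min_entropy and f["txt"] / f["queries"] >= min_txt_ratio):
            flagged.append(dom)
    return sorted(flagged)
```

Running flag_tunnels(SAMPLE_LOG) reports only tunnel.invalid; the legitimate _dmarc TXT lookup is not flagged because its label is short and low-entropy and the domain's overall query mix is ordinary.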
Resources
Baggett, Luke. PowerShell DNS Command & Control with dnscat2-powershell