I wanted to do a quick three-part series on c2 over DNS. I'll cover a little of the what and how. This is only to help me better understand as I've learned that explaining it to other people helps you realize what you don't understand yourself. I'll focus a little more on implementation using dnscat2, DigitalOcean, and Namecheap. What prompted this? I was trying to set this up for lab purposes and realized that just getting the settings right in Namecheap was a little tricky SO...I decided to document it.
Authoritative DNS in Namecheap
I guess step one is buying a domain. I won't walk you through that. I'll start with you having a domain. For demo purposes, I got ahold of not-evil.network. The whole idea behind DNS as a communication channel requires you have the authoritative DNS server for a domain. Why? We want any DNS request for a domain to be routed directly to us so that data can be embedded in the requests and responses. I'll go a little more into the specifics in post 3. I was thinking it might even be fun to run a packet capture and do a little packet dissection to help it all make sense.
Step 1: Get the IP Address for your VPS
First, make sure you grab the IP address of your C2 server. In the Digital Ocean panel this is pretty simple:
Step 2: Create Custom DNS Servers
Next, jump over to your Namecheap account. When you first sign in you will land on the dashboard with a list of the domains you own. Click the 'Manage' button beside the domain you are going to use and navigate to the advanced DNS page for that domain.
Since Namecheap doesn't know about your new VPS as an authoritative nameserver we have to inform them before we can point DNS requests to ourselves. The last section on this page is called 'personal DNS server' and that's what we need. Click the 'Add Nameserver' button.
Select whatever the prefix will be for your nameserver in the provided list (I used ns1 and ns2) and paste in the IP address of your VPS in the 'IP address' field. Make sure you click 'done' so that everything is saved and you are good to go.
Step 3: View the Custom DNS Servers to Make Sure They've Been Added (how to change etc)
I added this step in when I had to change the IP address of my nameserver later on. To confirm that the servers have been added OR if you need to remove the down the line (ie. you want to add in a different custom nameserver) use the search function. When you hit the search button you should get a list of servers below. There you can see what you've added in or delete them if you want to.
Step 4: Point at Your New DNS Servers
Next, just navigate over to your Domain page from the top navigation bar.
Scroll down till you see the 'nameservers' section. Now you can add your nameservers based on your domain name and Namecheap will know what to do.
Step 5: Test it
You should be ready to go now. You can fire up a listener on your VPS box with netcat.
nc -l -v -p53
Then do a lookup for your domain.
And see if the request comes through.
Ok that wasn't so bad. Next time we will get dnscat2 setup and run some tasks. In the final post we will dissect some packets. Good luck and ping me on twitter if you have any questions.