본문 바로가기
카테고리 없음

Dns Tunneling Windows

icduconcortilu 2020. 10. 29. 22:08


***** NOTE: The password for the .zip downloads are all 'password'! *****

Welcome to dnscat2, a DNS tunnel that WON'T make you sick and kill you!

This tool is designed to create an encrypted command-and-control (C&C)channel over the DNS protocol, which is an effective tunnel out ofalmost every network.

Iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed. It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows and needs a TUN/TAP device. There is a Java implementation that works on Windows on analogbit.com: tcp-over-dns. Tcp-over-dns contains a special dns server and a special dns client. The client and server work in tandem to provide a TCP (and UDP!) tunnel through the standard DNS protocol. This is similiar to the defunct NSTX dns tunelling software. Even with IPv6 fully disabled it still doens't work when split tunneling is enabled. Windows 10 keeps using my ISP's DNS server in that case, where Windows 8.1 would use my company's DNS server regardless of the split tunneling option. The parallel DNS queries seem to be only part of the problem.

This README file should contain everything you need to get up andrunning! If you're interested in digging deeper into the protocol, howthe code is structured, future plans, or other esoteric stuff, checkout the doc/ folder.

This is released under the BSD license. See LICENSE.md formore information.

dnscat2 comes in two parts: the client and the server.

The client is designed to be run on a compromised machine. It's writtenin C and has the minimum possible dependencies. It should run just aboutanywhere (if you find a system where it doesn't compile or run, pleasefile a ticket, particularly if you can help me get access to saidsystem).

When you run the client, you typically specify a domain name. Allrequests will be sent to the local DNS server, which are then redirectedto the authoritative DNS server for that domain (which you, presumably,have control of).

If you don't have an authoritative DNS server, you can also use directconnections on UDP/53 (or whatever you choose). They'll be faster, andstill look like DNS traffic to the casual viewer, but it's much moreobvious in a packet log (all domains are prefixed with 'dnscat.', unlessyou hack the source). This mode will frequently be blocked by firewalls.

The server is designed to be run on an authoritative DNSserver. It's in ruby, and depends onseveral different gems. When you run it, much like the client, youspecify which domain(s) it should listen for in addition to listeningfor messages sent directly to it on UDP/53. When it receives traffic forone of those domains, it attempts to establish a logical connection. Ifit receives other traffic, it ignores it by default, but can alsoforward it upstream.

Detailed instructions for both parts are below.

dnscat2 strives to be different from other DNS tunneling protocols bybeing designed for a special purpose: command and control.

This isn't designed to get you off a hotel network, or to get freeInternet on a plane. And it doesn't just tunnel TCP.

It can tunnel any data, with no protocol attached. Which means it canupload and download files, it can run a shell, and it can do thosethings well. It can also potentially tunnel TCP, but that's only goingto be added in the context of a pen-testing tool (that is, tunneling TCPinto a network), not as a general purpose tunneling tool. That's beendone, it's not interesting (to me).

It's also encrypted by default. I don't believe any other public DNStunnel encrypts all traffic!

Here are some important links:

  • Downloads (you'll find signed Linux 32-bit, Linux 64-bit, Win32, and source code versions of the client, plus an archive of the server - keep in mind that that signature file is hosted on the same server as the files, so if you're worried, please verify my PGP key :) )
  • User documentation A collection of files, both for end-users (like the Changelog) and for developers (like the Contributing doc)
  • Issue tracker (you can also email me issues, just put my first name (ron) in front of my domain name (skullsecurity.net))

The theory behind dnscat2 is simple: it creates a tunnel over the DNSprotocol.

Why? Because DNS has an amazing property: it'll make its way from serverto server until it figures out where it's supposed to go.

That means that for dnscat to get traffic off a secure network, itsimply has to send messages to a DNS server, which will happilyforward things through the DNS network until it gets to your DNSserver.

That, of course, assumes you have access to an authoritative DNS server.dnscat2 also supports 'direct' connections - that is, running a dnscatclient that directly connects to your dnscat on your ip address and UDPport 53 (by default). The traffic still looks like DNS traffic, andmight get past dumber IDS/IPS systems, but is still likely to be stoppedby firewalls.

If you aren't clear on how to set up an authoritative DNS server, it'ssomething you have to set up with a domain provider.izhan helpfully wroteonefor you!

Compiling

Client

Compiling the client should be pretty straight forward - all you shouldneed to compile is make/gcc (for Linux) or either Cygwin or MicrosoftVisual Studio (for Windows). Here are the commands on Linux:

On Windows, load client/win32/dnscat2.vcproj into Visual Studio and hit'build'. I created and test it on Visual Studio 2008 - until I get afree legit copy of a newer version, I'll likely be sticking with thatone. :)

If compilation fails, please file a bug on my githubpage! Please send detailsabout your system.

You can verify dnscat2 is successfully compiled by running it with noflags; you'll see it attempting to start a DNS tunnel with whatever yourconfigured DNS server is (which will fail):

Server

The server isn't 'compiled', as such, but it does require some Rubydependencies. Unfortunately, Ruby dependencies can be annoying to getworking, so good luck! If any Ruby experts out there want to help makethis section better, I'd be grateful!

I'm assuming you have Ruby and Gem installed and in working order. Ifthey aren't, install them with either apt-get, emerge, rvm, orhowever is normal on your operating system.

Once Ruby/Gem are sorted out, run these commands (note: you canobviously skip the git clone command if you already installed theclient and skip gem install bundler if you've already installedbundler):

If you get a permissions error with gem install bundler or bundler install, you may need to run them as root. If you have a lot ofproblems, uninstall Ruby/Gem and install everything using rvm andwithout root.

If you get an error that looks like this:

It means you need to install the -dev version of Ruby:

I find that sudo isn't always enough to get everything working right,I sometimes have to switch to root and work directly as that account.rvmsudo doesn't help, because it breaks ctrl-z.

Dns Tunneling Windows 7

You can verify the server is working by running it with no flags andseeing if you get a dnscat2> prompt:

If you don't run it as root, you might have trouble listening on UDP/53(you can use --dnsport to change it). You'll see an error message ifthat's the case.

Ruby as root

If you're having trouble running Ruby as root, this is what I do to runit the first time:

And subsequent times:

rvmsudo should make it easier, but dnscat2 doesn't play well withrvmsudo unfortunately.

Usage

Client + server

Before we talk about how to specifically use the tools, let's talk abouthow dnscat is structured. The dnscat tool is divided into two pieces: aclient and a server. As you noticed if you went through the compilation,the client is written in C and the server is in Ruby.

Generally, the server is run first. It can be long lived, and handle asmany clients as you'd like. As I said before, it's basically a C&Cservice.

Later, a client is run, which opens a session with the server (more onsessions below). The session can either traverse the DNS hierarchy(recommended, but more complex) or connect directly to the server.Traversing the DNS hierarchy requires an authoritative domain, but willbypass most firewalls. Connecting directly to the server is moreobvious for several reasons.

By default, connections are automatically encrypted (turn it off on theclient with --no-encryption and on the server with --security=open).When establishing a new connection, if you're paranoid aboutman-in-the-middle attacks, you have two options for verifying the peer:

  • Pass a pre-shared secret using the --secret argument on both sidesto validate the connection
  • Manually verify the 'short authentication string' - a series of wordsthat are printed on both the client and server after encryption isnegotiated

Running a server

The server - which is typically run on the authoritative DNS server fora particular domain - is designed to be feature-ful, interactive, anduser friendly. It's written in Ruby, and much of its design is inspiredby Metasploit and Meterpreter.

If you followed the compilation instructions above, you should be ableto just run the server: Maxi pc suite free download.

Where 'skullseclabs.org' is your own domain. If you don't have anauthoritative DNS server, it isn't mandatory; but this tool works way,way better with an authoritative server.

That should actually be all you need! Other than that, you can test itusing the client's --ping command on any other system, which should beavailable if you've compiled it:

If the ping succeeds, your C&C server is probably good! If you ran theDNS server on a different port, or if you need to use a custom DNSresolver, you can use the --dns flag in addition to --ping:

Note that when you specify a --dns argument, the domain has to be partof that argument (as domain=xxx). You can't just pass it on thecommandline (due to a limitation of my command parsing; I'll likelyimprove that in a future release).

When the process is running, you can start a new server using basicallythe exact same syntax:

You can run as many DNS listeners as you want, as long as they're ondifferent hosts/ports. Once the data comes in, the rest of the processdoesn't even know which listener data came from; in fact, a client cansend different packets to different ports, and the session will continueas expected.

Running a client

The client - which is typically run on a system after compromising it -is designed to be simple, stable, and portable. It's written in C andhas as few library dependencies as possible, and compiles/runs nativelyon Linux, Windows, Cygwin, FreeBSD, and Mac OS X.

The client is given the domain name on the commandline, for example:

In that example, it will create a C&C session with the dnscat2 serverrunning on skullseclabs.org. If an authoritative domain isn't an option,it can be given a specific ip address to connect to instead:

Dns Tunneling Windows

Assuming there's a dnscat2 server running on that host/port, it'llcreate a session there.

Tunnels

Yo dawg; I hear you like tunnels, so now you can tunnel a tunnel throughyour tunnel!

It is currently possible to tunnel a connection through dnscat2, similarto 'ssh -L'! Other modes ('ssh -D' and 'ssh -R') are coming soon aswell!

After a session has started (a command session), the command 'listen' isused to open a new tunnelled port. The syntax is roughly the same as ssh-L:

The local host is option, and will default to all interfaces (0.0.0.0).The local port and remote host/port are mandatory.

The dnscat2 server will listen on lport. All connections received tothat port are forwarded, via the dnscat2 client, to the remote host/portchosen.

See ADDITIONAL PURCHASE NECESSARY TO ENTER OR WIN. Open only to legal residents of 50 US/DC, 18+. Hp 4700 printer manual. ANY ADDITIONAL PURCHASE WILL NOT INCREASE YOUR CHANCES OF WINNING.

For example, this will listen on port 4444 (on the server) and forwardtraffic to google:

Then, if you connect to http://localhost:4444, it'll come out thednscat2 client and connect to google.com.

Let's say you're using this on a pentest and you want to forward sshconnections through the dnscat2 client (running on somebody's corpnetwork) to an internal device. You can!

That'll only listen on the localhost interface on the dnscat2 server,and will forward connections via the tunnel to port 22 of 10.10.10.10.

Encryption

dnscat2 is encrypted by default.

I'm not a cryptographer, and by necessity I came up with the encryptionscheme myself. As a result, I wouldn't trust this 100%. I think I did apretty good job preventing attacks, but this hasn't beenprofessionally audited. Use with caution.

There is a ton of technical information about the encryption in theprotocol doc. But here are the basics.

By default, both the client and the server support and will attemptencryption. Each connection uses a new keypair, negotiated by ECDH. Allencryption is done by salsa20, and signatures use sha3.

Encryption can be disabled on the client by passing --no-encryption onthe commandline, or by compiling it using make nocrypto.

The server will reject unencrypted connections by default. To allowunencrypted connections, pass --security=open to the server, or runset security=open on the console.

By default, there's no protection against man-in-the-middle attacks. Asmentioned before, there are two different ways to gain MitM protection:a pre-shared secret or a 'short authentication string'.

A pre-shared secret is passed on the commandline to both the client andthe server, and is used to authenticate both the client to the serverand the server to the client. It should be a somewhat strong value -something that can't be quickly guessed by an attacker (there's only ashort window for the attacker to guess it, so it only has to hold up fora few seconds).

The pre-shared secret is passed in via the --secret parameter on boththe client and the server. The server can change it at runtime usingset secret=<new value>, but that can have unexpected results if activeclients are connected.

Furthermore, the server can enforce only authenticated connections areallowed by using --security=authenticated or set security=authenticated. That's enabled by default if you pass the--secret parameter.

If you don't require the extra effort of authenticating connections,then a 'short authentication string' is displayed by both the client andthe server. The short authentication string is a series of English wordsthat are derived based on the secret values that both sides share.

If the same set of English words are printed on both the client and the server,the connection can be reasonably considered to be secure.

That's about all you need to know about the encryption! See the protocoldoc for details! I'd love to hear any feedback on the crypto, as well.:)

And finally, if you have any problems with the crypto, please let meknow! By default a window called 'crypto-debug' will be created at thestart. If you have encryption problems, please send me that log! Or,better yet, run dnscat2 with the --firehose and --packet-tracearguments, and send me EVERYTHING! Don't worry about revealing privatekeys; they're only used for that one session.

dnscat2's Windows

The dnscat2 UI is made up of a bunch of windows. The default window iscalled the 'main' window. You can get a list of windows by typingwindows (or sessions) into any command prompt:

You'll note that there are two windows - window 0 is the main window,and window dns1 is the listener (technically referred to as the'tunnel driver').

From any window that accepts commands (main and command sessions), youcan type help to get a list of commands:

For any of those commands, you can use -h or --help to get details:

We'll use the window command to interact with dns1, which is astatus window:

The received and sent strings there are, if you decode them, pings.

You can switch to the 'parent' window (in this case, main) by pressingctrl-z. If ctrl-z kills the process, then you probably have to find abetter way to run it (rvmsudo doesn't work, see above).

When a new client connects and creates a session, you'll be notified inmain (and certain other windows):

(Note that you have to press enter to get the prompt back)

You can switch to the new window the same way we switched to the dns1status window:

Command sessions can spawn additional sessions; for example, the shellcommand:

(Note that throughout this document I'm cleaning up the output; usuallyyou have to press enter to get the prompt back)

How Dns Tunneling Works

Then, if you return to the main session (ctrl-z or suspend, you'll seeit in the list of windows:

Unfortunately, the 'windows' command in a specific command session onlyshows child windows from that session, and right now new sessions aren'tspawned as children.

Dns Tunneling Windows Xp

Note that some sessions have [*] - that means that there's beenactivity since the last time we looked at them.

When you interact with a session, the interface will look differentdepending on the session type. As you saw with the default session type(command sessions) you get a UI just like the top-level session (you cantype 'help' or run commands or whatever). However, if you interact witha 'shell' session, you won't see much immediately, until you type acommand:

/home/ron/tools/dnscat2/client

To escape this, you can use ctrl-z or type 'exit' (which will kill thesession).

Lastly, to kill a session, the kill command can be used:

In the past, there were several DNS tunneling tools. One was calleddnscat, written by Tadek Pietraszek. The problem is, it's written in Java, and I really wanted something that could run basically everywhere.

That version of dnscat was based on a tool called NSTX, whose page nolonger exists and isn't even in theWayback Machine, so I know nothing about it.

Later, I wrote a C implementation and called it dnscat (withoutpermission), since the previous Java version was unmaintained and Ireally liked the name (I toyed with calling it dnscat-ng, but -ng is abit wordy for my taste). It worked, but there were a lot of problems.The client and server were the same tool, like netcat, which, becauseDNS is such a client/server model, didn't work out that well. The otherproblem was that I had linked it too much to the DNS protocol, so itcould only run over DNS.

dnscat2 - the successor to dnscat - is an attempt to right some of thewrongs that I had committed. dnscat2 has a separate server (Ruby) andclient (C) and treats everything as a stream of bytes, and uses adriver, of sorts, to convert that stream of bytes into dns requests andback. Thus, it's a layered protocol, with DNS being a lower layer.

As a result, I invented a protocol that I'm calling the dnscat protocol.You can find documentation about it in docs/protocol.md. It's a simplepolling network protocol, where the client occasionally polls theserver, and the server responds with a message (or an error code). Theprotocol is designed to be resilient to the various issues I had withdnscat1 - that is, it can handle out-of-order packets, dropped packets,and duplicated packets equally well.

Tunnel Dns Windows 7

DNS tunneling is the process of creating a covert communications channel between a computer within a penetrated network and an outlaw server outside the network. Hackers can use this vector for command and control, data exfiltration or tunneling of any internet protocol traffic. Because DNS is not intended for data transfer, security professionals can easily overlook it as a threat for malicious communications or for data exfiltration.

Threatcare offers powerful cybersecurity risk mitigation through proactive cyber defense. This enables companies to know if they’re systems are at risk. This is one of the many threats we assess, providing visibility and insight into your company’s vulnerability to DNS tunneling. To ensure good security hygiene, hacking simulations should be a regular practice for every company.

Dns Tunneling Wikipedia

Detect DNS Tunneling

Organizations should make sure they are monitoring their DNS requests properly. If there is evidence that data exfiltration or DNS tunneling has possibly occurred, reviewing DNS monitoring logs or accessing the DNS server directly to review query history should be a top priority. DNS tunneling can be detected either through payload analysis and/or traffic analysis. Payload analysis involves dissecting a query for abnormal features such as the lengthy character makeup of DNS or uncommon record types not typically used by a client. Traffic Analysis involves looking at multiple requests/response pairs over time. The amount and frequency of requests can be used for an indication of tunneling.

Dns Tunneling Software For Windows

Threatcare believes in defense-in-depth. By implementing controls that use both payload analysis and traffic analysis an organization moves closer to a stronger security posture in preventing DNS tunneling and other hacking techniques. At the end of the day an organization has the right to know if they’re secure.





티스토리툴바