'This tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network....
dnscat2 comes in two parts: the client and the server.
The client is designed to be run on a compromised machine. It's written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesn't compile or run, please file a ticket, particularly if you can help me get access to said system).
When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain (which you, presumably, have control of).
If you don't have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). They'll be faster, and still look like DNS traffic to the casual viewer, but it's much more obvious in a packet log (all domains are prefixed with "dnscat.", unless you hack the source). This mode will frequently be blocked by firewalls.
The server is designed to be run on an authoritative DNS server. It's in ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection. If it receives other traffic, it ignores it by default, but can also forward it upstream.'
Now, back to more fumbling in the dark. So, what do I have at my disposal? Just two things, my production machine running Windows 10 & my trusty VPS (based in a different country). Naturally, I chose the VPS to run the server & my personal/work computer to run the client, which compromises the machine. Oops. Well here we go :

We create a new user for the purpose of setting up the dnscat2 server. The bundler can ask for escalated privileges if required, but we don't want to install it as root as that will break it for all non-superusers. Once this is done, we run the server on port 5353 & we also place the client on the machine to be compromised & run that too :


Here's the cool part. So I've established a dns tunnel between my Windows 10 box & the remote server. In order to verify the connection is actually between these two nodes, dnscat2 displays a sequence of strings in each terminal which should match each other exactly. Below is a picture of the command line from the windows 10 machine running the client & the VPS running the server. As we should expect, both string sequences match :
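Those matching strings are a short authentication string: the key exchange that sets up the encrypted session is unauthenticated on its own, so both ends derive a few words from the key they ended up with and show them to the operator. If someone on the path had substituted their own key material, each end would share a key with the attacker rather than with each other, and the words would differ. The mechanism reduced to its core, as an added example that is not dnscat2's code and does not reproduce its actual key exchange or word list: a plain finite-field Diffie-Hellman exchange over RFC 3526 group 14 (chosen because it needs only the standard library), a SHA-256 derived four-word string, and the honest and man-in-the-middle cases side by side.

```python
import hashlib
import secrets

# RFC 3526 MODP group 14 (2048-bit prime, generator 2). Copied from the RFC for
# the demo; verify it against the RFC before reusing it anywhere real.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NBYTES = 256  # every value below is < P, so it fits in 2048 bits

# A 32-entry word list chosen for this demo (dnscat2's own list is not reproduced).
WORDS = ("anvil bacon cable delta eagle fable gamma hotel igloo jolly karma lemon "
         "mango noble ocean piano quark radio sigma tango ultra vivid whale xenon "
         "yacht zebra amber bison cedar dusty ember flint").split()


def keypair():
    """Random private exponent x and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """(g^y)^x mod p: equal on both ends only if both saw the other's real public value."""
    return pow(peer_pub, priv, P)


def sas(secret, pub_a, pub_b):
    """Short authentication string: 4 words derived from the shared secret and
    both public values (order-independent so both ends compute the same thing)."""
    lo, hi = sorted((pub_a, pub_b))
    h = hashlib.sha256(b"dnscat-demo-sas"
                       + secret.to_bytes(NBYTES, "big")
                       + lo.to_bytes(NBYTES, "big")
                       + hi.to_bytes(NBYTES, "big")).digest()
    return " ".join(WORDS[h[i] % len(WORDS)] for i in range(4))


def honest_session():
    """Client and server exchange public values directly; both derive one SAS."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    return (sas(shared_secret(c_priv, s_pub), c_pub, s_pub),   # client's terminal
            sas(shared_secret(s_priv, c_pub), c_pub, s_pub))   # server's terminal


def mitm_session():
    """An attacker on the path replaces each side's public value with their own.
    Each end now shares a key with the attacker, not with each other, and the
    two strings shown on the terminals no longer match."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    m_priv, m_pub = keypair()
    client_sees = sas(shared_secret(c_priv, m_pub), c_pub, m_pub)
    server_sees = sas(shared_secret(s_priv, m_pub), s_pub, m_pub)
    return client_sees, server_sees


if __name__ == "__main__":
    a, b = honest_session()
    print("honest:  client", a, "| server", b, "| match" if a == b else "| MISMATCH")
    a, b = mitm_session()
    print("mitm:    client", a, "| server", b, "| match" if a == b else "| MISMATCH")
```

Two caveats carry over to the real tool. The check only helps if the strings are actually compared over a channel the attacker does not control; glancing at one terminal proves nothing. And a four-word string is short, so an on-path attacker who can grind through candidate public values can try to force a match; when you control both ends anyway, as in this post, dnscat2's `--secret` pre-shared key on both server and client is the stronger way to authenticate the session.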

And here we have a little list of some of the commands that can be executed on the seemingly-helplessly-compromised host from the big bad command & control server :

Shortly after establishing the first encrypted session we encounter some stability/persistence problems & lose connectivity with my compromised host. Again, the second session crashes & I gather it's probably a result of not employing the use of an authoritative dns server, which dnscat2 works better with. Yeah, probably. Regardless we trudge on & actually manage to firstly ping between server & host :

Now for something a little more sinister. I use the exec command from the command & control server to unleash the mighty might of...
The notepad. Yes. I am going to remotely execute the notepad & write the world's worst novel onto this workstation & no-one (except me) can stop me!

At this point I think I realized it was probably a bad idea to have a client which acted as a kind of DNS backdoor into my workstation, so I packed it in & removed the client & rebuilt my VPS.