dnscat2 – DNS Tunnel Tool


This DNS tunnel tool named dnscat2 creates an encrypted tunnel over the DNS protocol primarily as a command-and-control (C&C) channel for penetration testers as outbound DNS is rarely blocked in networks.

dnscat2 - DNS Tunnel Tool

This makes it a very effective tunnel out of almost every network.

Overview

dnscat2 comes in two parts: the client and the server.

The client is designed to be run on a compromised machine. It’s written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesn’t compile or run, please file a ticket, particularly if you can help me get access to said system).

When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain (which you, presumably, have control of).

If you don’t have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). They’ll be faster, and still look like DNS traffic to the casual viewer, but it’s much more obvious in a packet log (all domains are prefixed with “dnscat.”, unless you hack the source). This mode will frequently be blocked by firewalls.


The server is designed to be run on an authoritative DNS server. It’s in ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection. If it receives other traffic, it ignores it by default, but can also forward it upstream.

How is it different from…

dnscat2 strives to be different from other DNS tunnelling protocols by being designed for a special purpose: command and control.

This isn’t designed to get you off a hotel network, or to get free Internet on a plane. And it doesn’t just tunnel TCP.

It can tunnel any data, with no protocol attached. Which means it can upload and download files, it can run a shell, and it can do those things well. It can also potentially tunnel TCP, but that’s only going to be added in the context of a pen-testing tool (that is, tunnelling TCP into a network), not as a general purpose tunnelling tool. That’s been done, it’s not interesting (to me).

It’s also encrypted by default. I don’t believe any other public DNS tunnel encrypts all traffic!

You can download dnscat2 here:

Win32 Client – dnscat2-v0.05-client-win32.zip
Linux x86 Client – dnscat2-v0.05-client-x86.tar.bz2
Linux x64 Client – dnscat2-v0.05-client-x64.tar.bz2
Server – dnscat2-v0.05-server.zip

Or read more here.

Posted in: Networking Hacking


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.