dnscat2 β DNS Tunnel Tool
iSpeech
This DNS tunnel tool named dnscat2 creates an encrypted tunnel over the DNS protocol primarily as a command-and-control (C&C) channel for penetration testers as outbound DNS is rarely blocked in networks.
[adsense size='1']
This makes it a very effective tunnel out of almost every network.
Overview
dnscat2 comes in two parts: the client and the server.
The client is designed to be run on a compromised machine. Itβs written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesnβt compile or run, please file a ticket, particularly if you can help me get access to said system).
When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain (which you, presumably, have control of).
If you donβt have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). Theyβll be faster, and still look like DNS traffic to the casual viewer, but itβs much more obvious in a packet log (all domains are prefixed with βdnscat.β, unless you hack the source). This mode will frequently be blocked by firewalls.
The server is designed to be run on an authoritative DNS server. Itβs in ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection. If it receives other traffic, it ignores it by default, but can also forward it upstream.
How is it different fromβ¦
dnscat2 strives to be different from other DNS tunnelling protocols by being designed for a special purpose: command and control.
This isnβt designed to get you off a hotel network, or to get free Internet on a plane. And it doesnβt just tunnel TCP.
It can tunnel any data, with no protocol attached. Which means it can upload and download files, it can run a shell, and it can do those things well. It can also potentially tunnel TCP, but thatβs only going to be added in the context of a pen-testing tool (that is, tunnelling TCP into a network), not as a general purpose tunnelling tool. Thatβs been done, itβs not interesting (to me).
Itβs also encrypted by default. I donβt believe any other public DNS tunnel encrypts all traffic!
You can download dnscat2 here:
Win32 Client β dnscat2-v0.05-client-win32.zip
Linux x86 Client β dnscat2-v0.05-client-x86.tar.bz2
Linux x64 Client β dnscat2-v0.05-client-x64.tar.bz2
Server β dnscat2-v0.05-server.zip
[adsense size='3']
Or read more here.
Gloss