DNS Tunneling
In this method DNS protocol is exploited to both exfiltrate and infiltrate data from a network. DNSCat2 tool is used for both running as a DNS server, at the control system end, and DNS client, at the compromized system end, to pass data between the systems. This tools comes handy in situations where DNS protocol is the only protocol allowed by the firewall that separates both the networks.
The DNS server has to be started on the system that you have direct control over using the following command,
Then the DNScat client binary has to be transferred to the compromized system using other channels and you should be able to execute commands on this system to start the dnscat client. This does present a significant hurdle as the tool by itself is being used in a scenario where other protocols and access are unavailable. However, the tool along with the initial command has to be delivered to the compromized system. The following command has to be executed,
Once the connection is successfull an inidicating message will be displayed in the terminal. The following commands can be executed at the server end to access a service on that system or network through the DNS protocol. In this scenario we take it that the target system is running a mysql db accessible only locally,
The last command will create a listening port on the control system to channel all sql commands to the target system on the port 3306. Since mysql accepts only local connection 127.0.0.1:3306 is used as a loop back on the target system.
In scenarios where a different system has to be accessed the IP Address along with the port should be used as the parameter in the above command.
The command execution and return of the results can be noticeably slow since each command and the data has to be passed as part of a DNS command.
Last updated