DNS Tunneling is a common technique for bypassing a proxy, IPS or firewall to communicate with an external C2 server. It is usually achieved by querying TXT and CNAME records, with the query and response data hex-encoded. Let me walk through an example below:
Let's first describe a little of how DNS Tunneling works. An infected client polls the server with the following query:
Query: Request TXT record for “61726574686572656E6577636F6D6D616E64730D0A.tunnel.com”
If you decode the string “61726574686572656E6577636F6D6D616E64730D0A”, it reads “aretherenewcommands”. If the server has a command it wants the client to execute, it responds with the string “686F73746E616D65”, which decodes to “hostname”.
In order to achieve DNS Tunneling, we have to have access to and control of both the client and a DNS server. Here I will use dnscat2 to demonstrate how to use DNS Tunneling to communicate with the C2 and execute commands on the victim from our Kali machine.
DNS Server
As I said above, in order to achieve DNS Tunneling you have to control a DNS server. In this demonstration I use DNSMasq as my DNS server. If you want to know how to set up DNSMasq, please refer to my previous Medium article here. In /etc/dnsmasq.conf, add the following line and restart the dnsmasq service.
server=/tunnel.com/192.168.0.74
The IP address in this configuration is the address of your Kali machine running the dnscat2 server.
Kali Machine
Kali has the dnscat2 package in its repository, so you can install it easily with the apt install dnscat2 command. Once it is installed, run dnscat2-server followed by the domain name configured in dnsmasq.conf. Please see the following:
dnscat2 encrypts connections by default, but we may also specify a pre-shared key to guard against a man-in-the-middle situation.
Victim Machine
On the victim machine, since we are using Windows 10 as the operating system, we have to download the pre-built dnscat2 client executable first. We can download it from here. Once we have the executable on the system, we run it followed by the domain name as well. To show all the DNS queries generated during the DNS Tunneling session, I will also open Wireshark to capture DNS traffic. Please see the following to use dnscat2 to connect back to our C2 server, the Kali machine.
Communication with the C2 server
Once the connection has been established, we can go back to our Kali machine and execute whatever command we want.
Going back to Wireshark, we can observe lots of DNS CNAME and TXT queries; every query string is hex-encoded and followed by the tunnel.com domain name. Please see below.
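As an added example (not part of the original article and not dnscat2's own code), here is a small Python script that covers both observations from a defender's seat: it hex-decodes labels such as the one quoted at the start of the article, and it scans DNS query logs for the pattern visible in Wireshark, namely many TXT and CNAME queries whose leading label is a long hex string under a single zone. The log lines are constructed here in the format dnsmasq writes when `log-queries` is enabled; the minimum label length, hit threshold and two-label zone heuristic are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the format dnsmasq writes with `log-queries`
# enabled. The first query carries the hex string quoted in the article; the
# 192.168.0.21/22 lines are ordinary lookups that must not be flagged.
SAMPLE_LOG = """\
Jan 12 10:15:01 dnsmasq[1234]: query[TXT] 61726574686572656E6577636F6D6D616E64730D0A.tunnel.com from 192.168.0.20
Jan 12 10:15:02 dnsmasq[1234]: query[CNAME] 0d0a68656c6c6f2066726f6d20636c69656e74.tunnel.com from 192.168.0.20
Jan 12 10:15:03 dnsmasq[1234]: query[TXT] 686f73746e616d650d0a.tunnel.com from 192.168.0.20
Jan 12 10:15:03 dnsmasq[1234]: query[CNAME] 77696e31302d6c6170746f700d0a.tunnel.com from 192.168.0.20
Jan 12 10:15:04 dnsmasq[1234]: query[A] www.example.com from 192.168.0.21
Jan 12 10:15:05 dnsmasq[1234]: query[TXT] example.com from 192.168.0.21
Jan 12 10:15:06 dnsmasq[1234]: query[A] dc01.corp.example.com from 192.168.0.22
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def hex_labels(name, min_len=8):
    """Return the labels of `name` that look like hex-encoded payload.

    A label counts when it is all hex digits, has even length (whole bytes) and
    is at least `min_len` characters, so short hex-looking words are ignored.
    """
    return [
        label for label in name.split(".")
        if HEX_RE.match(label) and len(label) % 2 == 0 and len(label) >= min_len
    ]


def decode_label(label):
    """Hex-decode one label for analyst triage; non-printable bytes become '.'."""
    raw = bytes.fromhex(label)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def zone_of(name, depth=2):
    """Crude registered-domain approximation: keep the last `depth` labels."""
    return ".".join(name.split(".")[-depth:])


def parse_queries(log_text):
    """Yield (qtype, name, client) for every query line in dnsmasq log text."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def find_tunnel_candidates(log_text, min_hits=3):
    """Group TXT/CNAME queries with hex-looking labels by (client, zone).

    Returns {(client, zone): [decoded payload, ...]} for every pair that reaches
    `min_hits`; a single hex-looking label is noise, a stream of them is not.
    """
    hits = defaultdict(list)
    for qtype, name, client in parse_queries(log_text):
        if qtype not in ("TXT", "CNAME"):
            continue
        labels = hex_labels(name)
        if not labels:
            continue
        hits[(client, zone_of(name))].append(decode_label("".join(labels)))
    return {key: payloads for key, payloads in hits.items() if len(payloads) >= min_hits}


if __name__ == "__main__":
    for (client, zone), payloads in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {len(payloads)} hex-labelled TXT/CNAME queries")
        for payload in payloads:
            print("   ", payload)
```

Note that dnscat2 encrypts by default, so on a real capture the decoded payloads will be gibberish rather than readable commands; the detection still works because it keys on the shape of the traffic (record type, label format, volume per client and zone), not on the content.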
Conclusion
As an experienced pentester, bypassing network filters is one of the critical jobs. In most organisations DNS traffic is treated as normal traffic and is usually neither monitored nor inspected. With the DNS Tunneling technique, we can easily establish communication with our C2 server outside the organisation.
Hope this article helps you in any way. Happy bypassing.