WEBVTT

00:00:01.040 --> 00:00:06.990
Welcome to Exfiltration with Dnscat2. My name is Cristian Pascariu, and

00:00:06.990 --> 00:00:11.410
in this course, you will learn how to bypass network defenses, and manage

00:00:11.410 --> 00:00:16.530
to exfiltrate data during Red Team and penetration testing engagements.

00:00:16.530 --> 00:00:20.550
dnscat2 is a DNS tunneling tool.

00:00:21.810 --> 00:00:26.160
It's created by Ron Bowes and is designed to create an encrypted

00:00:26.210 --> 00:00:29.750
command and control channel over the DNS protocol.

00:00:30.740 --> 00:00:36.290
One unique aspect of dnscat2 is its ability to leverage legitimate DNS

00:00:36.290 --> 00:00:42.730
infrastructure and enable you to exfiltrate data. It's available on GitHub,

00:00:42.730 --> 00:00:46.900
where you'll find detailed instructions on how to set it up,

00:00:47.090 --> 00:00:51.030
documentation about the protocol, and many other tips and tricks.

00:00:52.240 --> 00:00:56.410
dnscat2 has two components, the client, which should be

00:00:56.410 --> 00:00:58.550
deployed on a compromised machine,

00:00:59.140 --> 00:01:02.010
and the server, which should be deployed on an

00:01:02.010 --> 00:01:06.350
authoritative DNS server. And later in this course,

00:01:06.350 --> 00:01:12.170
we'll cover what this actually means. In relation to the kill chain,

00:01:12.170 --> 00:01:16.500
data exfiltration is an action that is performed after you have gained

00:01:16.500 --> 00:01:21.260
a foothold into an environment, and you have an undetected persistent

00:01:21.260 --> 00:01:23.460
connection to a compromised machine.

00:01:25.640 --> 00:01:28.440
Let's now take a look at the MITRE ATT&CK framework,

00:01:28.450 --> 00:01:31.150
and see where dnscat2 fits in.

00:01:32.270 --> 00:01:36.680
Our tool falls under the command and control and exfiltration

00:01:36.680 --> 00:01:42.200
tactics. As dnscat2 is based on the DNS protocol,

00:01:42.470 --> 00:01:50.120
it can be classified in the technique T1071 Application Layer Protocol, and

00:01:50.120 --> 00:01:57.370
the sub technique 004 DNS. In this course, we'll be focusing on data

00:01:57.370 --> 00:02:02.280
exfiltration and the specific technique that we'll be covering is T1048,

00:02:02.280 --> 00:02:06.150
Exfiltration Over Alternative Protocol.

00:02:07.720 --> 00:02:12.100
As dnscat2 is able to encrypt data between the client and the server,

00:02:12.100 --> 00:02:17.930
the sub technique 001, Exfiltration Over Symmetric Encrypted Non-C2

00:02:17.930 --> 00:02:24.090
Protocol also applies. To successfully mount an attack during a Red Team

00:02:24.090 --> 00:02:27.960
engagement, persistent access to a compromised machine is a

00:02:27.960 --> 00:02:34.400
prerequisite. dnscat2 can establish a second communication channel to be

00:02:34.400 --> 00:02:39.550
used for data exfiltration. The benefit of this is that if it gets

00:02:39.550 --> 00:02:43.830
detected and blocked, you will still have access to the compromised machine.
