WEBVTT

00:00:01.100 --> 00:00:05.120
In this course, I will use the Windows VM as the victim machine,

00:00:05.290 --> 00:00:08.820
where the dnscat2 client will be deployed,

00:00:08.820 --> 00:00:10.800
and the server.

00:00:11.390 --> 00:00:15.000
I will use a Kali VM to form a direct connection

00:00:15.000 --> 00:00:16.750
between the client and the server.

00:00:17.810 --> 00:00:19.300
And later on in the course,

00:00:19.310 --> 00:00:25.150
I will use a cloud‑hosted VM that will be set up as an authoritative DNS server,

00:00:25.870 --> 00:00:30.010
and the traffic will be routed through the public DNS infrastructure.

00:00:31.200 --> 00:00:36.660
Based on the DNS protocol, the tunnel is based on the client sending DNS queries,

00:00:36.840 --> 00:00:40.050
asking for commands, or sending information.

00:00:41.240 --> 00:00:43.930
The way you control the victim machine will be through

00:00:43.930 --> 00:00:47.530
commands that are embedded in the DNS responses.

00:00:47.530 --> 00:00:51.460
Do note here that the direct communication channel

00:00:51.460 --> 00:00:54.550
between the victim and the dnscat2 server,

00:00:54.550 --> 00:00:57.950
while it will be fast, it can easily be detected.

00:00:59.570 --> 00:01:04.160
The second mode of operation is based on traversing the DNS hierarchy.

00:01:05.239 --> 00:01:07.850
This also requires owning a domain name,

00:01:07.860 --> 00:01:11.220
for which the authoritative server will be the machine

00:01:11.230 --> 00:01:14.070
where dnscat2 server will be installed.

00:01:15.700 --> 00:01:19.110
Moving forward with setting up dnscat2,

00:01:19.110 --> 00:01:23.460
the server component of dnscat2 requires Ruby.

00:01:24.540 --> 00:01:26.880
If you're using a recent version of Kali,

00:01:26.890 --> 00:01:31.910
Ruby is already installed, but if you're deploying dnscat2 on another machine,

00:01:31.920 --> 00:01:34.000
it's worth considering installing it.

00:01:35.470 --> 00:01:39.890
The client component has native binaries for the most common platforms,

00:01:39.900 --> 00:01:41.670
including Windows and Linux.

00:01:42.630 --> 00:01:45.690
Links to where to download them can be found on GitHub.

00:01:47.110 --> 00:01:51.010
Another aspect to consider is that the server must be running

00:01:51.010 --> 00:01:54.580
before any client can connect to it; otherwise,

00:01:54.590 --> 00:01:56.670
the client will attempt the connection,

00:01:56.750 --> 00:02:01.250
and it will terminate if it does not find a dnscat2 server.

00:02:02.740 --> 00:02:04.700
Once the session is established,

00:02:04.710 --> 00:02:07.320
there are a couple of important commands for managing the

00:02:07.320 --> 00:02:10.310
session that are good for you to be familiar with.

00:02:11.340 --> 00:02:14.190
Help will provide the full list of commands.

00:02:15.240 --> 00:02:20.690
Windows will list all the existing sessions, and to interact with

00:02:20.690 --> 00:02:23.910
the session, you have to use the -i parameter,

00:02:23.920 --> 00:02:26.530
followed by the ID number of the session.

00:02:28.110 --> 00:02:33.300
Another good tip for a common issue that you might run into: if you're trying

00:02:33.300 --> 00:02:40.510
to set up the dnscat2 server on Ubuntu, systemd-resolved might be using port 53,

00:02:40.560 --> 00:02:44.850
preventing you from running dnscat2 on the native DNS port.

00:02:45.940 --> 00:02:51.050
A quick fix for this is to disable the service by using the commands above.

00:02:52.440 --> 00:02:56.960
Please note that this will stop the DNS resolution service for your machine,

00:02:57.250 --> 00:02:59.750
so you may need to re‑enable it later.
