WEBVTT

00:00:01.210 --> 00:00:05.160
In the first demo, I will only use two virtual machines in my lab.

00:00:05.240 --> 00:00:07.660
You can easily replicate this on your own.

00:00:07.910 --> 00:00:12.950
I will use a Windows VM as the victim and the Kali VM to host the server.

00:00:14.240 --> 00:00:15.780
Once the server is running,

00:00:15.850 --> 00:00:20.730
I will attempt to establish a direct connection from the victim to the Kali VM.

00:00:23.320 --> 00:00:25.490
To get a better understanding of the tool,

00:00:25.610 --> 00:00:27.720
we'll quickly go through a hands-on demo.

00:00:27.840 --> 00:00:30.470
We'll deploy dnscat2.

00:00:30.470 --> 00:00:33.880
We will install the client on the victim machine,

00:00:33.890 --> 00:00:37.650
and please consider that this might get detected by the antivirus,

00:00:37.710 --> 00:00:43.190
which I have disabled in advance. And the server component on the Kali VM.

00:00:44.040 --> 00:00:47.430
And then we'll establish a DNS tunnel between the two.

00:00:49.540 --> 00:00:53.350
I'm currently logged into the Windows victim virtual machine.

00:00:53.940 --> 00:00:58.370
And what you're seeing is the GitHub repository for dnscat2.

00:00:59.640 --> 00:01:02.250
All the important information about installing,

00:01:02.260 --> 00:01:05.700
configuring and troubleshooting, you can find it here.

00:01:07.340 --> 00:01:09.740
After we scroll down a bit through the README file,

00:01:10.490 --> 00:01:13.400
there is a specific section called Where to get it.

00:01:13.690 --> 00:01:16.760
And here you're presented with multiple options,

00:01:17.080 --> 00:01:20.500
including to download the source code from GitHub and build it

00:01:20.500 --> 00:01:23.450
yourself or to download the pre-built versions.

00:01:24.240 --> 00:01:27.410
For this demo, I will use the pre-compiled versions.

00:01:28.640 --> 00:01:33.590
I have already downloaded v0.07 for the client and the server.

00:01:35.240 --> 00:01:38.290
One important aspect to keep in mind is that these

00:01:38.290 --> 00:01:41.000
versions will be detected by antivirus.

00:01:41.640 --> 00:01:45.650
A quick check on VirusTotal shows us that the client version is

00:01:45.650 --> 00:01:50.190
detected by 49 out of the 72 antivirus engines.

00:01:51.190 --> 00:01:56.550
Now we'll move forward by opening a terminal to launch the dnscat2 client,

00:01:56.940 --> 00:02:01.240
of which I have already downloaded a copy on the victim virtual machine.

00:02:02.510 --> 00:02:07.750
To get acquainted with the command line parameters, you can use -h for help.

00:02:08.639 --> 00:02:11.150
This will display some of the key parameters

00:02:11.160 --> 00:02:13.750
required for establishing a DNS tunnel.

00:02:14.500 --> 00:02:18.430
But before this, I need to set up the dnscat2 server.

00:02:19.310 --> 00:02:21.650
Now I will switch to the Kali VM.

00:02:22.270 --> 00:02:25.210
I will go through the dnscat2 server directory.

00:02:26.080 --> 00:02:28.070
Let's also check the instructions.

00:02:29.210 --> 00:02:30.500
On the GitHub page,

00:02:30.940 --> 00:02:35.450
please note that there are specific instructions on how to set up the server.

00:02:36.080 --> 00:02:39.820
The author recommends using bundler to manage dependencies,

00:02:40.010 --> 00:02:41.760
so I will install it as well.

00:02:42.840 --> 00:02:47.750
Now I can install all the required dependencies using sudo bundle install.

00:02:48.440 --> 00:02:50.050
And now we should be good to go.

00:02:51.230 --> 00:02:54.740
We'll launch the dnscat2 server with the following

00:02:54.740 --> 00:02:59.160
command: sudo ruby and then dnscat2.rb.

00:03:00.490 --> 00:03:01.890
And as you can see,

00:03:01.930 --> 00:03:05.590
there are a couple of warning messages which hinder our usage.

00:03:05.820 --> 00:03:11.600
To get rid of this, you can add -W0 to suppress warnings.

00:03:12.800 --> 00:03:16.200
By using this, the warnings are no longer displayed.

00:03:17.440 --> 00:03:21.680
With the dnscat2 server running, we can also start the client to

00:03:21.680 --> 00:03:27.340
connect to our server. For this, we need to explicitly state what

00:03:27.340 --> 00:03:30.170
DNS server the client will connect to.

00:03:30.560 --> 00:03:36.490
And this will be the IP address of the Kali VM. Adding the --ping

00:03:36.490 --> 00:03:41.140
option will test if there is a dnscat2 server at the specified IP.

00:03:41.140 --> 00:03:44.770
And we see we get a positive answer.

00:03:46.040 --> 00:03:49.200
Now we can establish the actual direct DNS tunnel.

00:03:50.170 --> 00:03:52.320
The command is similar to the previous one,

00:03:52.420 --> 00:03:55.030
and you only have to remove the --ping option.

00:03:56.300 --> 00:03:59.670
And we have managed to successfully establish a DNS tunnel.

00:04:00.340 --> 00:04:04.330
One thing to keep in mind is that we get this information because it's running

00:04:04.330 --> 00:04:08.670
in the terminal. In a real attack exercise, this would be invisible to the

00:04:08.670 --> 00:04:14.260
victim. To get a better sense of what is happening on the network, we'll open up

00:04:14.260 --> 00:04:20.470
Wireshark on the victim machine with the filter for dns, and you can see what

00:04:20.470 --> 00:04:22.450
the DNS tunnel actually looks like.

00:04:23.520 --> 00:04:27.840
Now we'll take a look at the server side. To see the existing

00:04:27.840 --> 00:04:30.270
sessions, we'll use the windows function,

00:04:31.140 --> 00:04:34.050
and we can see the session from the Windows 10 victim

00:04:34.050 --> 00:04:38.420
machine. To interact with the session, we'll use the window

00:04:38.420 --> 00:04:41.170
-i and then the id of the tunnel,

00:04:41.560 --> 00:04:47.670
which is 1 in this case. One of the interesting commands is exec, where

00:04:47.670 --> 00:04:52.500
we can execute commands on the victim machine. For testing purposes,

00:04:52.550 --> 00:04:59.670
we'll open up the calculator by typing exec and calc.exe. We'll quickly

00:04:59.670 --> 00:05:01.350
switch to the victim machine,

00:05:01.410 --> 00:05:06.360
where we can see the calculator displayed. In an actual exercise, this

00:05:06.360 --> 00:05:12.580
can be used to execute other programs or utilities. Back to the dnscat2

00:05:12.580 --> 00:05:18.500
server. To go back and exit the session, you can press ctrl+z. Don't

00:05:18.500 --> 00:05:24.350
press ctrl+c or ctrl+x or it will terminate the server. To terminate

00:05:24.360 --> 00:05:28.870
processes or session, we can use the kill command followed by the id

00:05:28.870 --> 00:05:30.320
number of the session.

00:05:32.240 --> 00:05:35.660
Now, there are a couple of aspects where this might not work as

00:05:35.660 --> 00:05:40.880
expected during an actual red team exercise. Due to firewall

00:05:40.880 --> 00:05:44.700
restrictions, outbound DNS traffic from individual hosts on the

00:05:44.700 --> 00:05:46.250
network may be blocked.

00:05:46.840 --> 00:05:50.550
And address resolution is done through an internal DNS server.

00:05:51.690 --> 00:05:56.100
In the direct connection scenario, DNS tunneling can be detected by

00:05:56.100 --> 00:05:59.290
monitoring clients for increased DNS traffic.

00:06:09.140 --> 00:06:09.810
Next,

00:06:09.980 --> 00:06:13.180
we look at the second mode of operation, to connect to the

00:06:13.180 --> 00:06:17.050
dnscat2 server by traversing the DNS hierarchy.
