WEBVTT

00:00:01.140 --> 00:00:05.130
One very important aspect is that establishing a DNS tunnel

00:00:05.140 --> 00:00:08.590
over the public DNS infrastructure requires that you have

00:00:08.590 --> 00:00:11.270
control of a publicly registered domain.

00:00:13.040 --> 00:00:17.850
For the purpose of this course, I have registered globonamtics.com,

00:00:18.630 --> 00:00:23.890
which is similar to Globomantics.com, the name of a fictitious company.

00:00:25.560 --> 00:00:31.150
The dnscat2 server will act as the authoritative DNS server for this domain.

00:00:32.740 --> 00:00:36.670
In the case that we want to use the root domain, this works as follows.

00:00:38.240 --> 00:00:41.280
Your domain name is managed by the registrar.

00:00:42.020 --> 00:00:45.600
You need to modify the name servers to your custom ones.

00:00:46.940 --> 00:00:49.700
If anybody on the internet is trying to resolve

00:00:49.710 --> 00:00:52.330
anything related to globonamtics.com,

00:00:52.670 --> 00:00:55.780
they will have to forward the requests to ns1 and

00:00:55.780 --> 00:01:00.350
ns2.globonamtics.com. So what are the servers?

00:01:01.900 --> 00:01:06.490
You'll have to configure these names with the IP address of your C2 server.

00:01:06.610 --> 00:01:10.450
This will route all DNS requests for everything related to

00:01:10.450 --> 00:01:14.620
globonamtics.com to the C2 server that you control,

00:01:14.720 --> 00:01:18.100
thus becoming the authoritative DNS server.

00:01:20.120 --> 00:01:22.950
A second option is to use only a subdomain.

00:01:23.840 --> 00:01:26.790
If you're using separate name servers for your domain,

00:01:26.910 --> 00:01:29.420
you can add an additional NS record.

00:01:29.540 --> 00:01:32.650
For example, we want to use the C2 subdomain.

00:01:33.410 --> 00:01:39.180
Requests for c2.globonamtics.com can be handled by ns1.globonamtics.com.

00:01:39.180 --> 00:01:45.670
And similar to the previous scenario, who is ns1.globonamtics.com?

00:01:45.900 --> 00:01:46.520
Well,

00:01:46.530 --> 00:01:50.630
you'll need to add an A record defining ns1 and the

00:01:50.630 --> 00:01:52.950
IP address of your C2 server.

00:01:55.040 --> 00:02:00.220
Now that we have covered the intricate details of setting up the DNS records,

00:02:00.230 --> 00:02:04.070
it's time to look at the bigger picture and put all the things together.

00:02:05.380 --> 00:02:09.100
The compromised machine cannot make outbound DNS requests,

00:02:09.110 --> 00:02:11.039
as this is blocked by the firewall.

00:02:12.690 --> 00:02:16.950
DNS requests are only allowed through the corporate DNS server,

00:02:18.340 --> 00:02:22.520
and this will be allowed to make requests to public DNS servers,

00:02:24.140 --> 00:02:28.690
which will be routed to the C2 server that you control.

00:02:28.690 --> 00:02:34.070
In other scenarios, there might be some other intermediate name servers,

00:02:34.330 --> 00:02:36.150
but this does not change the outcome.

00:02:36.410 --> 00:02:43.040
And this is how a DNS tunnel can be set up over a legitimate DNS infrastructure.

00:02:43.040 --> 00:02:49.090
To replicate the setup you might use during an actual Red Team exercise,

00:02:49.540 --> 00:02:51.490
I use a cloud-hosted VM,

00:02:51.560 --> 00:02:57.550
which I connected to via SSH and deployed the dnscat2 server.

00:02:59.140 --> 00:03:05.090
This host is the authoritative DNS server for the globonamtics.com domain.

00:03:05.090 --> 00:03:07.230
Once the server is up,

00:03:07.230 --> 00:03:10.880
setting up the DNS tunnel from the victim machine is quite easy.

00:03:14.020 --> 00:03:17.330
To put things into perspective, we'll go through another demo.

00:03:18.310 --> 00:03:22.700
We will establish a DNS tunnel traversing the DNS hierarchy.

00:03:24.020 --> 00:03:27.360
For this, I will use the globonamtics.com domain,

00:03:28.740 --> 00:03:33.450
and the tunnel will be set up over legitimate DNS infrastructure

00:03:33.450 --> 00:03:37.350
with the goal of exfiltrating information.

00:03:39.140 --> 00:03:42.180
To make our exfiltration scenario more interesting,

00:03:42.230 --> 00:03:45.560
I have a file with dummy data on the victim machine,

00:03:46.040 --> 00:03:49.550
that we will try to exfiltrate to our cloud-hosted VM.

00:03:50.480 --> 00:03:54.380
Moving forward, to test that the authoritative DNS works,

00:03:54.560 --> 00:04:00.570
we'll use netcat on the cloud VM, listening for UDP packets on port 53,

00:04:00.570 --> 00:04:02.240
corresponding to DNS.

00:04:03.440 --> 00:04:05.350
Switching to our victim machine,

00:04:05.460 --> 00:04:09.590
we'll attempt to do an nslookup for the globonamtics.com domain.

00:04:10.410 --> 00:04:12.160
We get a timeout response,

00:04:12.740 --> 00:04:16.329
and this is normal because netcat only listens and

00:04:16.329 --> 00:04:19.459
will not do any DNS resolution.

00:04:19.459 --> 00:04:25.190
Switching back to the cloud VM, we see the query for globonamtics.com.

00:04:26.440 --> 00:04:28.040
Now that this works,

00:04:28.120 --> 00:04:33.240
let's start up dnscat2 server with our domain as the parameter.

00:04:33.240 --> 00:04:38.750
On the victim machine, starting up dnscat2 will be a bit different.

00:04:39.180 --> 00:04:41.900
Rather than using the server IP address,

00:04:41.980 --> 00:04:45.260
we'll use globonamtics.com as the parameter,

00:04:46.340 --> 00:04:49.260
and we can see that the session has been established.

00:04:50.940 --> 00:04:54.600
We want to interact with this newly established DNS tunnel,

00:04:54.600 --> 00:04:58.310
and in order for us to browse the files on the victim machine,

00:04:58.390 --> 00:04:59.660
we'll start up a shell.

00:05:01.040 --> 00:05:02.780
We'll use the DIR command.

00:05:03.980 --> 00:05:08.390
We'll go through the documents folder and run DIR again.

00:05:10.090 --> 00:05:11.530
And we can see the file.

00:05:14.310 --> 00:05:17.880
Now we'll go back to the main window by pressing Ctrl+Z.

00:05:18.680 --> 00:05:22.650
Now we'll interact with the session corresponding to the DNS tunnel,

00:05:24.390 --> 00:05:28.380
and we will download the sensitive file using the path on the victim

00:05:28.380 --> 00:05:32.670
machine and the local path where dnscat2 server is running.

00:05:34.640 --> 00:05:39.140
Because the entire file will get transferred over legitimate DNS servers, it

00:05:39.140 --> 00:05:45.480
might take a while. Skipping ahead, the file has been exfiltrated from the

00:05:45.480 --> 00:05:52.500
victim machine. We will do a quick check by opening the file, and we can see

00:05:52.500 --> 00:05:54.410
the dummy sensitive information.

00:05:58.190 --> 00:06:01.560
Now I want to add a couple of tips to avoid detection.

00:06:02.740 --> 00:06:07.960
By default, dnscat2 will use TXT and also CNAME records,

00:06:07.970 --> 00:06:10.350
which are not common in high quantities.

00:06:11.340 --> 00:06:15.650
To reduce the chances of getting caught, you can use A-type records.

00:06:17.740 --> 00:06:23.060
A second piece of advice is to introduce a delay measured in milliseconds.

00:06:23.070 --> 00:06:27.390
This might increase the amount of time it takes to exfiltrate information,

00:06:27.750 --> 00:06:32.850
but on the other hand, it will reduce peaks with high amounts of DNS traffic.

00:06:33.840 --> 00:06:38.130
Now these also depend on the dnscat version that you're using.
