WEBVTT

00:00:01.270 --> 00:00:02.510
In a previous scenario,

00:00:02.520 --> 00:00:07.060
I've mentioned that I have disabled antivirus because the client gets detected.

00:00:07.200 --> 00:00:11.310
Most antivirus and endpoint detection capabilities already flag

00:00:11.310 --> 00:00:15.130
the presence of the dnscat client executable.

00:00:15.130 --> 00:00:20.450
An option here is to build it yourself from the available source code,

00:00:20.880 --> 00:00:23.560
and then use common obfuscation techniques.

00:00:25.090 --> 00:00:31.530
A second option is to use an alternative dnscat2 client for file‑less execution.

00:00:33.040 --> 00:00:37.210
There is a PowerShell implementation of the client created by Luke Baggett,

00:00:37.340 --> 00:00:39.150
and it's available on GitHub.

00:00:42.130 --> 00:00:43.750
So let's test this out.

00:00:44.690 --> 00:00:50.470
We will load the dnscat2 PowerShell module, and we'll run it to establish a

00:00:50.470 --> 00:00:56.560
DNS tunnel. We're once again using the cloud‑hosted droplet.

00:00:56.720 --> 00:01:01.820
I have already connected to it via SSH. Similar to the previous

00:01:01.820 --> 00:01:04.890
scenario, we're starting the dnscat2 server,

00:01:05.129 --> 00:01:09.050
and we use the globomantics.com domain as the parameter.

00:01:09.800 --> 00:01:15.800
This does not change regardless of the client. Switching to our

00:01:15.800 --> 00:01:22.130
victim machine, this is the GitHub repository for dnscat2

00:01:22.140 --> 00:01:26.040
PowerShell, and scrolling through the README file,

00:01:26.230 --> 00:01:29.700
we can identify the command to load this module into memory.

00:01:30.080 --> 00:01:33.230
Below are also a few examples on how this can be

00:01:33.230 --> 00:01:36.900
used. So we'll copy this long string.

00:01:39.240 --> 00:01:41.290
We open up a PowerShell terminal.

00:01:43.790 --> 00:01:48.650
We paste the string and press Enter to download and load it into memory.

00:01:49.740 --> 00:01:54.350
Now we can just launch dnscat2 PowerShell client by specifying

00:01:54.360 --> 00:01:59.030
our domain. Please note that usually these commands can be

00:01:59.030 --> 00:02:01.280
chained together into a single command.

00:02:03.200 --> 00:02:09.590
Now this is running without any issues, so we'll switch to the cloud VM.

00:02:09.590 --> 00:02:15.260
We'll run windows to view the existing sessions, and we can see a DNS

00:02:15.260 --> 00:02:17.930
tunnel is established with the victim machine.

00:02:18.980 --> 00:02:23.880
Next, we'll interact with this session, and as proof of

00:02:23.880 --> 00:02:26.540
concept, we'll execute the calculator.

00:02:28.400 --> 00:02:31.800
Switching to the victim machine, we can see the calculator

00:02:31.810 --> 00:02:34.350
is being executed with a bit of delay.
