Intranet Tunnel Proxy Technology (28) DNS Tunnel Reverse Shell

DNS Tunnel Reverse Shell

dnscat2 is open-source software that builds an encrypted command-and-control (C&C) channel over the DNS protocol and authenticates the two ends with a pre-shared key. It multiplexes several simultaneous sessions (including shell sessions) over the DNS query types TXT, MX, CNAME, A and AAAA, much like tunneling over SSH. The dnscat2 client is available for Windows and Linux; the server is written in Ruby. Strictly speaking, dnscat2 is a command-and-control tool rather than a general-purpose tunnel.

dnscat2 can be used in two modes, direct connection mode and relay mode:

  • Direct connection mode: the client sends its DNS queries straight to the IP address of the host running the dnscat2 server, bypassing the normal resolver chain.
  • Relay mode: the client sends ordinary queries to whatever resolver it normally uses; the queries are resolved recursively through the public DNS infrastructure until they reach the designated (authoritative) DNS server, which is the dnscat2 server. Relay mode is slower than direct mode because every packet passes through one or more resolvers.

If the target intranet allows arbitrary outbound DNS requests (UDP port 53 to any host), dnscat2 can run in direct connection mode and talk to the server over UDP port 53 directly. No registered domain name is required, it is fast, and on the wire the traffic still looks like normal DNS queries. However, because no domain is supplied, every query name in this mode starts with the label dnscat, so a firewall or DNS log review can detect direct-mode communication easily.

If outbound DNS from the target intranet is restricted to whitelisted resolvers or to specified domains, dnscat2 must run in relay mode: register a domain name and delegate it (via its NS record) to the host running the dnscat2 server, so that host becomes the authoritative DNS server for the domain. The intranet's own resolver then forwards every query for that domain to the dnscat2 server on the client's behalf, and the tunnel never needs a direct connection out of the network.
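The following is an added example, not code from the original post or from the dnscat2 project, that shows both sides of the two modes described above in one place: how a payload ends up in a query name in direct mode (dnscat prefix, no domain) versus relay mode (hex labels under an attacker-controlled domain), and how a defender would spot each in DNS query logs. The name construction follows dnscat2's documented scheme of hex-encoding packets into labels of at most 63 characters, but the session header is omitted and the log line format ("client qtype qname") and the domains used are constructed assumptions.

```python
import math
from collections import defaultdict
from typing import Optional

# ---- encoding side: simplified model of how dnscat2 builds a query name ----
# dnscat2 hex-encodes each packet and splits the hex string into DNS labels of
# at most 63 characters. With no domain (direct mode) the name is prefixed with
# the label "dnscat"; with a domain (relay mode) the domain is appended instead.
# Assumption: the real per-session packet header is left out of the payload.
def encode_query_name(payload: bytes, domain: Optional[str] = None) -> str:
    hexdata = payload.hex()
    labels = [hexdata[i:i + 63] for i in range(0, len(hexdata), 63)]
    if domain is None:
        return "dnscat." + ".".join(labels)      # direct mode signature
    return ".".join(labels) + "." + domain       # relay mode: looks like a subdomain

# ---- detection helpers ----
def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_hexlike(label: str) -> bool:
    # dnscat2 labels are pure lowercase hex; require some length so short
    # hashes in ordinary CDN hostnames do not trigger on their own
    return len(label) >= 16 and all(c in "0123456789abcdef" for c in label)

def is_encoded_label(label: str) -> bool:
    # hex is the dnscat2 case; the entropy branch is a generic fallback for
    # other tunnels that use base32/base64-style encoding (assumption: 3.5 bits)
    return is_hexlike(label) or (len(label) >= 20 and shannon_entropy(label) >= 3.5)

def base_domain(qname: str) -> str:
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

# ---- detection over query log lines: "<client-ip> <qtype> <qname>" ----
def analyze(lines, min_queries: int = 5) -> dict:
    direct_hits = []
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "encoded": 0, "types": set()})
    for line in lines:
        client, qtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        # Rule 1 (direct mode): the "dnscat" prefix is a literal tool signature
        if qname.startswith("dnscat."):
            direct_hits.append((client, qname))
            continue
        stats = per_domain[base_domain(qname)]
        stats["queries"] += 1
        stats["names"].add(qname)
        stats["types"].add(qtype)
        if any(is_encoded_label(l) for l in qname.split(".")[:-2]):
            stats["encoded"] += 1
    # Rule 2 (relay mode): one base domain receiving many queries whose
    # subdomain labels look encoded and where no name is ever repeated
    # (tunnel packets differ every time, so resolver caches never hit)
    relay_suspects = [
        dom for dom, s in per_domain.items()
        if s["queries"] >= min_queries
        and s["encoded"] / s["queries"] >= 0.8
        and len(s["names"]) == s["queries"]
    ]
    return {"direct": direct_hits, "relay": sorted(relay_suspects)}

# Constructed sample log mixing benign lookups with both dnscat2 modes
def build_sample_log():
    lines = []
    for _ in range(4):                      # benign: same names repeated
        lines.append("10.0.0.5 A www.example.com")
        lines.append("10.0.0.5 A mail.example.com")
    for i in range(3):                      # direct mode, no domain
        lines.append("10.0.0.7 TXT " + encode_query_name(b"direct-%d" % i))
    for i in range(6):                      # relay mode via a registered domain
        lines.append("10.0.0.9 CNAME " + encode_query_name(b"cmd output chunk %02d" % i, "tunnel-example.net"))
    return lines

if __name__ == "__main__":
    findings = analyze(build_sample_log())
    print("direct-mode clients:", sorted({c for c, _ in findings["direct"]}))
    print("relay-mode domains:", findings["relay"])
```

Direct mode is caught by a string match, which is why the text above calls it easy to block; relay mode has no fixed marker and is only visible statistically, by the volume of unique, encoded-looking subdomains under one domain and the unusual record types (TXT, MX, CNAME) the tunnel uses. Thresholds such as the minimum query count and the 80% encoded ratio are starting points to tune against a real resolver's baseline.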

The application scenario for DNS tunnels is as follows: in an intranet with strict security policies, the ports commonly used for C&C communication are monitored by many security devices, the network segment only allows whitelisted traffic out, and all other ports are blocked, so a traditional C&C channel cannot be established. In this case, you can use the DN

Origin blog.csdn.net/qq_64973687/article/details/132938670